UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must disable accounts after three consecutive unsuccessful login attempts.


Overview

Finding ID Version Rule ID IA Controls Severity
V-766 GEN000460 SV-37203r1_rule ECLO-1 ECLO-2 Medium
Description
Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks.
STIG Date
Red Hat Enterprise Linux 5 Security Technical Implementation Guide 2015-06-12

Details

Check Text ( C-35895r1_chk )
Check the pam_tally configuration.
# more /etc/pam.d/system-auth
Confirm the following line is configured, before any "auth sufficient" lines:
auth required pam_tally2.so deny=3
If no such line is found, this is a finding.
Fix Text (F-31153r1_fix)
By default link /etc/pam.d/system-auth points to /etc/pam.d/system-auth-ac which is the file maintained by the authconfig utility. In order to add pam options other than those available via the utility create /etc/pam.d/system-auth-local with the options and including system-auth-ac. In order to set the account lockout to three failed attempts the content should be similar to:

auth required pam_access.so
auth required pam_tally2.so deny=3
auth include system-auth-ac
account required pam_tally2.so
account include system-auth-ac
password include system-auth-ac
session include system-auth-ac

Once system-auth-local is written reset the /etc/pam.d/system-auth to point to system-auth-local. This is necessary because authconfig writes directly to system-auth-ac so any changes made by hand will be lost if authconfig is run.