
The system must reject session authentication after three consecutive failed authentication attempts.


Overview

Finding ID: RHEL-06-000055
Version: RHEL-06-000055
Rule ID: RHEL-06-000055_rule
IA Controls: (not listed)
Severity: Low
Description
Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.
STIG: Red Hat Enterprise Linux 6 Security Technical Implementation Guide
Date: 2013-02-05

Details

Check Text (C-RHEL-06-000055_chk)
To check how many retry attempts are permitted on a per-session basis, run the following command:

$ grep pam_cracklib /etc/pam.d/system-auth

The "retry" parameter will indicate how many attempts are permitted. The DoD required value is 3. This would appear as "retry=3".
If it is not the required value, this is a finding.
Fix Text (F-RHEL-06-000055_fix)
To configure the number of retry prompts that are permitted per session:

Edit the "pam_cracklib.so" statement in "/etc/pam.d/system-auth" to show "retry=3".

The DoD requirement is 3 prompts per session.
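An added shell audit (not part of the STIG text) that automates the check above: it extracts the retry value from the pam_cracklib line of a system-auth file and reports a finding when it is not 3. The two system-auth fragments are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed system-auth fragments (sample input, not copied from any real host).
SAMPLE_COMPLIANT='password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
SAMPLE_FINDING='password    requisite     pam_cracklib.so try_first_pass retry=5 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok'

# pam_retry_value FILE: print the N from "retry=N" on the first pam_cracklib line,
# or "unset" when no pam_cracklib line carries a retry option.
pam_retry_value() {
    grep 'pam_cracklib' "$1" \
        | sed -n 's/.*[[:space:]]retry=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1 | grep . || echo unset
}

# check_retry FILE: return 0 when retry=3 (the DoD value), 1 otherwise (a finding).
# Note this only covers per-session retry prompts; account lockout (pam_faillock)
# is a separate control and is not examined here.
check_retry() {
    val=$(pam_retry_value "$1")
    if [ "$val" = "3" ]; then
        echo "PASS: $1 sets retry=$val"
        return 0
    fi
    echo "FINDING: $1 sets retry=$val (DoD requires retry=3)"
    return 1
}

# Demo: write the constructed samples to temp files and audit each one.
tmp_ok=$(mktemp); tmp_bad=$(mktemp)
printf '%s\n' "$SAMPLE_COMPLIANT" > "$tmp_ok"
printf '%s\n' "$SAMPLE_FINDING" > "$tmp_bad"
check_retry "$tmp_ok" || true
check_retry "$tmp_bad" || true
rm -f "$tmp_ok" "$tmp_bad"

# Audit the live file when it exists and is readable (no-op elsewhere).
if [ -r /etc/pam.d/system-auth ]; then
    check_retry /etc/pam.d/system-auth || true
fi
```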