Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
RHEL-06-000055 | RHEL-06-000055 | RHEL-06-000055_rule | | Low |
Description |
---|
Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. |
STIG | Date |
---|---|
Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2013-02-05 |
Check Text ( C-RHEL-06-000055_chk ) |
---|
To check how many retry attempts are permitted on a per-session basis, run the following command: `$ grep pam_cracklib /etc/pam.d/system-auth`. The "retry" parameter indicates how many attempts are permitted. The DoD required value is 3, which appears as "retry=3". If it is not the required value, this is a finding. |
Fix Text (F-RHEL-06-000055_fix) |
---|
To configure the number of retry prompts that are permitted per session, edit the "pam_cracklib.so" statement in "/etc/pam.d/system-auth" to show "retry=3". The DoD requirement is 3 prompts per session. |
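The check above can be automated so that commented-out lines and a missing "retry=" argument are handled consistently. The following POSIX sh script is an added example, not part of the STIG; the function names are this example's own and the sample PAM fragment it writes is constructed, not a real system-auth file. The required value 3 is the one stated in the check text.

```shell
#!/bin/sh
# Added example (not STIG text): audit the pam_cracklib "retry=" value in a PAM
# config file and report whether RHEL-06-000055 is a finding. The required
# value 3 comes from the check text; function names are this example's own.

REQUIRED_RETRY=3

# Print the retry value on the first active (uncommented) pam_cracklib.so line,
# "unset" if that line has no retry= argument, or "absent" if there is none.
cracklib_retry() {
    line=$(grep -v '^[[:space:]]*#' "$1" | grep 'pam_cracklib\.so' | head -n 1)
    if [ -z "$line" ]; then
        echo absent
        return
    fi
    value=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]retry=\([0-9][0-9]*\).*/\1/p')
    [ -n "$value" ] && echo "$value" || echo unset
}

# Exit 0 when compliant, 1 when the value is missing or differs (a finding).
check_rhel_06_000055() {
    r=$(cracklib_retry "$1")
    if [ "$r" = "$REQUIRED_RETRY" ]; then
        echo "$1: retry=$r, compliant"
        return 0
    fi
    echo "$1: retry=$r (required $REQUIRED_RETRY), FINDING"
    return 1
}

# Write a constructed system-auth fragment (not a real file) so the check can
# be exercised offline; $2 is the pam_cracklib argument to inject, e.g. retry=3.
make_sample() {
    cat > "$1" <<EOF
#%PAM-1.0
# A commented-out line must not satisfy the check:
#password    requisite     pam_cracklib.so try_first_pass retry=3
password    requisite     pam_cracklib.so try_first_pass $2 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF
}

# On a real host: check_rhel_06_000055 /etc/pam.d/system-auth
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    for arg in retry=3 retry=5 ""; do make_sample "$tmp" "$arg"; check_rhel_06_000055 "$tmp"; done
    rm -f "$tmp"
fi
```

Run with `--demo` to see the compliant, wrong-value and unset cases against the constructed fragment; only a value of exactly 3 on an active pam_cracklib.so line passes.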