Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The system must reject session authentication after three consecutive failed authentication attempts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| RHEL-06-000055 | RHEL-06-000055 | RHEL-06-000055_rule | Low |
| Description |
|---|
| Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2013-02-05 |
Details
| Check Text ( C-RHEL-06-000055_chk ) |
|---|
| To check how many retry attempts are permitted on a per-session basis, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The "retry" parameter will indicate how many attempts are permitted. The DoD required value is 3. This would appear as "retry=3". If it is not the required value, this is a finding. |
| Fix Text (F-RHEL-06-000055_fix) |
|---|
| To configure the number of retry prompts that are permitted per-session: Edit the "pam_cracklib.so" statement in "/etc/pam.d/system-auth" to show "retry=3". The DoD requirement is 3 prompts per session. |