
The system must reject session authentication after three consecutive failed authentication attempts.


Overview

Finding ID: RHEL-06-000055
Version: RHEL-06-000055
Rule ID: RHEL-06-000055_rule
IA Controls: (none listed)
Severity: Low
Description
Setting the number of password retry prompts permitted per session to a low value forces some software, such as SSH, to reconnect once those prompts are exhausted. This can slow down, and draw additional attention to, some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.
STIG: Red Hat Enterprise Linux 6 Security Technical Implementation Guide
Date: 2013-02-05

Details

Check Text ( C-RHEL-06-000055_chk )
To check how many retry attempts are permitted on a per-session basis, run the following command:

$ grep pam_cracklib /etc/pam.d/system-auth

The "retry" parameter will indicate how many attempts are permitted. The DoD required value is 3. This would appear as "retry=3".
If it is not the required value, this is a finding.
Fix Text (F-RHEL-06-000055_fix)
To configure the number of retry prompts that are permitted per-session:

Edit the "pam_cracklib.so" statement in "/etc/pam.d/system-auth" to show "retry=3".

The DoD requirement is 3 prompts per session.
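The check and fix above can be scripted so the result is a pass/fail exit status rather than a grep line to read by eye. The script below is an added example, not part of the STIG text: it takes the PAM file path as a parameter (the real target is /etc/pam.d/system-auth), reports the current "retry" value, returns non-zero when the value is not 3, and rewrites every pam_cracklib.so line to carry retry=3 exactly once. The sample PAM file it builds is constructed for the example. One caveat worth keeping in mind: pam_cracklib is a "password"-type module, so its "retry" option bounds the number of new-password prompts during a password change; it does not limit login attempts, which is why the description points to pam_faillock for lockout.

```shell
#!/bin/sh
# Added example (not from the STIG page): check and fix the pam_cracklib
# "retry" value in a PAM configuration file. The file path is a parameter so
# the functions can be exercised on a copy; the real target on RHEL 6 is
# /etc/pam.d/system-auth.

# Constructed sample of a system-auth password stack with a non-compliant
# value (retry=5). Used only to demonstrate the check and the fix.
make_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
password    requisite     pam_cracklib.so try_first_pass retry=5 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
}

# Print the retry value from the first active (uncommented) pam_cracklib
# line in the password stack, or nothing if the option is absent.
cracklib_retry() {
    grep -E '^[[:space:]]*password[[:space:]].*pam_cracklib\.so' "$1" \
      | head -n 1 \
      | grep -oE 'retry=[0-9]+' \
      | cut -d= -f2
}

# Exit 0 when the DoD value (retry=3) is set, 1 when this is a finding.
# A missing "retry" option is treated as a finding as well.
check_cracklib_retry() {
    [ "$(cracklib_retry "$1")" = "3" ]
}

# Set retry=3 on every pam_cracklib line: strip any existing retry=N first so
# the option is never duplicated, then append retry=3. Uses GNU sed -i.
fix_cracklib_retry() {
    sed -i -E \
      -e '/pam_cracklib\.so/{ s/[[:space:]]retry=[0-9]+//g; s/$/ retry=3/; }' "$1"
}

# Stand-alone run: build the sample, check it, fix it, check it again.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample "$tmp"
    printf 'before: retry=%s\n' "$(cracklib_retry "$tmp")"
    check_cracklib_retry "$tmp" && echo "compliant" || echo "finding"
    fix_cracklib_retry "$tmp"
    printf 'after:  retry=%s\n' "$(cracklib_retry "$tmp")"
    check_cracklib_retry "$tmp" && echo "compliant" || echo "finding"
    rm -f "$tmp"
fi
```

Because the path is a parameter, the same check can be pointed at /etc/pam.d/password-auth, which on RHEL 6 carries a parallel password stack that the STIG check text does not mention. Run `sh script.sh --demo` to see the before/after values on the constructed sample; against the live file, run `check_cracklib_retry /etc/pam.d/system-auth` and treat a non-zero exit as the finding.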