The system must disable accounts after three consecutive unsuccessful login attempts.


Overview

Finding ID: V-766
Version: GEN000460
Rule ID: SV-44834r1_rule
IA Controls: ECLO-1, ECLO-2
Severity: Medium
Description
Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks.
STIG: SUSE Linux Enterprise Server v11 for System z
Date: 2015-01-26

Details

Check Text ( C-42305r1_chk )
Check the pam_tally configuration.
# more /etc/pam.d/login
Confirm the following line is configured, before the "common-auth" file is included:
auth required pam_tally.so deny=3 onerr=fail
# more /etc/pam.d/sshd
Confirm the following line is configured, before the "common-auth" file is included:
auth required pam_tally.so deny=3 onerr=fail

If no such line is found in either file, this is a finding.
Fix Text (F-38271r1_fix)
Edit /etc/pam.d/login and/or /etc/pam.d/sshd and add the following line, before the "common-auth" file is included:
auth required pam_tally.so deny=3 onerr=fail
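The check and fix above are manual. As an added example (not part of the STIG text), the following POSIX shell script automates both: check_pam_tally passes only when an active "auth required pam_tally.so" line carrying deny=3 and onerr=fail appears before the line that includes common-auth, and fix_pam_tally inserts the required line at that position when it is missing. The function names, the ordering rule (a pam_tally line after the include does not count) and the sample PAM files written to a temporary directory are constructed for this demonstration; on a real host you would point the functions at /etc/pam.d/login and /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example for STIG rule GEN000460 (V-766): audit and remediate the
# pam_tally lockout line in a PAM service file. Not part of the STIG itself.

# check_pam_tally FILE
# Exit 0 when an uncommented "auth required pam_tally.so" line with deny=3
# and onerr=fail appears before the common-auth include; exit 1 otherwise.
check_pam_tally() {
    file="$1"
    awk '
        # The first common-auth include ends the region that counts.
        /^[[:space:]]*auth[[:space:]]+include[[:space:]]+common-auth/ { exit }
        # Required line; deny= and onerr= may appear in either order.
        /^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_tally\.so/ &&
        /deny=3([[:space:]]|$)/ && /onerr=fail([[:space:]]|$)/ { found = 1; exit }
        END { if (found) exit 0; exit 1 }
    ' "$file"
}

# fix_pam_tally FILE
# Insert the required line immediately before the common-auth include when
# the check fails. If the file has no such include, append the line instead.
fix_pam_tally() {
    file="$1"
    check_pam_tally "$file" && return 0
    tmp=$(mktemp)
    awk -v line='auth required pam_tally.so deny=3 onerr=fail' '
        !done && /^[[:space:]]*auth[[:space:]]+include[[:space:]]+common-auth/ {
            print line; done = 1
        }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file mode
    rm -f "$tmp"
}

# Constructed sample service files (stand-in for /etc/pam.d/login and sshd).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '#%PAM-1.0' \
    'auth required pam_tally.so deny=3 onerr=fail' \
    'auth include common-auth' \
    'account include common-account' > "$demo_dir/login"
printf '%s\n' '#%PAM-1.0' \
    'auth include common-auth' \
    'auth required pam_tally.so deny=3 onerr=fail' > "$demo_dir/sshd"

# Report each file, then remediate whatever fails.
for svc in login sshd; do
    if check_pam_tally "$demo_dir/$svc"; then
        echo "$svc: compliant"
    else
        echo "$svc: FINDING - pam_tally line missing or after common-auth"
        fix_pam_tally "$demo_dir/$svc"
        echo "$svc: fixed"
    fi
done
```

The audit treats a pam_tally line placed after the common-auth include as a finding, since the included stack can return before the tally module runs. Note that onerr=fail makes pam_tally deny authentication if it cannot read its tally file, so the remediation should be verified with a test login before the session used to apply it is closed.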