Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-766 | GEN000460 | SV-44834r1_rule | | Medium |
Description |
---|
Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks. |
STIG | Date |
---|---|
SUSE Linux Enterprise Server v11 for System z | 2016-12-20 |
Check Text ( C-42305r1_chk ) |
---|
Check the pam_tally configuration. |

```sh
# more /etc/pam.d/login
```

Confirm the following line is configured, before the "common-auth" file is included:

```
auth required pam_tally.so deny=3 onerr=fail
```

```sh
# more /etc/pam.d/sshd
```

Confirm the following line is configured, before the "common-auth" file is included:

```
auth required pam_tally.so deny=3 onerr=fail
```

If no such line is found, this is a finding.
Fix Text (F-38271r1_fix) |
---|
Edit /etc/pam.d/login and/or /etc/pam.d/sshd and add the following line, before the "common-auth" file is included: |

```
auth required pam_tally.so deny=3 onerr=fail
```
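As an added example (not part of the STIG text), a POSIX shell check that applies the ordering rule above to a PAM service file: the pam_tally line must carry both `deny=3` and `onerr=fail` and appear before the `common-auth` include. The sample files are constructed, and the include line is assumed to take SUSE's `auth include common-auth` form.

```shell
#!/bin/sh
# Added example (not part of the STIG text): checks whether a PAM service file
# such as /etc/pam.d/login or /etc/pam.d/sshd carries
#   auth required pam_tally.so deny=3 onerr=fail
# BEFORE its "auth include common-auth" line, the ordering the check requires.
# Returns 0 when compliant, 1 when not (line missing, options incomplete, or
# placed after the include). Assumes the SUSE "auth include common-auth" form.
pam_tally_before_common_auth() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        $1 == "auth" && $2 == "required" && $3 == "pam_tally.so" {
            deny = 0; onerr = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "deny=3")     deny = 1
                if ($i == "onerr=fail") onerr = 1
            }
            if (deny && onerr) seen = 1          # fully specified line found
            next
        }
        $1 == "auth" && $2 == "include" && $3 == "common-auth" {
            decided = 1; status = seen ? 0 : 1   # only lines above count
            exit status
        }
        END { exit (decided ? status : 1) }      # no include line: finding
    ' "$1"
}

# Constructed sample files standing in for real /etc/pam.d/ entries.
demo_dir=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' \
    'auth required pam_tally.so deny=3 onerr=fail' \
    'auth include common-auth' > "$demo_dir/compliant"
printf '%s\n' 'auth include common-auth' \
    'auth required pam_tally.so deny=3 onerr=fail' > "$demo_dir/after_include"
printf '%s\n' 'auth required pam_tally.so deny=3' \
    'auth include common-auth' > "$demo_dir/missing_onerr"

for f in compliant after_include missing_onerr; do
    if pam_tally_before_common_auth "$demo_dir/$f"; then
        echo "$f: not a finding"
    else
        echo "$f: FINDING"
    fi
done
rm -rf "$demo_dir"
```

Run it against the real files with `pam_tally_before_common_auth /etc/pam.d/login` and `/etc/pam.d/sshd`; a non-zero exit status corresponds to a finding.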