The system must disable accounts after three consecutive unsuccessful login attempts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-766 | GEN000460 | SV-44834r1_rule | Medium |
| Description |
|---|
| Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks. |
| STIG | Date |
|---|---|
| SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide | 2018-09-19 |
Details
| Check Text ( C-42305r1_chk ) |
|---|
| Check the pam_tally configuration. # more /etc/pam.d/login Confirm the following line is configured, before the "common-auth” file is included: auth required pam_tally.so deny=3 onerr=fail # more /etc/pam.d/sshd Confirm the following line is configured, before the "common-auth” file is included: auth required pam_tally.so deny=3 onerr=fail If no such line is found, this is a finding. |
| Fix Text (F-38271r1_fix) |
|---|
| Edit /etc/pam.d/login and/or /etc/pam.d/sshd and add the following line, before the "common-auth" file is included: auth required pam_tally.so deny=3 onerr=fail |