The operating system, when the maximum number of unsuccessful attempts is exceeded, must automatically lock the account for an organization-defined time period or must lock the account until released by an administrator IAW organizational policy.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-OS-000022-ESXI5-PNF	SRG-OS-000022-ESXI5-PNF	SRG-OS-000022-ESXI5-PNF_rule		Medium

Description
Anytime an authentication method is exposed to allow for the utilization of an operating system, there is a risk that attempts will be made to obtain unauthorized access. To defeat these attempts, organizations define the number of times a user account may consecutively fail a login attempt. The organization also defines the period of time in which these consecutive failed attempts may occur. By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. Applicable, but permanent not-a-finding - Lockdown mode (required) limits access via the vpxuser proxy (password is 32 chars, not configurable, and changed every 30 days "or" sooner when/if a new host is configured/controlled by the vCenter Server). root is the only local account and must never be locked out. Active Directory (w/roles) are required for all other accounts. No non-privileged users on the hypervisor.

Description

Anytime an authentication method is exposed to allow for the utilization of an operating system, there is a risk that attempts will be made to obtain unauthorized access. To defeat these attempts, organizations define the number of times a user account may consecutively fail a login attempt. The organization also defines the period of time in which these consecutive failed attempts may occur. By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. Applicable, but permanent not-a-finding - Lockdown mode (required) limits access via the vpxuser proxy (password is 32 chars, not configurable, and changed every 30 days "or" sooner when/if a new host is configured/controlled by the vCenter Server). root is the only local account and must never be locked out. Active Directory (w/roles) are required for all other accounts. No non-privileged users on the hypervisor.

STIG	Date
VMware ESXi v5 Security Technical Implementation Guide	2013-01-15

Details

Check Text ( C-SRG-OS-000022-ESXI5-PNF_chk )
ESXi supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding.

Fix Text (F-SRG-OS-000022-ESXI5-PNF_fix)
This requirement is permanent not a finding. No fix is required.