Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-239074 | PHTN-67-000002 | SV-239074r675030_rule | | Medium |
Description |
---|
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128 |
STIG | Date |
---|---|
VMware vSphere 6.7 Photon OS Security Technical Implementation Guide | 2022-01-03 |
Check Text ( C-42285r675028_chk ) |
---|
At the command line, execute the following command:

```shell
# grep pam_tally2 /etc/pam.d/system-auth|grep --color=always "deny=."
```

Expected result:

```
auth required pam_tally2.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300
```

If the output does not match the expected result, this is a finding.
Fix Text (F-42244r675029_fix) |
---|
Open /etc/pam.d/system-auth with a text editor. Add the following line after the last auth statement:

```
auth required pam_tally2.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300
```
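As an added example (not part of the STIG), the shell function below applies the PHTN-67-000002 check to a given PAM file and, instead of a bare match/no-match, reports which of the expected pam_tally2 parameters are missing or differ. The sample files it writes to a temporary directory are constructed here, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the STIG: apply the PHTN-67-000002 check to a PAM
# file and report which expected pam_tally2 parameters are missing or differ.

# Parameters the Expected result line carries after pam_tally2.so.
EXPECTED="file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300"

# check_pam_tally2 FILE -> prints PASS or "FAIL: <reason>"; returns 1 on a finding.
check_pam_tally2() {
    f="$1"
    # Equivalent of the STIG's grep: an active (uncommented) auth line that
    # loads pam_tally2.so and carries deny=. Whitespace is normalised to
    # single spaces so tab-separated options are matched too.
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_tally2\.so' "$f" 2>/dev/null \
           | grep 'deny=' | head -n 1 | tr -s '[:space:]' ' ')
    if [ -z "$line" ]; then
        echo "FAIL: no 'auth required pam_tally2.so ... deny=' line in $f"
        return 1
    fi
    missing=""
    for opt in $EXPECTED; do
        # Whole-token match, so deny=3 does not accept deny=30.
        case " $line " in
            *" $opt "*) ;;
            *) missing="$missing $opt" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "FAIL: pam_tally2 line is missing or differs on:$missing"
        return 1
    fi
    echo "PASS: $f"
}

# Constructed sample files (not from a real host): one compliant, one with a
# weaker lockout policy that the check should flag as a finding.
COMPLIANT_SAMPLE='auth required pam_unix.so
auth required pam_tally2.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300'
FINDING_SAMPLE='auth required pam_unix.so
auth required pam_tally2.so file=/var/log/tallylog deny=10 onerr=fail unlock_time=86400'

demo_dir=$(mktemp -d)
printf '%s\n' "$COMPLIANT_SAMPLE" > "$demo_dir/compliant"
printf '%s\n' "$FINDING_SAMPLE" > "$demo_dir/finding"
check_pam_tally2 "$demo_dir/compliant" || :
check_pam_tally2 "$demo_dir/finding" || :
rm -rf "$demo_dir"
```

Run it against the real file with `check_pam_tally2 /etc/pam.d/system-auth`; a non-zero exit marks the host as having the finding.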