Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-256479 | PHTN-30-000002 | SV-256479r887111_rule | Medium |
| Description |
|---|
| By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128 |
| STIG | Date |
|---|---|
| VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide | 2023-02-21 |
Details
| Check Text ( C-60154r887109_chk ) |
|---|
| At the command line, run the following commands: # grep pam_tally2 /etc/pam.d/system-auth Expected result: auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300 # grep pam_tally2 /etc/pam.d/system-account Expected result: account required pam_tally2.so onerr=fail audit If the output does not list the "pam_tally2" options as configured in the expected results, this is a finding. |
| Fix Text (F-60097r887110_fix) |
|---|
| Navigate to and open: /etc/pam.d/system-auth Remove any existing "pam_tally2.so" line and add the following line after the "pam_unix.so" statement: auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300 Navigate to and open: /etc/pam.d/system-account Remove any existing "pam_tally2.so" line and add the following line after the "pam_unix.so" statement: account required pam_tally2.so onerr=fail audit Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot. |