
The Photon operating system must be configured to use the pam_faillock.so module.


Overview

Finding ID: V-258858
Version: PHTN-40-000192
Rule ID: SV-258858r933635_rule
IA Controls:
Severity: Medium
Description
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. This module maintains a list of failed authentication attempts per user during a specified interval and locks the account when there have been more than the configured number (the deny setting) of consecutive failed authentications.
STIG: VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide
Date: 2023-10-29

Details

Check Text ( C-62598r933633_chk )
At the command line, run the following commands to verify the pam_faillock.so module is used:

# grep '^auth' /etc/pam.d/system-auth

Example result:

auth required pam_faillock.so preauth
auth required pam_unix.so
auth required pam_faillock.so authfail

If the pam_faillock.so module is not present with the "preauth" line listed before pam_unix.so, this is a finding.
If the pam_faillock.so module is not present with the "authfail" line listed after pam_unix.so, this is a finding.

# grep '^account' /etc/pam.d/system-account

Example result:

account required pam_faillock.so
account required pam_unix.so

If the pam_faillock.so module is not present and listed before pam_unix.so, this is a finding.
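The ordering rules above can be scripted. The following is an added example (not part of the STIG or of Photon OS) that applies the same grep-based checks to a PAM file and reports compliant or finding; it runs against constructed sample files rather than the real /etc/pam.d entries.

```sh
# Added example (not part of the STIG): apply the ordering rules from the
# check text to a PAM file. Each check returns 0 if compliant, 1 if a finding.

# Line number of the first TYPE line in FILE matching every PATTERN given;
# prints nothing if no such line exists (same grep -n the manual check uses).
pam_line() {
    ptype="$1"; file="$2"; shift 2
    lines=$(grep -n "^$ptype" "$file" || true)
    for p in "$@"; do
        lines=$(printf '%s\n' "$lines" | grep -- "$p" || true)
    done
    printf '%s\n' "$lines" | head -n 1 | cut -d: -f1
}

# auth: preauth must come before pam_unix.so, authfail after it.
check_auth_order() {
    pre=$(pam_line auth "$1" pam_faillock.so preauth)
    unix=$(pam_line auth "$1" pam_unix.so)
    fail=$(pam_line auth "$1" pam_faillock.so authfail)
    [ -n "$pre" ] && [ -n "$unix" ] && [ -n "$fail" ] || return 1
    [ "$pre" -lt "$unix" ] && [ "$fail" -gt "$unix" ]
}

# account: pam_faillock.so must come before pam_unix.so.
check_account_order() {
    fl=$(pam_line account "$1" pam_faillock.so)
    unix=$(pam_line account "$1" pam_unix.so)
    [ -n "$fl" ] && [ -n "$unix" ] || return 1
    [ "$fl" -lt "$unix" ]
}

# Constructed sample files standing in for /etc/pam.d/system-auth and
# /etc/pam.d/system-account; the "bad" ones reproduce two finding cases.
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
GOOD_AUTH="$TMPD/auth.good"; BAD_AUTH="$TMPD/auth.bad"
GOOD_ACCT="$TMPD/acct.good"; BAD_ACCT="$TMPD/acct.bad"
printf '%s\n' 'auth required pam_faillock.so preauth' 'auth required pam_unix.so' \
    'auth required pam_faillock.so authfail' > "$GOOD_AUTH"
printf '%s\n' 'auth required pam_unix.so' 'auth required pam_faillock.so preauth' \
    'auth required pam_faillock.so authfail' > "$BAD_AUTH"     # preauth after pam_unix
printf '%s\n' 'account required pam_faillock.so' 'account required pam_unix.so' > "$GOOD_ACCT"
printf '%s\n' 'account required pam_unix.so' > "$BAD_ACCT"    # module missing

for f in "$GOOD_AUTH" "$BAD_AUTH" "$GOOD_ACCT" "$BAD_ACCT"; do
    case "$f" in */auth.*) chk=check_auth_order ;; *) chk=check_account_order ;; esac
    if "$chk" "$f"; then echo "$f: compliant"; else echo "$f: finding"; fi
done
```

To audit a live system, point check_auth_order at /etc/pam.d/system-auth and check_account_order at /etc/pam.d/system-account.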
Fix Text (F-62507r933634_fix)
Navigate to and open:

/etc/pam.d/system-auth

Add or update the following lines making sure to place the preauth line before the pam_unix.so module:

auth required pam_faillock.so preauth
auth required pam_faillock.so authfail

Navigate to and open:

/etc/pam.d/system-account

Add or update the following line, making sure to place the pam_faillock.so line before the pam_unix.so module:

account required pam_faillock.so

Note: The lines shown assume the /etc/security/faillock.conf file is used to configure pam_faillock.

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.