Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Photon operating system must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-258861 | PHTN-40-000195 | SV-258861r933644_rule | Medium |
| Description |
|---|
| By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Unless specified the root account is not included in the default faillock module options and should be included. |
| STIG | Date |
|---|---|
| VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide | 2023-10-29 |
Details
| Check Text ( C-62601r933642_chk ) |
|---|
| At the command line, run the following command to verify accounts are locked after three consecutive invalid logon attempts by a user during a 15-minute time period includes the root account: # grep '^even_deny_root' /etc/security/faillock.conf Example result: even_deny_root If the "even_deny_root" option is not set, is missing or commented out, this is a finding. Note: If faillock.conf is not used to configure pam_faillock.so then these options may be specified on the faillock lines in the system-auth and system-account files. |
| Fix Text (F-62510r933643_fix) |
|---|
| Navigate to and open: /etc/security/faillock.conf Add or update the following lines: even_deny_root Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot. |