UCF STIG Viewer Logo

The Photon operating system must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.


Finding ID Version Rule ID IA Controls Severity
V-258861 PHTN-40-000195 SV-258861r933644_rule Medium
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Unless specified the root account is not included in the default faillock module options and should be included.
VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide 2023-10-29


Check Text ( C-62601r933642_chk )
At the command line, run the following command to verify accounts are locked after three consecutive invalid logon attempts by a user during a 15-minute time period includes the root account:

# grep '^even_deny_root' /etc/security/faillock.conf

Example result:


If the "even_deny_root" option is not set, is missing or commented out, this is a finding.

Note: If faillock.conf is not used to configure pam_faillock.so then these options may be specified on the faillock lines in the system-auth and system-account files.
Fix Text (F-62510r933643_fix)
Navigate to and open:


Add or update the following lines:


Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.