The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.


Overview

Finding ID: V-258869
Version: PHTN-40-000206
Rule ID: SV-258869r933668_rule
IA Controls: (none listed)
Severity: Medium
Description
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
STIG: VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide
Date: 2023-10-29

Details

Check Text (C-62609r933666_chk)
At the command line, run the following command to verify the pam_faildelay.so module is used:

# grep '^auth' /etc/pam.d/system-auth

Example result:

auth required pam_faillock.so preauth
auth required pam_unix.so
auth required pam_faillock.so authfail
auth optional pam_faildelay.so delay=4000000

If the pam_faildelay.so module is not present with the delay set to at least four seconds, this is a finding.

Note: The delay is configured in milliseconds.
Fix Text (F-62518r933667_fix)
Navigate to and open:

/etc/pam.d/system-auth

Add or update the following line:

auth optional pam_faildelay.so delay=4000000

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.
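The following compliance check is an added example, not the STIG's own check text or a VMware script: it reads a PAM service file, takes the last active (uncommented) auth line that loads pam_faildelay.so, extracts its delay= value and compares it against the four-second minimum, which the module's man page expresses in microseconds (4000000). The three sample configurations it creates are constructed for the demonstration; the file path to check on a real system is /etc/pam.d/system-auth.

```shell
#!/bin/sh
# Added example check for PHTN-40-000206 (not part of the STIG itself).
# pam_faildelay's delay= argument is in microseconds per its man page,
# so a four-second minimum is 4000000.
MIN_DELAY_US=4000000

# check_faildelay FILE -> prints PASS/FAIL, returns 0 on PASS and 1 on FAIL.
check_faildelay() {
    file="$1"
    # Only uncommented auth lines count; if the module appears more than
    # once, the last occurrence is the one evaluated here.
    line=$(grep -E '^[[:space:]]*auth[[:space:]]' "$file" 2>/dev/null \
           | grep 'pam_faildelay\.so' | tail -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: pam_faildelay.so not in the auth stack of $file"
        return 1
    fi
    delay=$(printf '%s\n' "$line" | sed -n 's/.*delay=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$delay" ]; then
        echo "FAIL: pam_faildelay.so present but no delay= argument in $file"
        return 1
    fi
    if [ "$delay" -lt "$MIN_DELAY_US" ]; then
        echo "FAIL: delay=$delay microseconds is below $MIN_DELAY_US in $file"
        return 1
    fi
    echo "PASS: delay=$delay microseconds (at least four seconds) in $file"
    return 0
}

# Constructed sample PAM files (hypothetical content, not real appliance files).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/compliant" <<'EOF'
auth required pam_faillock.so preauth
auth required pam_unix.so
auth required pam_faillock.so authfail
auth optional pam_faildelay.so delay=4000000
EOF
cat > "$DEMO_DIR/too_short" <<'EOF'
auth required pam_unix.so
# auth optional pam_faildelay.so delay=4000000
auth optional pam_faildelay.so delay=2000000
EOF
cat > "$DEMO_DIR/missing" <<'EOF'
auth required pam_unix.so
EOF

check_faildelay "$DEMO_DIR/compliant"
```

Run it against /etc/pam.d/system-auth (and the /etc/applmgmt/appliance copy where present) by calling check_faildelay with that path; a commented-out pam_faildelay line or an undersized delay both report FAIL.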