
The HYCU virtual appliance must be configured to enforce the limit of three consecutive invalid login attempts, after which time it must block any login attempt for 15 minutes.

Overview

Finding ID: V-268227
Version: HYCU-ND-000090
Rule ID: SV-268227r1038750_rule
IA Controls:
Severity: Medium
Description
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
STIG: HYCU Protege Security Technical Implementation Guide
Date: 2024-10-29

Details

Check Text (C-72248r1038639_chk)
Log in to the HYCU VM console and go to the "/etc/pam.d/" folder. Verify that "password-auth" and "system-auth" both contain the following three lines and that the values for deny and unlock_time are as shown.

Commands:
sudo grep pam_faillock.so /etc/pam.d/password-auth
sudo grep pam_faillock.so /etc/pam.d/system-auth

Both commands should display the following three lines:
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=60 unlock_time=900
auth required pam_faillock.so authfail audit unlock_time=900
account required pam_faillock.so

If the required content is not present, this is a finding.
Fix Text (F-72151r1038749_fix)
Log in to the server virtual console and navigate to the "/etc/pam.d/" folder.

Make backup copies of the current configuration files, so that the originals can be edited, by executing the following commands:

sudo cp password-auth password-auth-as

sudo cp system-auth system-auth-as

Edit the files "password-auth" and "system-auth".

Add the line:
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=60 unlock_time=900
after the line:
auth required pam_env.so

Add the line:
auth required pam_faillock.so authfail audit unlock_time=900
after the line:
auth sufficient pam_unix.so nullok

Add the line:
account required pam_faillock.so
before the line:
account required pam_unix.so

The files "system-auth" and "password-auth" are identical, so the edits can be made in one file and the result copied to the other.

Restart the sssd service:
sudo systemctl restart sssd.service
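As an added example (not part of the STIG and not HYCU's own tooling), the following POSIX shell audit reads one PAM stack file and reports a finding for each required pam_faillock.so line or parameter value that is missing; it runs here against constructed sample files, and can be pointed at /etc/pam.d/password-auth and /etc/pam.d/system-auth to confirm the check above or the result of the fix. The function name check_faillock_file and the files under $tmp are the example's own.

```shell
#!/bin/sh
# Added example (not part of the STIG): audit one PAM stack file for the
# three pam_faillock.so lines that V-268227 requires and report findings.

# check_faillock_file FILE -> returns 0 when compliant, 1 when it is a finding.
check_faillock_file() {
  f="$1"; rc=0
  # First matching line, tabs folded to spaces so options can be matched as whole words.
  pre=$(grep -E '^auth[[:space:]]+required[[:space:]]+pam_faillock\.so[[:space:]]+preauth' "$f" | head -n 1 | tr '\t' ' ')
  if [ -z "$pre" ]; then echo "FINDING: $f: preauth line missing"; rc=1; else
    for opt in audit even_deny_root deny=3 unlock_time=900; do
      case " $pre " in *" $opt "*) ;; *) echo "FINDING: $f: preauth line lacks '$opt'"; rc=1 ;; esac
    done
  fi
  fail=$(grep -E '^auth[[:space:]]+required[[:space:]]+pam_faillock\.so[[:space:]]+authfail' "$f" | head -n 1 | tr '\t' ' ')
  if [ -z "$fail" ]; then echo "FINDING: $f: authfail line missing"; rc=1; else
    for opt in audit unlock_time=900; do
      case " $fail " in *" $opt "*) ;; *) echo "FINDING: $f: authfail line lacks '$opt'"; rc=1 ;; esac
    done
  fi
  grep -Eq '^account[[:space:]]+required[[:space:]]+pam_faillock\.so' "$f" \
    || { echo "FINDING: $f: account line missing"; rc=1; }
  return $rc
}

# Constructed sample files (not copied from an appliance) to exercise the check.
tmp=$(mktemp -d)
cat > "$tmp/compliant" <<'EOF'
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=60 unlock_time=900
auth sufficient pam_unix.so nullok
auth required pam_faillock.so authfail audit unlock_time=900
account required pam_faillock.so
account required pam_unix.so
EOF
# Weak variant: deny and unlock_time too permissive, authfail and account lines absent.
cat > "$tmp/weak" <<'EOF'
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=5 even_deny_root fail_interval=60 unlock_time=600
auth sufficient pam_unix.so nullok
account required pam_unix.so
EOF
for f in "$tmp/compliant" "$tmp/weak"; do
  check_faillock_file "$f" && echo "OK: $f"
done
```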