The HYCU virtual appliance must be configured to enforce the limit of three consecutive invalid login attempts, after which time it must block any login attempt for 15 minutes.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-268227 | HYCU-ND-000090 | SV-268227r1038750_rule | CCI-000044 | medium |

Description: By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.

| STIG | Date |
|---|---|
| HYCU Protege Security Technical Implementation Guide | 2024-10-29 |
Details
Check Text (C-268227r1038750_chk)
Log in to the HYCU VM console and go to the "/etc/pam.d/" folder. Verify that "password-auth" and "system-auth" contain the following three lines, and the values for deny and unlock_time are as shown.
Commands:
sudo grep pam_faillock.so /etc/pam.d/password-auth
sudo grep pam_faillock.so /etc/pam.d/system-auth
Both should display the following three lines:
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=60 unlock_time=900
auth required pam_faillock.so authfail audit unlock_time=900
account required pam_faillock.so
If the required content is not present, this is a finding.
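The check above, scripted so that it can be repeated or run from a compliance job (an added example, not part of the STIG text; the pam.d sample files it writes are constructed for a dry run, and the function and variable names are the example's own):

```shell
#!/bin/sh
# Added example, not from the STIG text: an automated form of the check above.
# check_pamd_dir DIR succeeds only when DIR/password-auth and DIR/system-auth both
# carry the three pam_faillock.so lines with deny=3 and unlock_time=900. The sample
# files are constructed for a dry run; on the appliance run it as root on /etc/pam.d.

# Print the "TYPE required pam_faillock.so ..." lines of FILE (TYPE = auth|account).
faillock_lines() {
    grep -E "^[[:space:]]*$1[[:space:]]+required[[:space:]]+pam_faillock\.so([[:space:]]|$)" "$2"
}
# True when LINE contains TOKEN as a whole whitespace-separated word.
has_word() { printf '%s\n' "$1" | grep -Eq "(^|[[:space:]])$2([[:space:]]|$)"; }

check_faillock_file() {
    f="$1"
    [ -r "$f" ] || return 1
    preauth=$(faillock_lines auth "$f" | grep -E '(^|[[:space:]])preauth([[:space:]]|$)')
    authfail=$(faillock_lines auth "$f" | grep -E '(^|[[:space:]])authfail([[:space:]]|$)')
    account=$(faillock_lines account "$f")
    [ -n "$preauth" ] && [ -n "$authfail" ] && [ -n "$account" ] || return 1
    # Lines present but with weaker values (deny=5, unlock_time=300) are still a finding.
    has_word "$preauth" 'deny=3' && has_word "$preauth" 'unlock_time=900' &&
        has_word "$authfail" 'unlock_time=900'
}

check_pamd_dir() {
    check_faillock_file "$1/password-auth" && check_faillock_file "$1/system-auth"
}

# Constructed sample pam.d files in the STIG layout; DENY and UNLOCK vary per case.
write_sample() {   # write_sample DIR DENY UNLOCK
    for name in password-auth system-auth; do
        cat > "$1/$name" <<EOF
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=$2 even_deny_root fail_interval=60 unlock_time=$3
auth sufficient pam_unix.so nullok
auth required pam_faillock.so authfail audit unlock_time=$3
account required pam_faillock.so
account required pam_unix.so
EOF
    done
}

# Dry run: a compliant pair, then one with a weaker lockout that must be reported.
for vals in "3 900" "5 300"; do
    d=$(mktemp -d); write_sample "$d" $vals
    if check_pamd_dir "$d"; then echo "deny/unlock=$vals: compliant"; else echo "deny/unlock=$vals: finding"; fi
    rm -rf "$d"
done
```

Matching is on whole tokens, so a line carrying deny=30 or unlock_time=9000 is not accepted as deny=3 or unlock_time=900.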
Fix Text (F-72151r1038749_fix)
Log in to the server virtual console and navigate to the "/etc/pam.d/" folder.
Back up the current configuration by copying both files before editing the originals, using the following commands:
sudo cp password-auth password-auth-as
sudo cp system-auth system-auth-as
Edit the files "password-auth" and "system-auth".
Add the lines:
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=60 unlock_time=900
after line
auth required pam_env.so
Add:
auth required pam_faillock.so authfail audit unlock_time=900
after
auth sufficient pam_unix.so nullok
Add:
account required pam_faillock.so
before
account required pam_unix.so
The files "system-auth" and "password-auth" are identical, so the edits can be made in one file and that file then copied over the other.
Restart the sssd service:
sudo systemctl restart sssd.service