The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-256479 | PHTN-30-000002 | SV-256479r958388_rule | CCI-000044 | medium |

Description: By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.

Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128

| STIG | Date |
| --- | --- |
| VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide | 2024-12-16 |
Details
Check Text (C-256479r958388_chk)
At the command line, run the following commands:
# grep pam_tally2 /etc/pam.d/system-auth
Expected result:
auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
# grep pam_tally2 /etc/pam.d/system-account
Expected result:
account required pam_tally2.so onerr=fail audit
If the output does not list the "pam_tally2" options as configured in the expected results, this is a finding.
Fix Text (F-60097r887110_fix)
Navigate to and open:
/etc/pam.d/system-auth
Remove any existing "pam_tally2.so" line and add the following line after the "pam_unix.so" statement:
auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
Navigate to and open:
/etc/pam.d/system-account
Remove any existing "pam_tally2.so" line and add the following line after the "pam_unix.so" statement:
account required pam_tally2.so onerr=fail audit
Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.
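The Check Text and Fix Text above, as an added shell example that is not part of the STIG: `audit_pam_tally2` turns the Check into a pass/fail function (it accepts the options in any order but rejects changed values such as deny=5, a missing option, a commented-out line, or a control other than "required"), and `remediate_pam_tally2` applies the Fix (remove every existing pam_tally2.so line, insert the required line after the pam_unix.so statement of the same type). The function names and the sample PAM files it writes to a temporary directory are constructed for this example; nothing under /etc is touched.

```shell
#!/bin/sh
# Added example for PHTN-30-000002 (not STIG text): audit and remediate the
# pam_tally2 lines in system-auth and system-account. Function names and the
# sample files below are constructed for this example.

# Lines the STIG expects, verbatim from the Check/Fix text.
AUTH_LINE="auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300"
ACCOUNT_LINE="account required pam_tally2.so onerr=fail audit"

# audit_pam_tally2 <file> <type> <expected line>
# Returns 0 only when <file> has exactly one active (non-comment)
# "<type> required pam_tally2.so" line carrying every option of <expected line>.
# Options are matched as whole words, so deny=3 does not accept deny=30.
audit_pam_tally2() {
    file=$1; type=$2; expected=$3
    lines=$(grep -v '^[[:space:]]*#' "$file" 2>/dev/null \
            | grep 'pam_tally2\.so' | grep "^[[:space:]]*$type[[:space:]]" || true)
    count=$(printf '%s\n' "$lines" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "FINDING: $file has $count active '$type' pam_tally2 lines, expected 1"
        return 1
    fi
    if ! printf '%s\n' "$lines" | grep -q "^[[:space:]]*$type[[:space:]]\{1,\}required[[:space:]]"; then
        echo "FINDING: $file pam_tally2 '$type' line is not 'required'"
        return 1
    fi
    # Fields 4.. of the expected line are the module options.
    for opt in $(printf '%s\n' "$expected" | cut -d' ' -f4-); do
        if ! printf '%s\n' "$lines" | grep -qw -- "$opt"; then
            echo "FINDING: $file is missing pam_tally2 option '$opt'"
            return 1
        fi
    done
    echo "OK: $file"
}

# remediate_pam_tally2 <file> <type> <line>
# Applies the Fix text: drops every existing pam_tally2.so line and inserts
# <line> once, after the first "<type> ... pam_unix.so" statement.
remediate_pam_tally2() {
    file=$1; type=$2; newline=$3
    tmp="$file.tmp.$$"
    awk -v type="$type" -v newline="$newline" '
        /pam_tally2\.so/ { next }                  # remove existing pam_tally2 lines
        { print }
        !done && $1 == type && /pam_unix\.so/ {    # insert once, after pam_unix.so
            print newline; done = 1
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# check_pair <system-auth> <system-account>: the whole Check Text for one host.
check_pair() {
    audit_pam_tally2 "$1" auth "$AUTH_LINE" && audit_pam_tally2 "$2" account "$ACCOUNT_LINE"
}

# Constructed sample files in a scratch directory (removed on exit).
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/system-auth.good" <<'EOF'
# constructed sample: compliant system-auth
auth required pam_unix.so
auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
EOF
cat > "$work/system-auth.bad" <<'EOF'
# constructed sample: deny=5 and even_deny_root missing
auth required pam_unix.so
auth required pam_tally2.so deny=5 onerr=fail audit unlock_time=900 root_unlock_time=300
EOF
cat > "$work/system-account.good" <<'EOF'
# constructed sample: compliant system-account
account required pam_unix.so
account required pam_tally2.so onerr=fail audit
EOF

check_pair "$work/system-auth.good" "$work/system-account.good"
check_pair "$work/system-auth.bad" "$work/system-account.good" || echo "non-compliant sample flagged"
# Remediate a copy of the non-compliant file and re-check it.
cp "$work/system-auth.bad" "$work/system-auth.fixed"
remediate_pam_tally2 "$work/system-auth.fixed" auth "$AUTH_LINE"
check_pair "$work/system-auth.fixed" "$work/system-account.good"
```

On a live appliance the same functions take /etc/pam.d/system-auth and /etc/pam.d/system-account as arguments; per the Note above, the copy under /etc/applmgmt/appliance, if present, must be remediated as well or the change is lost at reboot.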