Information
Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.
Solution
Using 'pam_faillock.so' with the 'fail_interval' directive configures the system to lock out accounts after a number of incorrect logon attempts within a set interval. Modify the content of both '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' as follows:
Add the following line immediately before the 'pam_unix.so' statement in the 'AUTH' section:
auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900
Add the following line immediately after the 'pam_unix.so' statement in the 'AUTH' section:
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900
Add the following line immediately before the 'pam_unix.so' statement in the 'ACCOUNT' section:
account required pam_faillock.so
Note that any updates made to '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' may be overwritten by the 'authconfig' program. The 'authconfig' program should not be used.
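The following Python check is an added example, not part of this finding: it parses a PAM configuration file and verifies that the three 'pam_faillock.so' lines above are present in the required positions relative to 'pam_unix.so' and carry thresholds at least as strict as deny=3, unlock_time=900 and fail_interval=900. The sample file contents are constructed for illustration; on a real host, run it over '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth'.

```python
# Constructed sample of a compliant /etc/pam.d/system-auth (not copied from a real host).
COMPLIANT = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
"""
# Constructed non-compliant variants: faillock lines removed, and a weaker deny threshold.
MISSING = "".join(l for l in COMPLIANT.splitlines(True) if "pam_faillock" not in l)
WEAK = COMPLIANT.replace("deny=3", "deny=10")

def stack(text, group):
    """Return [(module, [options])] for one management group ('auth', 'account'), in file order."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if f and not f[0].startswith("#") and f[0] == group and len(f) >= 3:
            out.append((f[2], f[3:]))  # f[1] is the control field, e.g. required or [default=die]
    return out

def opt(options, key):
    """Value of key=value in a PAM option list, or None if the option is absent."""
    return next((o.split("=", 1)[1] for o in options if o.startswith(key + "=")), None)

def check_faillock(text, max_deny=3, min_unlock=900, min_interval=900):
    """Return findings for one PAM file; an empty list means it meets the requirement."""
    findings, auth = [], stack(text, "auth")
    unix = [i for i, (m, _) in enumerate(auth) if m == "pam_unix.so"]
    if not unix:
        return ["auth: no pam_unix.so line"]
    pre = [o for m, o in auth[:unix[0]] if m == "pam_faillock.so" and "preauth" in o]
    post = [o for m, o in auth[unix[-1] + 1:] if m == "pam_faillock.so" and "authfail" in o]
    if not pre:
        findings.append("auth: pam_faillock.so preauth not found before pam_unix.so")
    if not post:
        findings.append("auth: pam_faillock.so authfail not found after pam_unix.so")
    for o in pre + post:  # both faillock lines must carry thresholds at least this strict
        deny, unlock, interval = (opt(o, k) for k in ("deny", "unlock_time", "fail_interval"))
        if deny is None or int(deny) > max_deny:
            findings.append(f"auth: deny must be set and <= {max_deny}, got {deny}")
        if unlock is None or int(unlock) < min_unlock or interval is None or int(interval) < min_interval:
            findings.append(f"auth: unlock_time/fail_interval must be set and >= {min_unlock}/{min_interval}")
    acct = stack(text, "account")
    acct_unix = next((i for i, (m, _) in enumerate(acct) if m == "pam_unix.so"), len(acct))
    if not any(m == "pam_faillock.so" for m, _ in acct[:acct_unix]):
        findings.append("account: pam_faillock.so not found before pam_unix.so")
    return findings
```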