SLES-12-010130 - The SUSE operating system must lock an account after three consecutive invalid access attempts.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


By limiting the number of failed access attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.

The module maintains a count of attempted accesses. This includes user name entry into a logon field as well as password entry. With counting access attempts, it is possible to lock an account without presenting a password into the password field. This should be taken into consideration as it poses as an avenue for denial of service.


Configure the operating system to lock an account when three unsuccessful access attempts occur.

Modify the first line of the auth section '/etc/pam.d/common-auth' file to match the following lines:

auth required onerr=fail silent audit deny=3

Add or modify the following line in the /etc/pam.d/common-account file:
account required

Note: Manual changes to the listed files may be overwritten by the 'pam-config' program. The 'pam-config' program should not be used to update the configurations listed in this requirement.

See Also

Item Details

References: CAT|II, CCI|CCI-000044, Rule-ID|SV-217114r603262_rule, STIG-ID|SLES-12-010130, STIG-Legacy|SV-91767, STIG-Legacy|V-77071, Vuln-ID|V-217114

Plugin: Unix

Control ID: fc3d3ad3d184c0e90183ddabe906693b5699831f94212228fdeec654d4bae3ea