Detections
Analytics
PHTN-40-000192 - The Photon operating system must be configured to use the pam_faillock.so module.
Information
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.This module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than deny consecutive failed authentications.
Solution
Navigate to and open:/etc/pam.d/system-auth
Add or update the following lines making sure to place the preauth line before the pam_unix.so module:
auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
Navigate to and open:
/etc/pam.d/system-account
Add or update the following lines making sure to place the line before the pam_unix.so module:
account required pam_faillock.so
Note: The lines shown assume the /etc/security/faillock.conf file is used to configure pam_faillock.
Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_8-0_Y24M08_STIG.zip
Item Details
Category: ACCESS CONTROL
References: 800-53|AC-7a., CAT|II, CCI|CCI-000044, Rule-ID|SV-258858r958388_rule, STIG-ID|PHTN-40-000192, Vuln-ID|V-258858
Plugin: Unix
Control ID: 8243578f494e923d274cbb42beac8e04cdab5313012eaf68b33cb7e967b0897a