Limit the Number of Concurrent Login Sessions Allowed Per User

An XCCDF Rule

Description

Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in /etc/security/limits.conf or a file under /etc/security/limits.d/:

* hard maxlogins

Rationale

Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.

ID: xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions
Severity: Low
References: 14 15 18 9

5.5.2.2

DSS01.05 DSS05.02

CCI-000054

4.3.3.4

SR 3.1 SR 3.8

A.13.1.1 A.13.1.3 A.13.2.1 A.14.1.2 A.14.1.3

CIP-007-3 R5.1 CIP-007-3 R5.1.2

AC-10 CM-6(a)

PR.AC-5

SRG-OS-000027-GPOS-00008

RHEL-07-040000

SV-204576r877399_rule

CCE-82041-5
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-82041-5
  - CJIS-5.5.2.2  - DISA-STIG-RHEL-07-040000
  - NIST-800-53-AC-10
  - NIST-800-53-CM-6(a)
  - accounts_max_concurrent_login_sessions
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_accounts_max_concurrent_login_sessions # promote to variable
  set_fact:
    var_accounts_max_concurrent_login_sessions: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions" use="legacy"/>
  tags:
    - always

- name: Find /etc/security/limits.d files containing maxlogins configuration
  find:
    paths: /etc/security/limits.d
    contains: ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins
    patterns: '*.conf'
  register: maxlogins
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-82041-5
  - CJIS-5.5.2.2
  - DISA-STIG-RHEL-07-040000
  - NIST-800-53-AC-10
  - NIST-800-53-CM-6(a)
  - accounts_max_concurrent_login_sessions
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy

- name: Limit the Number of Concurrent Login Sessions Allowed Per User in files from
    limits.d
  replace:
    dest: '{{ item.path }}'
    regexp: ^#?\*.*maxlogins.*
    replace: '*          hard    maxlogins     {{ var_accounts_max_concurrent_login_sessions
      }}'
  with_items:
  - '{{ maxlogins.files }}'
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-82041-5
  - CJIS-5.5.2.2
  - DISA-STIG-RHEL-07-040000
  - NIST-800-53-AC-10
  - NIST-800-53-CM-6(a)
  - accounts_max_concurrent_login_sessions
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy

- name: Limit the Number of Concurrent Login Sessions Allowed Per User
  lineinfile:
    state: present
    dest: /etc/security/limits.conf
    insertbefore: ^# End of file
    regexp: ^#?\*.*maxlogins
    line: '*          hard    maxlogins     {{ var_accounts_max_concurrent_login_sessions
      }}'
    create: true
  when:
  - '"pam" in ansible_facts.packages'
  - maxlogins.matched == 0
  tags:
  - CCE-82041-5
  - CJIS-5.5.2.2
  - DISA-STIG-RHEL-07-040000
  - NIST-800-53-AC-10
  - NIST-800-53-CM-6(a)
  - accounts_max_concurrent_login_sessions
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_accounts_max_concurrent_login_sessions='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions" use="legacy"/>'

if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then
	sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf
elif grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.conf; then
	sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf
else
	echo "*	hard	maxlogins	$var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Limit the Number of Concurrent Login Sessions Allowed Per User

Description

Rationale

Remediation - Ansible

Remediation - Shell Script