The HYCU VM console must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any logon attempt for 15 minutes.

An XCCDF Rule

Description

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.

ID: SV-246826r768142_rule
Severity: Medium
References: CCI-000044
Updated: about 8 hours ago

Remediation Templates

Go to the "/etc/pam.d/" folder.

Move the current configuration and make new copies to be edited by executing the following commands:
sudo mv password-auth password-auth-as

sudo mv system-auth system-auth-as
sudo cp password-auth-as password-auth

sudo cp system-auth-as system-auth

Edit the files "password-auth" and "system-auth".

Add the lines:
auth        required                                     pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=60 unlock_time=900
 after line 
auth        required                                     pam_env.so

Add:
auth        required                                     pam_faillock.so authfail audit unlock_time=900
after
auth        sufficient                                   pam_unix.so nullok try_first_pass

Add:
account     required                                     pam_faillock.so
before 
account     required                                     pam_unix.so

The files "system-auth" and "password-auth" are identical, so the procedure can be done on one of the files and copied to the second one.

Restart sssd service:
sudo systemctl restart sssd.service

The HYCU VM console must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any logon attempt for 15 minutes.

Description

Remediation Templates

A Manual Procedure