Nutanix AOS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

An XCCDF Rule

Description

<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-254131r846481_rule
Severity: Medium
References: CCI-000044 CCI-002238
Updated: about 1 year ago

Configure the pam.d modules to comply with the locking an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command:

1. Enable high-strength passwords:
$ ncli cluster edit-cvm-security-params enable-high-strength-password=true

2. After enabling the high-strength passwords, the system will process the salt stack to enable the DoD versions of the pam.d files. Recheck the Check Text for compliance.  
To run the salt command manually to enable the pam.d auth files, run the following command (high-strength passwords must be set to true):
$ sudo salt-call state.sls security/CVM/pamCVM

Nutanix AOS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

Description

Remediation - Manual Procedure