STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:SV-208836r603263_rule
V-208836
SRG-OS-000021
OL6-00-000061
CAT II
10
To configure the system to lock out accounts after a number of incorrect logon attempts using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows:
Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section:
auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900
Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section:
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900
Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section:
account required pam_faillock.so
Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
To ensure the failed password attempt policy is configured correctly, run the following command:
# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
The output should show "deny=3" for both files.
If that is not the case, this is a finding.
V-208836
False
OL6-00-000061
To ensure the failed password attempt policy is configured correctly, run the following command:
# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
The output should show "deny=3" for both files.
If that is not the case, this is a finding.
M
2928