STIGQter: STIG Summary: VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018:

The SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.

DISA Rule

SV-99313r1_rule

Vulnerability Number

V-88663

Group Title

SRG-OS-000329-GPOS-00128

Rule Version

VROM-SL-001010

Severity

CAT III

CCI(s)

CCI-002238 - The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.

Weight

Fix Recommendation

Edit "/etc/pam.d/common-auth" file and add the following line:

auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300

Edit "/etc/pam.d/common-account" file and add the following line:

account required pam_tally2.so

Check Contents

Check the "pam_tally2" configuration:

# more /etc/pam.d/common-auth

Confirm the following line is configured:

auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_ti
me=86400 root_unlock_time=300

# more /etc/pam.d/common-account

Confirm the following line is configured:

account required pam_tally2.so

If no such lines are found, this is a finding.

The SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments