The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-258869 | SRG-OS-000480-GPOS-00226 | PHTN-40-000206 | SV-258869r1003654_rule | 2024-07-11 | 2 |
Description
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
ℹ️ Check
At the command line, run the following command to verify the pam_faildelay.so module is used:
# grep '^auth' /etc/pam.d/system-auth
Example result:
auth required pam_faillock.so preauth
auth required pam_unix.so
auth required pam_faillock.so authfail
auth optional pam_faildelay.so delay=4000000
If the pam_faildelay.so module is not present with the delay set to at least four seconds, this is a finding.
Note: The delay is configured in microseconds.
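The check above, scripted as an added example (not part of the STIG itself): it reads a PAM file, ignores commented-out lines, extracts the delay= value and compares it against four seconds in microseconds. The sample configurations are constructed here, not taken from a real host.

```sh
#!/bin/sh
# Added example for PHTN-40-000206: report whether a PAM auth stack
# loads pam_faildelay.so with delay >= 4 s. Exit 0 = compliant, 1 = finding.
MIN_DELAY_US=4000000   # the rule's minimum, expressed in microseconds

check_faildelay() {
    file="$1"
    # Only active (uncommented) 'auth' lines count; a '#auth ...' line does not.
    line=$(grep -E '^auth[[:space:]]' "$file" | grep -F 'pam_faildelay.so' | head -n 1)
    if [ -z "$line" ]; then
        echo "FINDING: pam_faildelay.so is not configured in $file"
        return 1
    fi
    # Pull the number out of 'delay=N'; empty if the option is absent.
    delay=$(printf '%s\n' "$line" | sed -n 's/.*delay=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$delay" ]; then
        echo "FINDING: pam_faildelay.so present but no delay= option: $line"
        return 1
    fi
    if [ "$delay" -lt "$MIN_DELAY_US" ]; then
        echo "FINDING: delay=$delay us is below $MIN_DELAY_US us (4 s)"
        return 1
    fi
    echo "OK: delay=$delay us ($((delay / 1000000)) s) in $file"
    return 0
}

# Constructed sample files standing in for /etc/pam.d/system-auth.
COMPLIANT=$(mktemp)
printf '%s\n' \
  'auth required pam_faillock.so preauth' \
  'auth required pam_unix.so' \
  'auth required pam_faillock.so authfail' \
  'auth optional pam_faildelay.so delay=4000000' > "$COMPLIANT"

TOO_SHORT=$(mktemp)
printf '%s\n' \
  'auth required pam_unix.so' \
  '#auth optional pam_faildelay.so delay=4000000' \
  'auth optional pam_faildelay.so delay=4000' > "$TOO_SHORT"

check_faildelay "$COMPLIANT"           # OK: 4000000 us (4 s)
check_faildelay "$TOO_SHORT" || true   # FINDING: 4000 us is only 4 ms
rm -f "$COMPLIANT" "$TOO_SHORT"
```

Run it against the real file with `check_faildelay /etc/pam.d/system-auth`; a non-zero exit status is the finding.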
✔️ Fix
Navigate to and open:
/etc/pam.d/system-auth
Add or update the following line:
auth optional pam_faildelay.so delay=4000000
Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.