Check: UBTU-16-010290
Canonical Ubuntu 16.04 LTS STIG:
UBTU-16-010290
(in versions v2 r3 through v1 r3)
Title
The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts. (Cat II impact)
Discussion
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
Check Content
Verify the Ubuntu operating system automatically locks an account until the account lock is released by an administrator when three unsuccessful logon attempts are made. Check that the Ubuntu operating system automatically locks an account after three unsuccessful attempts with the following command: # grep pam_tally /etc/pam.d/common-auth auth required pam_tally2.so onerr=fail deny=3 If "onerr=fail deny=3" is not used in "/etc/pam.d/common-auth" or is called with "unlock_time", this is a finding.
Fix Text
Configure the Ubuntu operating system to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts are made by appending the following line to the "/etc/pam.d/common-auth file": "auth required pam_tally2.so onerr=fail deny=3"
Additional Identifiers
Rule ID: SV-214967r610931_rule
Vulnerability ID: V-214967
Group Title: SRG-OS-000021-GPOS-00005
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000044 |
The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
CCI-002238 |
The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. |
Controls
Number | Title |
---|---|
AC-7 |
Unsuccessful Logon Attempts |