Check: GEN000000-HPUX0210
HP-UX 11.31 STIG:
GEN000000-HPUX0210
(in versions v1 r19 through v1 r13)
Title
The system must disable accounts after three consecutive unsuccessful SSH login attempts. (Cat II impact)
Discussion
Disabling accounts after a limited number of unsuccessful SSH login attempts improves protection against password guessing attacks.
Check Content
If the system is operating in Trusted Mode, this check is not applicable. For SMSE: The “UsePAM” attribute in the /opt/ssh/etc/sshd_config configuration file controls whether an account is locked after too many consecutive SSH authentication failures. The default “UsePAM” attribute setting is “no”. Verify the global setting for “UsePAM” is set to “yes”. # cat /opt/ssh/etc/sshd_config | sed -e 's/^[ \t]*//' grep -v “#” | grep “^UsePAM” If the /opt/ssh/etc/sshd_config configuration file attribute “UsePAM” is not set to “yes”, this is a finding.
Fix Text
If the system is operating in Trusted Mode, no fix is required. For SMSE only: Edit the /opt/ssh/etc/sshd_config file and add/uncomment/update the “UsePAM” attribute. See the below example: UsePAM yes Save any change(s) before exiting the editor.
Additional Identifiers
Rule ID: SV-52335r1_rule
Vulnerability ID: V-40355
Group Title: GEN000000-HPUX0210
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |