Check: GEN000460
SUSE Linux Enterprise Server v11 for System z STIG:
GEN000460
(in versions v1 r9 through v1 r12)
Title
The system must disable accounts after three consecutive unsuccessful login attempts. (Cat II impact)
Discussion
Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks.
Check Content
Check the pam_tally configuration.

# more /etc/pam.d/login

Confirm the following line is configured before the "common-auth" file is included:

auth required pam_tally.so deny=3 onerr=fail

# more /etc/pam.d/sshd

Confirm the following line is configured before the "common-auth" file is included:

auth required pam_tally.so deny=3 onerr=fail

If no such line is found in either file, this is a finding.
Fix Text
Edit /etc/pam.d/login and/or /etc/pam.d/sshd (whichever lacks it) and add the following line before the "common-auth" file is included:

auth required pam_tally.so deny=3 onerr=fail
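The check above is easy to get wrong by eye: a commented-out line, a `deny=30`, or the right line placed after the `common-auth` include all look close enough to pass a quick `more`. The script below is an added example, not part of the STIG, that automates the check as written: it reports a file as compliant only when a non-comment `auth required pam_tally.so` line carrying exactly `deny=3` and `onerr=fail` appears before `auth include common-auth`. The function names, the temporary directory and the three sample PAM files are constructed for the example; on a real SLES 11 host you would point `gen000460_status` at /etc/pam.d/login and /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example (not part of the STIG): automate the GEN000460 check.
# check_pam_tally FILE returns 0 when FILE contains
#   auth required pam_tally.so deny=3 onerr=fail
# on a non-comment line before "auth include common-auth", and 1 otherwise.
check_pam_tally() {
    awk '
        /^[ \t]*#/ { next }                              # ignore comment lines
        $1 == "auth" && $2 == "include" && $3 == "common-auth" { include_seen = 1 }
        $1 == "auth" && $2 == "required" && $3 == "pam_tally.so" && !include_seen {
            d = 0; o = 0
            for (i = 4; i <= NF; i++) {                  # exact tokens, so deny=30 does not pass
                if ($i == "deny=3") d = 1
                if ($i == "onerr=fail") o = 1
            }
            if (d && o) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# gen000460_status prints one verdict per service file and returns 0 only
# when every file passes; an unreadable or missing file counts as a finding.
gen000460_status() {
    rc=0
    for f in "$@"; do
        if [ -r "$f" ] && check_pam_tally "$f"; then
            echo "PASS $f"
        else
            echo "FINDING $f"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files standing in for /etc/pam.d/login and /etc/pam.d/sshd.
SAMPLE_DIR=$(mktemp -d)

# Compliant: pam_tally runs before the common-auth stack.
COMPLIANT="$SAMPLE_DIR/login"
cat > "$COMPLIANT" <<'EOF'
#%PAM-1.0
auth     requisite  pam_nologin.so
auth     required   pam_tally.so deny=3 onerr=fail
auth     include    common-auth
account  include    common-account
EOF

# Finding: the line exists but only after the include, so the tally
# module is not consulted before the password modules.
WRONG_ORDER="$SAMPLE_DIR/sshd"
cat > "$WRONG_ORDER" <<'EOF'
#%PAM-1.0
auth     include    common-auth
auth     required   pam_tally.so deny=3 onerr=fail
account  include    common-account
EOF

# Finding: the line is commented out, so it is not configured at all.
COMMENTED="$SAMPLE_DIR/commented"
cat > "$COMMENTED" <<'EOF'
#%PAM-1.0
#auth    required   pam_tally.so deny=3 onerr=fail
auth     include    common-auth
EOF

gen000460_status "$COMPLIANT" "$WRONG_ORDER" "$COMMENTED" || echo "overall: FINDING"
```

Two points worth knowing when applying the fix. `onerr=fail` is the fail-closed choice: if pam_tally cannot open its counter file, authentication is denied rather than silently allowed, so a damaged or missing tally file will lock everyone out of login and sshd until it is repaired. Second, pam_tally keeps one counter per user that both services share, and with no `unlock_time` argument the lock persists until an administrator clears it (for example with `pam_tally --user <name> --reset`), so a burst of failed sshd attempts locks the account for console login as well.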
Additional Identifiers
Rule ID: SV-44834r1_rule
Vulnerability ID: V-766
Group Title: GEN000460
CCIs
Number | Definition |
---|---|
CCI-000044 | The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
Controls
Number | Title |
---|---|
AC-7 | Unsuccessful Logon Attempts |