The HYCU virtual appliance must be configured to enforce the limit of three consecutive invalid login attempts, after which time it must block any login attempt for 15 minutes.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-268227	SRG-APP-000065-NDM-000214	HYCU-ND-000090	SV-268227r1038750_rule	2024-10-29	1

Description
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.

ℹ️ Check
Log in to the HYCU VM console and go to the "/etc/pam.d/" folder. Verify that "password-auth" and "system-auth" contain the following three lines, and the values for deny and unlock_time are as shown. Commands: sudo grep pam_faillock.so /etc/pam.d/password-auth sudo grep pam_faillock.so /etc/pam.d/system-auth Both should displays the following three lines: auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=60 unlock_time=900 auth required pam_faillock.so authfail audit unlock_time=900 account required pam_faillock.so If the required content is not present, this is a finding.

ℹ️ Check

Log in to the HYCU VM console and go to the "/etc/pam.d/" folder. Verify that "password-auth" and "system-auth" contain the following three lines, and the values for deny and unlock_time are as shown. Commands: sudo grep pam_faillock.so /etc/pam.d/password-auth sudo grep pam_faillock.so /etc/pam.d/system-auth Both should displays the following three lines: auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=60 unlock_time=900 auth required pam_faillock.so authfail audit unlock_time=900 account required pam_faillock.so If the required content is not present, this is a finding.

✔️ Fix
Log in to the server virtual console and navigate to the "/etc/pam.d/" folder. Move the current configuration and make new copies to be edited by executing the following commands: sudo cp password-auth password-auth-as sudo cp system-auth system-auth-as Edit the files "password-auth" and "system-auth". Add the lines: auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=60 unlock_time=900 after line auth required pam_env.so Add: auth required pam_faillock.so authfail audit unlock_time=900 after auth sufficient pam_unix.so nullok Add: account required pam_faillock.so before account required pam_unix.so The files "system-auth" and "password-auth" are identical, so the procedure can be done on one of the files and copied to the second one. Restart sssd service: sudo systemctl restart sssd.service

✔️ Fix

Log in to the server virtual console and navigate to the "/etc/pam.d/" folder. Move the current configuration and make new copies to be edited by executing the following commands: sudo cp password-auth password-auth-as sudo cp system-auth system-auth-as Edit the files "password-auth" and "system-auth". Add the lines: auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=60 unlock_time=900 after line auth required pam_env.so Add: auth required pam_faillock.so authfail audit unlock_time=900 after auth sufficient pam_unix.so nullok Add: account required pam_faillock.so before account required pam_unix.so The files "system-auth" and "password-auth" are identical, so the procedure can be done on one of the files and copied to the second one. Restart sssd service: sudo systemctl restart sssd.service