The Photon operating system must audit logon attempts for unknown users.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-258860	SRG-OS-000021-GPOS-00005	PHTN-40-000194	SV-258860r958388_rule	2024-07-11	2

Description
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.

ℹ️ Check
At the command line, run the following command to verify that audit logon attempts for unknown users is performed: # grep '^audit' /etc/security/faillock.conf Example result: audit If the "audit" option is not set, is missing or commented out, this is a finding. Note: If faillock.conf is not used to configure pam_faillock.so then these options may be specified on the faillock lines in the system-auth and system-account files.

ℹ️ Check

At the command line, run the following command to verify that audit logon attempts for unknown users is performed: # grep '^audit' /etc/security/faillock.conf Example result: audit If the "audit" option is not set, is missing or commented out, this is a finding. Note: If faillock.conf is not used to configure pam_faillock.so then these options may be specified on the faillock lines in the system-auth and system-account files.

✔️ Fix
Navigate to and open: /etc/security/faillock.conf Add or update the following lines: audit Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.