Information
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
Solution
Navigate to and open:
/etc/pam.d/system-auth
Remove any existing 'pam_tally2.so' line and add the following line after the 'pam_unix.so' statement:
auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
Navigate to and open:
/etc/pam.d/system-account
Remove any existing 'pam_tally2.so' line and add the following line after the 'pam_unix.so' statement:
account required pam_tally2.so onerr=fail audit
Note: On vCenter appliances, the equivalent file must be edited under '/etc/applmgmt/appliance', if one exists, for the changes to persist after a reboot.