STIGQter: STIG Summary: Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 10 Mar 2021

The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.

DISA Rule

SV-238235r653880_rule

Vulnerability Number

V-238235

Group Title

SRG-OS-000329-GPOS-00128

Rule Version

UBTU-20-010072

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the Ubuntu operating system to lock an account after three unsuccessful login attempts.

Edit the "/etc/pam.d/common-auth" file. The "pam_tally2.so" entry must be placed at the top of the "auth" stack.

Add the following line before the first "auth" entry in the file:

auth required pam_tally2.so onerr=fail deny=3

Check Contents

Verify the Ubuntu operating system locks an account after three unsuccessful login attempts with the following command:

$ grep pam_tally2 /etc/pam.d/common-auth

auth required pam_tally2.so onerr=fail deny=3

If no line is returned or the line is commented out, this is a finding.

If the line is missing "onerr=fail", this is a finding.

If the line has "deny" set to a value more than "3", this is a finding.
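
The grep in the check shows only that a matching line exists; it does not show whether the line sits at the top of the "auth" stack, as the fix requires. The shell function below is an added example, not part of the STIG or STIGQter: it applies the three finding conditions above plus the placement rule from the fix text. The helper name check_pam_tally2 is hypothetical, the sample file is constructed, and treating a missing "deny" option as a finding is an assumption.

```shell
#!/bin/sh
# Added example (not STIG text). check_pam_tally2 is a hypothetical helper name.
# Usage: check_pam_tally2 FILE   -> exit status 0 = no finding, 1 = finding(s).
check_pam_tally2() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank and commented-out lines
        $1 == "auth" {
            n++                            # position within the auth stack
            if (!seen && $0 ~ /pam_tally2\.so/) {
                seen = 1; pos = n; line = $0
                for (i = 2; i <= NF; i++) {
                    if ($i == "onerr=fail") onerr = 1
                    if ($i ~ /^deny=[0-9]+$/) { hasdeny = 1; deny = substr($i, 6) + 0 }
                }
            }
        }
        END {
            if (!seen) { print "FINDING: no active pam_tally2.so auth line"; exit 1 }
            rc = 0
            if (pos != 1) { print "FINDING: pam_tally2.so is not the first auth entry"; rc = 1 }
            if (!onerr)   { print "FINDING: onerr=fail is missing"; rc = 1 }
            if (!hasdeny) {
                # Assumption: the check text does not cover a missing deny option.
                print "FINDING: deny is not set"; rc = 1
            } else if (deny > 3) {
                print "FINDING: deny=" deny " is more than 3"; rc = 1
            }
            if (rc == 0) print "PASS: " line
            exit rc
        }
    ' "$1"
}

# Constructed sample, not from a real host: the expected line is present, so
# the grep output looks correct, but it is placed after another auth entry.
sample=$(mktemp)
printf '%s\n' \
    'auth [success=1 default=ignore] pam_unix.so nullok' \
    'auth required pam_tally2.so onerr=fail deny=3' > "$sample"
check_pam_tally2 "$sample" || echo "result: finding"
rm -f "$sample"
```

On a live system the function would be called as check_pam_tally2 /etc/pam.d/common-auth.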

Documentable

False

Severity Override Guidance

Verify the Ubuntu operating system locks an account after three unsuccessful login attempts with the following command:

$ grep pam_tally2 /etc/pam.d/common-auth

auth required pam_tally2.so onerr=fail deny=3

If no line is returned or the line is commented out, this is a finding.

If the line is missing "onerr=fail", this is a finding.

If the line has "deny" set to a value more than "3", this is a finding.

Check Content Reference

M

Target Key

5318
