Rule ID
SV-279546r1192554_rule
Version
V1R1
Discussion
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.

Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
Check Text
Verify accounts are locked for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes.

1. For AOS OS, Prism Central OS and Files OS, enter the following commands. Verify the "deny" option is set to "3" or less (but not "0") and the "fail_interval" option is not set to "900" or more.

$ sudo grep -i deny /etc/security/faillock.conf
deny = 3
even_deny_root

$ sudo grep -i fail_interval /etc/security/faillock.conf
fail_interval = 900

2. For AHV OS, verify by entering the following commands for pam.d.

$ sudo grep pam_faillock.so /etc/pam.d/password-auth
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=900 root_unlock_time=900 fail_interval=900
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=900 root_unlock_time=900 fail_interval=900

3. Verify the following settings are explicitly configured.
- The "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module.
- The "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module.
- The "fail_interval" parameter is set to "0" or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module.
- The "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module.
- Any line referencing the "pam_faillock.so" module is commented out.

$ sudo grep pam_faillock.so /etc/pam.d/system-auth
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
account required pam_faillock.so

4. Verify the following settings are explicitly set.
- The "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module.
- The "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module.
- The "fail_interval" parameter is set to "0" or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module.
- The "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module.
- Any line referencing the "pam_faillock.so" module is commented out.

If all required configuration settings are not met or if any settings are missing, this is a finding.
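As an added example (not part of the STIG or of Nutanix's tooling), a POSIX shell check that applies the thresholds from steps 1 through 4 to a single pam_faillock.so "auth" line or to a faillock.conf-style file. It assumes deny must be 1 to 3, even_deny_root must be present, and fail_interval and unlock_time must be at least 900; the file path and sample lines are supplied by the caller.

```shell
#!/bin/sh
# Added compliance check for this rule (not part of the STIG or Nutanix tooling).
# Evaluates one pam_faillock.so "auth" line, or the settings of a faillock.conf
# file, against the thresholds the check text expects: deny in 1..3,
# even_deny_root present, fail_interval >= 900, unlock_time >= 900 (not 0/never).
# Exit status 0 = compliant, 1 = finding (reason printed).

# Print the value of option $2 from the whitespace-separated line $1 (empty if absent).
pam_opt() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}
is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

check_faillock_line() {
    # Trim leading whitespace and normalise "key = value" to "key=value".
    line=$(printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/=/g')
    case "$line" in
        \#*) echo "finding: pam_faillock line is commented out"; return 1 ;;
    esac
    case "$line" in
        *pam_faillock.so*) ;;
        *) echo "finding: no pam_faillock.so module on this line"; return 1 ;;
    esac
    deny=$(pam_opt "$line" deny)
    interval=$(pam_opt "$line" fail_interval)
    unlock=$(pam_opt "$line" unlock_time)
    if ! is_num "$deny" || [ "$deny" -eq 0 ] || [ "$deny" -gt 3 ]; then
        echo "finding: deny=${deny:-unset} (must be 1..3)"; return 1
    fi
    case " $line " in
        *" even_deny_root "*) ;;
        *) echo "finding: even_deny_root not set"; return 1 ;;
    esac
    if ! is_num "$interval" || [ "$interval" -lt 900 ]; then
        echo "finding: fail_interval=${interval:-unset} (must be >= 900)"; return 1
    fi
    if [ "$unlock" = never ] || ! is_num "$unlock" || [ "$unlock" -lt 900 ]; then
        echo "finding: unlock_time=${unlock:-unset} (must be >= 900, not 0/never)"; return 1
    fi
    return 0
}

# Join the active settings of a faillock.conf-style file into one pseudo line
# so the same thresholds apply (the path is supplied by the caller).
check_faillock_conf() {
    joined=$(sed -e 's/#.*//' "$1" | tr '\n' ' ')
    check_faillock_line "pam_faillock.so $joined"
}
```

Run it once per "auth" line from the grep output above; the "account" line carries no thresholds and is not evaluated.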
Fix Text
Configure Nutanix OS to use complex passwords.

1. For AOS, enter the following command.

$ sudo salt-call state.sls security/CVM/pamCVM.sls

2. For Prism Central, enter the following command.

$ sudo salt-call state.sls security/PCVM/pamPCVM.sls

3. For Files, enter the following command.

$ sudo salt-call state.sls security/AFS/pamAFS.sls

4. For AHV OS CVM, enter the following command.

$ ncli cluster edit-hypervisor-security-params enable-high-strength-password=true