As identified by DISA FSO, the OCIL text did not check all locations as OVAL.
Signed-off-by: Shawn Wells <[email protected]> --- RHEL/6/input/system/accounts/pam.xml | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml index aacab89..f8af660 100644 --- a/RHEL/6/input/system/accounts/pam.xml +++ b/RHEL/6/input/system/accounts/pam.xml @@ -478,8 +478,8 @@ Add the following <tt>fail_interval</tt> directives to <tt>pam_faillock.so</tt> </description> <ocil clause="that is not the case"> To ensure the failed password attempt policy is configured correctly, run the following command: -<pre># grep pam_faillock /etc/pam.d/system-auth</pre> -The output should show <tt>fail_interval=<interval-in-seconds></tt> where <tt>interval-in-seconds</tt> is 900 (15 minutes) or greater. If the <tt>fail_interval</tt> parameter is not set, the default setting of 900 seconds is acceptable. +<pre># grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth</pre> +For each file, the output should show <tt>fail_interval=<interval-in-seconds></tt> where <tt>interval-in-seconds</tt> is 900 (15 minutes) or greater. If the <tt>fail_interval</tt> parameter is not set, the default setting of 900 seconds is acceptable. </ocil> <rationale> Locking out user accounts after a number of incorrect attempts within a -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
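Review bot: In the reworded OCIL sentence ("For each file, the output should show fail_interval=..."), a file that produces no pam_faillock lines at all is not called out as a finding. Because grep is now given two paths, output from /etc/pam.d/system-auth alone can look like a passing result. The following sentence, which accepts an unset fail_interval, can be read as covering a file where pam_faillock is missing entirely. Suggest stating that pam_faillock lines must appear for both /etc/pam.d/system-auth and /etc/pam.d/password-auth, and that the 900-second default applies only where pam_faillock.so is present without the fail_interval parameter. It would also help to note that grep prefixes each match with its file name when given multiple files, so the reviewer knows how to attribute each line.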
