SRV-127 Account lockout threshold not configured

by 49 BLOCK 2024. 1. 4.

【 Description 】
Brute-force attacks against account passwords allow an unauthorized party to take over an account, so check whether a threshold such as a limit on the number of failed login attempts is configured.

【 Judgement criteria 】
  [Linux]
    - Good : an account lockout threshold is configured in /etc/pam.d/password-auth, /etc/pam.d/system-auth or /etc/security/faillock.conf (an active, uncommented pam_faillock.so entry, or pam_tally2.so on older releases, with a deny value)
    - Vulnerable : no account lockout threshold is configured in /etc/pam.d/password-auth, /etc/pam.d/system-auth or /etc/security/faillock.conf

  [AIX]
    - Good : loginretries is set to a value greater than 0
    - Vulnerable : loginretries is not set, or is 0 (root account excluded)

  [HP-UX]
    - Good : u_maxtries (Trusted Mode) or AUTH_MAXTRIES (non-Trusted Mode) is set
    - Vulnerable : u_maxtries (Trusted Mode) or AUTH_MAXTRIES (non-Trusted Mode) is not set

  [SOLARIS]
    - Good : an account lockout threshold is configured in /etc/security/policy.conf and /etc/default/login
    - Vulnerable : no account lockout threshold is configured in /etc/security/policy.conf and /etc/default/login

【 Judgement method 】
  ■ Linux
  1. Check the account lockout threshold setting
      [Debian family]
          # cat /etc/pam.d/common-auth
              auth        [success=1 default=ignore] pam_unix.so nullok
              auth        requisite        pam_deny.so
              auth        required         pam_env.so
              ...

      [RHEL 6]
          # cat /etc/pam.d/system-auth
          # cat /etc/pam.d/password-auth
              auth        required      pam_env.so
              auth        sufficient    pam_unix.so nullok try_first_pass
              ...

      [RHEL 7]
          # cat /etc/pam.d/system-auth
          # cat /etc/pam.d/password-auth
              auth        required      pam_env.so
              auth        required      pam_faildelay.so delay=2000000
              auth        sufficient    pam_unix.so nullok try_first_pass
              ...

      [RHEL 8, 9]
          # cat /etc/pam.d/system-auth
          # cat /etc/pam.d/password-auth
              auth        required      pam_env.so
              auth        sufficient    pam_unix.so try_first_pass nullok
              ...

      ※ The outputs above are the distribution defaults: none of them contains an active pam_faillock.so (or pam_tally2.so) line in the auth section, so each of these stacks is judged vulnerable as shown. A lockout entry only counts when it is uncommented; a line starting with # is inactive.
      ※ PAM module settings take effect according to the policy file that each service file includes
      ※ If the setting is missing, check whether the included policy has been altered (for example by an account-management solution) or commented out, then apply the policy in the included file or in that solution
          - /etc/pam.d/passwd, /etc/pam.d/su, /etc/pam.d/login : (default) include system-auth
          - /etc/pam.d/sshd, /etc/pam.d/remote : (default) include password-auth

      [RHEL 8.2 and later, RHEL 9] : check the lockout threshold in the faillock configuration file
          # vi /etc/security/faillock.conf
              # audit
              # silent
              # deny = 3
              # unlock_time = 600

      ※ From RHEL 8.2 the lockout threshold can be set in faillock.conf when the pam_faillock.so module is used. Every line in the file shown begins with #, so nothing is set explicitly; a value only takes effect once it is uncommented (deny = 3) and pam_faillock.so is actually present in the auth stack (with the module on the stack but no deny value anywhere, the module's built-in default of deny = 3 applies). On RHEL 8/9 the auth stacks are generated by authselect (check with authselect current); lockout is enabled through the with-faillock feature, e.g. authselect select sssd with-faillock, and hand edits to system-auth/password-auth may be lost when the profile is re-applied.
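The following audit helper is an added example, not part of the original checklist, that applies the Linux criteria above to a directory tree (/ on the target host, or a mounted image) so the same logic can also be exercised against constructed sample files. It assumes the documented module behaviour that pam_faillock falls back to deny = 3 when no deny value is set either inline or in faillock.conf, and that pam_tally2 without deny= only counts failures; the function name and the --run flag are the example's own.

```shell
#!/bin/sh
# Added audit helper for SRV-127 (example code, not from the original page).
# Decides whether a Linux PAM configuration enforces an account lockout
# threshold. Takes an optional root directory so it can be run against /,
# a mounted image, or a constructed test tree.
# Assumed module defaults: pam_faillock denies after 3 failures when deny=
# is absent (man pam_faillock); pam_tally2 without deny= only counts.

check_lockout_threshold() {
    root="${1:-}"                       # "" means the running system
    pamdir="$root/etc/pam.d"
    faillock_conf="$root/etc/security/faillock.conf"
    deny=""
    src=""

    for f in "$pamdir/system-auth" "$pamdir/password-auth" "$pamdir/common-auth"; do
        [ -f "$f" ] || continue
        # Only uncommented auth lines count; "#auth ... pam_faillock.so" is inactive.
        line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_(faillock|tally2)\.so' "$f" | head -n 1)
        [ -n "$line" ] || continue

        # deny=N given inline on the module line (pam_tally2, or RHEL 7 style pam_faillock)
        d=$(printf '%s\n' "$line" | sed -n 's/.*deny=\([0-9][0-9]*\).*/\1/p')
        if [ -n "$d" ]; then
            deny="$d"; src="$f"; break
        fi

        case "$line" in
            *pam_faillock.so*)
                # pam_faillock without inline options reads faillock.conf (RHEL 8.2+, 9);
                # a "# deny = 3" line there is a comment and does not count.
                if [ -f "$faillock_conf" ]; then
                    d=$(sed -n 's/^[[:space:]]*deny[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$faillock_conf" | head -n 1)
                fi
                if [ -n "$d" ]; then
                    deny="$d"; src="$faillock_conf"
                else
                    deny=3; src="pam_faillock built-in default, not set explicitly"
                fi
                break
                ;;
        esac
        # pam_tally2 with no deny= only records failures: keep looking in the other files.
    done

    if [ -n "$deny" ] && [ "$deny" -gt 0 ]; then
        echo "GOOD: lockout after $deny failed attempts ($src)"
        return 0
    fi
    echo "VULNERABLE: no active pam_faillock/pam_tally2 lockout threshold under ${root:-/}"
    return 1
}

# Usage on a target host:  sh check_lockout.sh --run /
case "${1-}" in
    --run) check_lockout_threshold "${2:-}" ;;
esac
```

The helper reports the implicit pam_faillock default separately from an explicit deny value, because an auditor applying the criteria above will usually want the threshold written down rather than inherited from a module default that a future package update could change.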

  ■ AIX
  1. Check the account lockout threshold setting
          # cat /etc/security/user
          default:
              loginretries = 0
              ...
          root:
              loginretries = 5
              ...

  ※ A per-account stanza takes precedence over the default stanza (in the example, loginretries = 5 applies to root). loginretries = 0 means no limit, so in the example every account other than root has unlimited attempts and is judged vulnerable.
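An added example, not from the original page, of the precedence rule in the note above: it resolves the effective loginretries for a user from an /etc/security/user-style stanza file and judges it against the criterion, treating 0 (the AIX meaning of "no limit") as vulnerable. The function names are the example's own, and the input it is run on is a constructed excerpt, not a real AIX system file.

```shell
#!/bin/sh
# Added example (not from the original checklist): compute the loginretries
# value AIX applies to a given user from an /etc/security/user-style file,
# implementing the rule that a per-user stanza overrides "default:".
# Assumption from the AIX manuals: loginretries = 0 means no limit.

aix_effective_loginretries() {
    file="$1"
    user="$2"
    awk -v user="$user" '
        # Stanza header: an unindented "name:" line
        /^[^[:space:]#][^:]*:[[:space:]]*$/ { stanza = $0; sub(/:[[:space:]]*$/, "", stanza); next }
        # Attribute line belonging to the current stanza
        /^[[:space:]]+loginretries[[:space:]]*=/ {
            split($0, kv, "=")
            gsub(/[[:space:]]/, "", kv[2])
            if (stanza == user) u = kv[2]
            else if (stanza == "default") d = kv[2]
        }
        END {
            if (u != "") print u
            else if (d != "") print d
            else print 0      # attribute absent everywhere: AIX default, unlimited
        }
    ' "$file"
}

# Judge one user per SRV-127: a limit of 0 (or none) is vulnerable.
aix_judge_user() {
    n=$(aix_effective_loginretries "$1" "$2")
    if [ "$n" -gt 0 ] 2>/dev/null; then
        echo "GOOD: $2 locks after $n failed logins"
        return 0
    fi
    echo "VULNERABLE: $2 has no login retry limit (loginretries = $n)"
    return 1
}

# Usage on an AIX host:  for u in $(lsuser -a id ALL | cut -d' ' -f1); do aix_judge_user /etc/security/user "$u"; done
```

Because the default stanza is the fallback for every account that lacks its own loginretries line, fixing the value there closes the gap for all ordinary users at once, while a root-only setting (as in the page's example) leaves them uncovered.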

  ■ HP-UX
  1. Check the account lockout threshold setting
          # cat /etc/default/security | grep AUTH_MAXTRIES
              AUTH_MAXTRIES=10

  2. Check whether the system is in Trusted Mode
          # /usr/lbin/getprdef -r
              System is not trusted.

  3. (Trusted Mode only) Check the u_maxtries value in the Trusted Mode configuration file
          # cat /tcb/files/auth/system/default | grep u_maxtries
          # cat /usr/newconfig/tcb/files/auth/system/default | grep u_maxtries
              :u_suclog#0:u_unsuclog#0:u_maxtries#3:u_lock:\

  ※ Notes on HP-UX Trusted Mode
      - On HP-UX 11.2 and earlier, a lockout threshold cannot be set unless the system is in Trusted Mode
      - On HP-UX 11.3 and later, or on releases with the security extensions installed, the lockout threshold can be set in /etc/default/security
      - Converting HP-UX from standard mode to Trusted Mode changes the file system layout (the protected password database moves under /tcb), so assess the operating environment and the impact before applying it

  ■ SOLARIS 9 and earlier
  1. Check the account lockout threshold setting
          # cat /etc/default/login | grep RETRIES
              #RETRIES=5

  ■ SOLARIS 10, 11
  1. Check whether the account lockout policy is enabled
          # cat /etc/security/policy.conf | grep LOCK_AFTER_RETRIES
              #LOCK_AFTER_RETRIES=YES

  2. Check the account lockout threshold setting
          # cat /etc/default/login | grep RETRIES
              #RETRIES=5

  ※ A leading # means the line is commented out and the built-in default applies: RETRIES defaults to 5, but LOCK_AFTER_RETRIES defaults to NO, so in the state shown the login prompt merely exits after 5 failures and the account is never locked (vulnerable). Both lines must be uncommented (LOCK_AFTER_RETRIES=YES together with RETRIES=n) for lockout to take effect.

【 Remediation 】
  1. Configure an account lockout threshold

  2024-01-13 : (remediation steps removed)