← Rules Catalog
mediumaccess-controlverified rollback-safe

Limit concurrent sessions to ten for all accounts

pam-maxlogins · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl

Description

The system must limit the number of concurrent sessions to ten for all accounts and account types using PAM limits.

Rationale

Limiting concurrent sessions reduces the risk of resource exhaustion and limits the damage from compromised accounts by preventing an attacker from opening many simultaneous sessions.

Check → Remediate

Checkcommand
grep -rE '^\*\s+hard\s+maxlogins\s+[0-9]+' /etc/security/limits.conf /etc/security/limits.d/ 2>/dev/null | \
  awk '{print $NF}' | awk 'BEGIN{max=9999} {if ($1+0 < max) max=$1+0} END{if (max <= 10) exit 0; exit 1}'
expected_exit:
0
Remediateconfig_set_dropin
dir:
/etc/security/limits.d
file:
00-kensa-maxlogins.conf
key:
* hard maxlogins
value:
10

Framework references

STIG

V-281203 / RHEL-10-600475V-258069 / RHEL-09-412040V-230346V-270677 / UBTU-24-200000V-260552 / UBTU-22-412020

NIST 800-53

AC-10

Live verification

rhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#pam#sessions#limits#access-control