mediumaccess-controlverified ✓rollback-safe
Limit concurrent sessions to ten for all accounts
pam-maxlogins · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
The system must limit the number of concurrent sessions to ten for all accounts and account types using PAM limits.
Rationale
Limiting concurrent sessions reduces the risk of resource exhaustion and limits the damage from compromised accounts by preventing an attacker from opening many simultaneous sessions.
Check → Remediate
Checkcommand
grep -rE '^\*\s+hard\s+maxlogins\s+[0-9]+' /etc/security/limits.conf /etc/security/limits.d/ 2>/dev/null | \
awk '{print $NF}' | awk 'BEGIN{max=9999} {if ($1+0 < max) max=$1+0} END{if (max <= 10) exit 0; exit 1}'
- expected_exit:
- 0
Remediateconfig_set_dropin
- dir:
- /etc/security/limits.d
- file:
- 00-kensa-maxlogins.conf
- key:
- * hard maxlogins
- value:
- 10
Framework references
STIG
V-281203 / RHEL-10-600475V-258069 / RHEL-09-412040V-230346V-270677 / UBTU-24-200000V-260552 / UBTU-22-412020
NIST 800-53
AC-10
Live verification
rhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#pam#sessions#limits#access-control