{"description": "Limiting the number of allowed users and sessions per user can limit risks related to Denial of\nService attacks. This addresses concurrent sessions for a single account and does not address\nconcurrent sessions by a single user via multiple accounts. To set the number of concurrent\nsessions per user, add the following line in <tt>/etc/security/limits.conf</tt> or\na file under <tt>/etc/security/limits.d/</tt>:\n<pre>* hard maxlogins <sub idref=\"var_accounts_max_concurrent_login_sessions\" /></pre>", "rationale": "Limiting simultaneous user logins can insulate the system from denial of service\nproblems caused by excessive logins. Automated login processes operating improperly or\nmaliciously may result in an exceptional number of simultaneous login sessions.", "severity": "low", "references": {"cis-csc": ["14", "15", "18", "9"], "cjis": ["5.5.2.2"], "cobit5": ["DSS01.05", "DSS05.02"], "isa-62443-2009": ["4.3.3.4"], "isa-62443-2013": ["SR 3.1", "SR 3.8"], "iso27001-2013": ["A.13.1.1", "A.13.1.3", "A.13.2.1", "A.14.1.2", "A.14.1.3"], "nerc-cip": ["CIP-007-3 R5.1", "CIP-007-3 R5.1.2"], "nist": ["AC-10", "CM-6(a)"], "nist-csf": ["PR.AC-5"], "srg": ["SRG-OS-000027-GPOS-00008"], "stigid": ["UBTU-22-412020"], "stigref": ["SV-260552r958398_rule"]}, "control_references": {"stigid": ["UBTU-22-412020"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"maxlogins\" item is missing, commented out, or the value is set greater\nthan \"<sub idref=\"var_accounts_max_concurrent_login_sessions\" />\" and\nis not documented with the Information System Security Officer (ISSO) as an\noperational requirement for all domains that have the \"maxlogins\" item\nassigned", "ocil": "Verify Ubuntu 22.04 limits the number of concurrent sessions to\n\"<sub idref=\"var_accounts_max_concurrent_login_sessions\" />\" for all\naccounts and/or account types with the following command:\n<pre>$ grep -r -s maxlogins /etc/security/limits.conf /etc/security/limits.d/*.conf</pre>\n<pre>/etc/security/limits.conf:* hard maxlogins 10</pre>\nThis can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to limit the number of concurrent sessions to\n\"<sub idref=\"var_accounts_max_concurrent_login_sessions\" />\" for all\naccounts and/or account types.\nAdd the following line to the top of the /etc/security/limits.conf or in a\n\".conf\" file defined in /etc/security/limits.d/ :\n<pre>* hard maxlogins 10</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must limit the number of concurrent sessions to ten for all accounts and/or account types.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must limit the number of concurrent sessions to ten for all accounts and/or account types.", "vuldiscussion": "Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.", "checktext": "Verify Ubuntu 22.04 limits the number of concurrent sessions to \"10\" for all accounts and/or account types with the following command:\n\n$ grep -r -s maxlogins /etc/security/limits.conf /etc/security/limits.d/*.conf\n\n/etc/security/limits.conf:* hard maxlogins 10\n\nThis can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.\n\nIf the \"maxlogins\" item is missing, commented out, or the value is set greater than \"10\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the \"maxlogins\" item assigned, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to limit the number of concurrent sessions to \"10\" for all accounts and/or account types.\n\nAdd the following line to the top of the /etc/security/limits.conf or in a \".conf\" file defined in /etc/security/limits.d/ :\n\n* hard maxlogins 10"}}, "platform": "package[pam] and system_with_kernel", "platforms": ["package[pam] and system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_pam_and_system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Limit the Number of Concurrent Login Sessions Allowed Per User", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml", "template": null}