Check: GEN000460
AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE:
GEN000460
(in versions v1 r14 through v1 r10)
Title
The system must disable accounts after three consecutive unsuccessful login attempts. (Cat II impact)
Discussion
Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks.
Check Content
Check all active accounts on the system for the maximum number of tries before the system will lock the account:

# /usr/sbin/lsuser -a loginretries ALL | more

If a user has values set to 0 or greater than 3, this is a finding.
Fix Text
Use the chsec command to configure the number of unsuccessful logins resulting in account lockout.

# chsec -f /etc/security/user -s default -a loginretries=3
# chsec -f /etc/security/user -s <user id> -a loginretries=3
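As an added example (not part of the STIG text), the following POSIX shell script applies the check logic above to the output of lsuser: every account whose loginretries is 0 (no lockout limit on AIX) or greater than 3 is reported as a finding. The sample lsuser output is constructed, and the script assumes that an account printed without a loginretries attribute inherits the default stanza value, which is passed in as the second argument; on a real host that default can be read with lssec -f /etc/security/user -s default -a loginretries. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example for GEN000460: evaluate "lsuser -a loginretries ALL" output.
# Not the STIG's own code; sample data below is constructed.

# Constructed sample in the "user loginretries=N" format produced by lsuser.
# "carol" is shown without the attribute; this script assumes such an account
# inherits the default stanza value (an assumption of the example).
SAMPLE_LSUSER='root loginretries=3
daemon loginretries=0
alice loginretries=5
bob loginretries=3
carol'

# Constructed default stanza value. On AIX, read the real one with:
#   lssec -f /etc/security/user -s default -a loginretries
DEFAULT_RETRIES=0

# gen000460_findings LSUSER_OUTPUT DEFAULT
# Prints "user loginretries=N" for each account that is a finding:
# loginretries of 0 (unlimited attempts) or greater than 3.
gen000460_findings() {
  printf '%s\n' "$1" | while read -r user rest; do
    [ -n "$user" ] || continue
    case "$rest" in
      loginretries=*) val=${rest#loginretries=} ;;
      *)              val=$2 ;;   # no explicit value: inherit default stanza
    esac
    # 0 means no limit; anything above 3 exceeds the STIG threshold.
    if [ "$val" -eq 0 ] || [ "$val" -gt 3 ]; then
      printf '%s loginretries=%s\n' "$user" "$val"
    fi
  done
}

# gen000460_count LSUSER_OUTPUT DEFAULT: number of findings.
gen000460_count() {
  gen000460_findings "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
gen000460_findings "$SAMPLE_LSUSER" "$DEFAULT_RETRIES"
```

On a live system, replace the constructed sample with the real command output, for example `gen000460_findings "$(/usr/sbin/lsuser -a loginretries ALL)" "$(lssec -f /etc/security/user -s default -a loginretries | sed 's/.*=//')"`; each account the script lists is one the chsec fix above should be applied to, and fixing the default stanza alone does not correct accounts that carry their own explicit, noncompliant value.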
Additional Identifiers
Rule ID: SV-38671r1_rule
Vulnerability ID: V-766
Group Title: GEN000460
Expert Comments
CCIs
Number | Definition
---|---
CCI-000044 | The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
Controls
Number | Title
---|---
AC-7 | Unsuccessful Logon Attempts