Navigate

Check: GEN000460

IRIX 6.5: GEN000460 (in versions v1 r1 through v1 r0.6)

Title

The system must disable accounts after three consecutive unsuccessful login attempts. (Cat II impact)

Discussion

Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks.

Check Content

Verify MAXTRYS is set in the login file. # grep MAXTRYS /etc/default/login If MAXTRYS is not set or is more than 3, this is a finding. Verify the account locks after invalid login attempts. # grep LOCKOUT /etc/default/login If LOCKOUT is not set to YES, this is a finding.

Fix Text

Set MAXTRYS to 3 in the /etc/default/login file. Set LOCKOUT to 3 in the /etc/default/login file.

Additional Identifiers

Rule ID:

Vulnerability ID: V-766

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000044	The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-7	Unsuccessful Logon Attempts