An error occurred:

Check: GEN000460

Solaris 10 X86 STIG: GEN000460 (in versions v2 r4 through v1 r17)

Title

The system must disable accounts after three consecutive unsuccessful login attempts. (Cat II impact)

Discussion

Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks.

Check Content

Verify RETRIES is set in the login file. # grep RETRIES /etc/default/login If RETRIES is not set or is more than 3, this is a finding. Verify the account locks after invalid login attempts. # grep LOCK_AFTER_RETRIES /etc/security/policy.conf If LOCK_AFTER_RETRIES is not set to YES, this is a finding.

Fix Text

Set RETRIES to 3 in the /etc/default/login file. #vi /etc/default/login Set LOCK_AFTER_RETRIES to YES in the /etc/security/policy.conf file. #vi /etc/security/policy.conf

Additional Identifiers

Rule ID: SV-220074r603266_rule

Vulnerability ID: V-220074

Group Title: SRG-OS-000021

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000044

The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-7

Unsuccessful Logon Attempts