The system must disable accounts after three consecutive unsuccessful login attempts.

An XCCDF Rule

Description

<VulnDiscussion>Allowing continued access to accounts on the system exposes them to brute-force password-guessing attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-216099r958388_rule
Severity: Medium
References: CCI-000044
Updated: 17 days ago

The root role is required.

# pfedit /etc/default/login

Change the line:
#RETRIES=5

to read

RETRIES=3 

pfedit /etc/security/policy.conf

Change the line containing

#LOCK_AFTER_RETRIES 

to read:

LOCK_AFTER_RETRIES=YES


If a user has lock_after_retries set to "no", update the user's attributes using the command:

# usermod -K lock_after_retries=yes [username]

The system must disable accounts after three consecutive unsuccessful login attempts.

Description

Remediation - Manual Procedure