
The system must disable accounts after three consecutive unsuccessful login attempts.


Overview

Finding ID: V-48245
Version: SOL-11.1-040140
Rule ID: SV-61117r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Allowing continued access to accounts on the system exposes them to brute-force password-guessing attacks.
STIG: Solaris 11 X86 Security Technical Implementation Guide
Date: 2015-12-07

Details

Check Text (C-50677r1_chk)
Verify RETRIES is set in the login file.

# grep ^RETRIES /etc/default/login

If the output is not RETRIES=3 or fewer, this is a finding.

Verify the account locks after invalid login attempts.

# grep ^LOCK_AFTER_RETRIES /etc/security/policy.conf

If the output is not LOCK_AFTER_RETRIES=YES, this is a finding.

For each user in the system, use the command:

# userattr lock_after_retries [username]

to determine if the user overrides the system value. If the output of this command is "no", this is a finding.
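The three checks above, scripted as an added example (not part of the STIG text or any DISA tooling). It runs off-Solaris against constructed sample files: file paths are passed as arguments, and per-user results are supplied as "user value" lines on stdin, where value is what userattr lock_after_retries <user> would print.

```shell
#!/bin/sh
# Added example for V-48245: emulate the checks against constructed sample
# files. Assumed: config paths are arguments; per-user userattr output is
# fed in as "user value" lines rather than read from a live system.

# 0 (pass) when at least one active RETRIES= line exists and every such line
# is numeric and 3 or fewer; 1 (finding) otherwise. A leading '#' makes the
# line inactive, matching the STIG's anchored grep ^RETRIES.
check_retries() {
    found=0
    while IFS= read -r line; do
        case $line in RETRIES=*) ;; *) continue ;; esac
        found=1
        val=${line#RETRIES=}
        case $val in ''|*[!0-9]*) return 1 ;; esac   # empty or non-numeric
        [ "$val" -le 3 ] || return 1
    done < "$1"
    [ "$found" -eq 1 ]
}

# 0 when an active LOCK_AFTER_RETRIES=YES line is present, 1 otherwise.
check_lock_after_retries() {
    grep -q '^LOCK_AFTER_RETRIES=YES[[:space:]]*$' "$1"
}

# Reads "user value" lines and emits the users whose per-user override is
# "no"; each one printed is a finding under the third check.
users_overriding_lock() {
    awk '$2 == "no" { print $1 }'
}

# Constructed sample inputs (not from a real host), including the
# commented-out lines that the fix text tells you to change.
SAMPLE_DIR=$(mktemp -d)
printf '#RETRIES=5\n' > "$SAMPLE_DIR/login.bad"
printf '#RETRIES=5\nRETRIES=3\n' > "$SAMPLE_DIR/login.good"
printf '#LOCK_AFTER_RETRIES=YES\n' > "$SAMPLE_DIR/policy.bad"
printf 'LOCK_AFTER_RETRIES=YES\n' > "$SAMPLE_DIR/policy.good"

for f in login.bad login.good; do
    if check_retries "$SAMPLE_DIR/$f"; then echo "$f: RETRIES ok"; else echo "$f: finding"; fi
done
for f in policy.bad policy.good; do
    if check_lock_after_retries "$SAMPLE_DIR/$f"; then echo "$f: lock ok"; else echo "$f: finding"; fi
done
printf 'alice yes\nbob no\ncarol yes\n' | users_overriding_lock
```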
Fix Text (F-51853r1_fix)
The root role is required.

# pfedit /etc/default/login

Change the line:

#RETRIES=5

to read

RETRIES=3

# pfedit /etc/security/policy.conf

Change the line containing

#LOCK_AFTER_RETRIES

to read:

LOCK_AFTER_RETRIES=YES


If a user has lock_after_retries set to "no", update the user's attributes using the command:

# usermod -K lock_after_retries=yes [username]