AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-215171 | AIX7-00-001003 | SV-215171r958388_rule | CCI-000044 | medium |
| Description | ||||
| By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128 | ||||
| STIG | Date | |||
| IBM AIX 7.x Security Technical Implementation Guide | 2024-08-16 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-7
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.8
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000044
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-215171r958388_chk)
From the command prompt, execute the following command to check the system default value for the maximum number of tries before the system will lock the account:
# lssec -f /etc/security/user -s default -a loginretries
The above command should yield the following output:
default loginretries=0
If the default value is "0" or greater than "3", this is a finding.
From the command prompt, execute the following command to check all active accounts on the system for the maximum number of tries before the system will lock the account:
# lsuser -a loginretries ALL | more
The above command should yield the following output:
root loginretries=3
user1 loginretries=2
If a user has values set to "0" or greater than "3", this is a finding.
Fix Text (F-16367r293965_fix)
From the command prompt, execute the following command to configure the number of unsuccessful logins resulting in account lockout for "default:" stanza in "/etc/security/user" file:
# chsec -f /etc/security/user -s default -a loginretries=3
From the command prompt, execute the following command to configure the number of unsuccessful logins resulting in account lockout for all users who have loginretries values that are 0 or greater than 3:
# chsec -f /etc/security/user -s [user_name] -a loginretries=3