The system must disable accounts after three consecutive unsuccessful login attempts.


Overview

Finding ID: V-766
Version: GEN000460
Rule ID: SV-38671r1_rule
IA Controls: ECLO-1, ECLO-2
Severity: Medium
Description
Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks.
STIG: AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE
Date: 2018-09-18

Details

Check Text (C-36678r1_chk)
# /usr/sbin/lsuser -a loginretries ALL | more
Check all active accounts on the system for the maximum number of unsuccessful login attempts allowed before the system locks the account. If any user has a value of 0 or greater than 3, this is a finding.
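The check above is a manual review of lsuser output. The following shell function is an added example, not part of the STIG text, that automates that review: it reads lines in the form lsuser prints ("<user> loginretries=<n>"), treats an account with no explicit value as inheriting the default stanza value passed as the first argument, and reports every account whose effective value is 0 or greater than 3. The sample input is constructed for illustration; on a real AIX host the function would be fed by the lsuser command from the check text.

```shell
#!/bin/sh
# Added example (not part of the STIG page): evaluate "lsuser -a loginretries ALL"
# style output against GEN000460. Assumed input format: one account per line,
# "<user> loginretries=<n>"; a line with only the user name means the attribute
# is not set for that account and the default stanza value applies.
#
# Usage: check_loginretries <default_stanza_value> < lsuser_output
# Exit status: 0 when every account is compliant, 1 when any finding was reported.
check_loginretries() {
    default="$1"        # effective value for accounts without an explicit setting
    findings=0
    while read -r user rest; do
        [ -z "$user" ] && continue
        case "$rest" in
            loginretries=*) value="${rest#loginretries=}" ;;
            *)              value="$default" ;;
        esac
        # Reject anything that is not a plain non-negative integer rather than
        # silently passing it through the numeric comparison below.
        case "$value" in
            ''|*[!0-9]*)
                echo "FINDING: $user loginretries='$value' (not a number)"
                findings=$((findings + 1))
                continue ;;
        esac
        # 0 means no lockout at all; anything above 3 exceeds the STIG limit.
        if [ "$value" -eq 0 ] || [ "$value" -gt 3 ]; then
            echo "FINDING: $user loginretries=$value"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample output (not captured from a real system).
SAMPLE_LSUSER_OUTPUT='root loginretries=3
daemon loginretries=0
alice loginretries=5
bob loginretries=2
carol'

# Demo run against the constructed sample with an (assumed) unset default stanza,
# which behaves like 0. On AIX replace the printf with:
#   /usr/sbin/lsuser -a loginretries ALL | check_loginretries <default_stanza_value>
printf '%s\n' "$SAMPLE_LSUSER_OUTPUT" | check_loginretries 0 \
    || echo "non-compliant accounts found"
```

Passing the default stanza value explicitly matters: an account with no loginretries line is only compliant if the default stanza itself is set to a value between 1 and 3, so the script should be run once with the real default from /etc/security/user rather than assuming the per-user listing is complete.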
Fix Text (F-31633r1_fix)
Use the chsec command to configure the number of unsuccessful logins resulting in account lockout.

# chsec -f /etc/security/user -s default -a loginretries=3
# chsec -f /etc/security/user -s <username> -a loginretries=3

The first command sets the value in the default stanza, which applies to every account without its own setting; the second sets it for an individual account stanza (the page does not name the account, so <username> is a placeholder to replace with the account being fixed).