The system must disable accounts after three consecutive unsuccessful login attempts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-766 | GEN000460 | SV-38445r1_rule | ECLO-1 ECLO-2 | Medium |
| Description |
|---|
| Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks. |
| STIG | Date |
|---|---|
| HP-UX 11.31 Security Technical Implementation Guide | 2013-03-28 |
Details
| Check Text ( C-36249r1_chk ) |
|---|
| Check the u_maxtries setting. # more /tcb/files/auth/system/default Look for the value of the u_maxtries variable in the file. This will give you the maximum number of tries before the system will lock the account. If this value is 0 or greater than 3, this is a finding. |
| Fix Text (F-31506r1_fix) |
|---|
| SMH is installed with defaults. Modify the env variables and tag values using the HP-SMH. Locate and set the number of login tries to 3. |