The system must disable accounts after three consecutive unsuccessful logon attempts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-766	GEN000460	SV-38445r3_rule		Medium

Description
Disabling accounts after a limited number of unsuccessful logon attempts improves protection against password guessing attacks.

STIG	Date
HP-UX 11.31 Security Technical Implementation Guide	2018-09-14

Details

Check Text ( C-36249r4_chk )
For Trusted Mode: The u_maxtries attribute in the /tcb/files/auth/system/default file controls whether an account is locked after too many consecutive authentication failures. An account is locked after “N” consecutive authentication failures. Check the global setting for “u_maxtries” is set to “N=3”. # grep u_maxtries /tcb/files/auth/system/default If the “u_maxtries” attribute is not set to “3”, this is a finding. For SMSE: The AUTH_MAXTRIES attribute in the /etc/default/security configuration file controls whether an account is locked after too many consecutive authentication failures. An account is locked after N+1 consecutive authentication failures. Check the setting for “AUTH_MAXTRIES” attribute is set to “N=2”. # userdbget -a AUTH_MAXTRIES If the attribute “AUTH_MAXTRIES” is not set to “2”, this is a finding.

Check Text ( C-36249r4_chk )

For Trusted Mode:
The u_maxtries attribute in the /tcb/files/auth/system/default file controls whether an account is locked after too many consecutive authentication failures. An account is locked after “N” consecutive authentication failures.

Check the global setting for “u_maxtries” is set to “N=3”.

# grep u_maxtries /tcb/files/auth/system/default

If the “u_maxtries” attribute is not set to “3”, this is a finding.

For SMSE:
The AUTH_MAXTRIES attribute in the /etc/default/security configuration file controls whether an account is locked after too many consecutive authentication failures. An account is locked after N+1 consecutive authentication failures.

Check the setting for “AUTH_MAXTRIES” attribute is set to “N=2”.

# userdbget -a AUTH_MAXTRIES

If the attribute “AUTH_MAXTRIES” is not set to “2”, this is a finding.

Fix Text (F-31506r3_fix)
For Trusted Mode: Use the SAM/SMH interface or edit the /tcb/files/auth/system/default file and update the u_maxtries attribute. See the below example: :u_maxtries#3: If manually editing the file, save any change(s) before exiting the editor. For SMSE: Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file. Use the SAM/SMH interface (/etc/default/security file) and/or the userdbset command (/var/adm/userdb/* files) to update the attribute. See the below example: AUTH_MAXTRIES=2 Note: Never use a text editor to modify any /var/adm/userdb database file. The database contains checksums and other binary data, and editors (vi included) do not follow the file locking conventions that are used to control access to the database. If manually editing the /etc/default/security file, save any change(s) before exiting the editor.

Fix Text (F-31506r3_fix)

For Trusted Mode:
Use the SAM/SMH interface or edit the /tcb/files/auth/system/default file and update the u_maxtries attribute. See the below example:

:u_maxtries#3:

If manually editing the file, save any change(s) before exiting the editor.

For SMSE:
Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file.

Use the SAM/SMH interface (/etc/default/security file) and/or the userdbset command (/var/adm/userdb/* files) to update the attribute. See the below example:

AUTH_MAXTRIES=2

Note: Never use a text editor to modify any /var/adm/userdb database file. The database contains checksums and other binary data, and editors (vi included) do not follow the file locking conventions that are used to control access to the database.

If manually editing the /etc/default/security file, save any change(s) before exiting the editor.