AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-91219	AIX7-00-001003	SV-101319r1_rule		Medium

Description
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128

STIG	Date
IBM AIX 7.x Security Technical Implementation Guide	2020-02-24

Details

Check Text ( C-90375r1_chk )
From the command prompt, execute the following command to check the system default value for the maximum number of tries before the system will lock the account: # lssec -f /etc/security/user -s default -a loginretries The above command should yield the following output: default loginretries=0 If the default value is "0" or greater than "3", this is a finding. From the command prompt, execute the following command to check all active accounts on the system for the maximum number of tries before the system will lock the account: # lsuser -a loginretries ALL \| more The above command should yield the following output: root loginretries=3 user1 loginretries=2 If a user has values set to "0" or greater than "3", this is a finding.

Check Text ( C-90375r1_chk )

From the command prompt, execute the following command to check the system default value for the maximum number of tries before the system will lock the account:
# lssec -f /etc/security/user -s default -a loginretries

The above command should yield the following output:
default loginretries=0

If the default value is "0" or greater than "3", this is a finding.

From the command prompt, execute the following command to check all active accounts on the system for the maximum number of tries before the system will lock the account:
# lsuser -a loginretries ALL | more

The above command should yield the following output:
root loginretries=3
user1 loginretries=2

If a user has values set to "0" or greater than "3", this is a finding.

Fix Text (F-97419r1_fix)
From the command prompt, execute the following command to configure the number of unsuccessful logins resulting in account lockout for "default:" stanza in "/etc/security/user" file: # chsec -f /etc/security/user -s default -a loginretries=3 From the command prompt, execute the following command to configure the number of unsuccessful logins resulting in account lockout for all users who have loginretries values that are 0 or greater than 3: # chsec -f /etc/security/user -s [user_name] -a loginretries=3

Fix Text (F-97419r1_fix)

From the command prompt, execute the following command to configure the number of unsuccessful logins resulting in account lockout for "default:" stanza in "/etc/security/user" file:
# chsec -f /etc/security/user -s default -a loginretries=3

From the command prompt, execute the following command to configure the number of unsuccessful logins resulting in account lockout for all users who have loginretries values that are 0 or greater than 3:
# chsec -f /etc/security/user -s [user_name] -a loginretries=3