UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.


Overview

Finding ID Version Rule ID IA Controls Severity
V-215171 AIX7-00-001003 SV-215171r853451_rule Medium
Description
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
STIG Date
IBM AIX 7.x Security Technical Implementation Guide 2023-02-13

Details

Check Text ( C-16369r293964_chk )
From the command prompt, execute the following command to check the system default value for the maximum number of tries before the system will lock the account:
# lssec -f /etc/security/user -s default -a loginretries

The above command should yield the following output:
default loginretries=0

If the default value is "0" or greater than "3", this is a finding.

From the command prompt, execute the following command to check all active accounts on the system for the maximum number of tries before the system will lock the account:
# lsuser -a loginretries ALL | more

The above command should yield the following output:
root loginretries=3
user1 loginretries=2

If a user has values set to "0" or greater than "3", this is a finding.
Fix Text (F-16367r293965_fix)
From the command prompt, execute the following command to configure the number of unsuccessful logins resulting in account lockout for "default:" stanza in "/etc/security/user" file:
# chsec -f /etc/security/user -s default -a loginretries=3

From the command prompt, execute the following command to configure the number of unsuccessful logins resulting in account lockout for all users who have loginretries values that are 0 or greater than 3:
# chsec -f /etc/security/user -s [user_name] -a loginretries=3