
ONTAP must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.


Overview

Finding ID: V-246931
Version: NAOT-AC-000010
Rule ID: SV-246931r769125_rule
IA Controls: (none listed)
Severity: Medium
Description
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
STIG: NetApp ONTAP DSC 9.x Security Technical Implementation Guide
Date: 2021-07-28

Details

Check Text (C-50363r769123_chk)
Use "security login role config show -role admin -instance" to see the settings for "Maximum Number of Failed Attempts" and "Delay after Each Failed Login Attempt".

If ONTAP is not configured to enforce a limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes, this is a finding.
Fix Text (F-50317r769124_fix)
For each role, configure "security login role config modify -role -max-failed-login-attempts 3" and "security login role config modify -role admin -delay-after-failed-login 60".
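
The check above, automated as an added example (not part of the STIG text or of NetApp's tooling): it parses saved output of "security login role config show -role admin -instance" and compares the two fields named in the Check Text with the values the Fix Text sets (3 and 60). The "Label: value" output layout, the sample text and the function names are assumptions.

```python
import re

# Field labels exactly as quoted in the Check Text.
MAX_ATTEMPTS = "Maximum Number of Failed Attempts"
DELAY = "Delay after Each Failed Login Attempt"

# Constructed sample output (assumed "Label: value" layout, not captured from a system).
SAMPLE_CONFIGURED = """\
                            Role Name: admin
    Maximum Number of Failed Attempts: 3
Delay after Each Failed Login Attempt: 60
"""
# Constructed; the parenthesised suffix is there to exercise label normalisation.
SAMPLE_UNCONFIGURED = """\
                            Role Name: admin
    Maximum Number of Failed Attempts: 0
Delay after Each Failed Login Attempt (Secs): 4
"""


def parse_instance(text):
    """Map each 'Label: value' line to label -> value, dropping a trailing '(...)'."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            label = re.sub(r"\s*\([^)]*\)$", "", label.strip())
            fields[label] = value.strip()
    return fields


def evaluate(text, want_attempts=3, want_delay=60):
    """Return finding strings; an empty list means both fields match the Fix Text values."""
    fields = parse_instance(text)
    findings = []
    for label, want in ((MAX_ATTEMPTS, want_attempts), (DELAY, want_delay)):
        raw = fields.get(label)
        if raw is None or not raw.isdigit():
            # An absent or unset field cannot show the limit is enforced.
            findings.append(f"{label}: missing or non-numeric ({raw!r})")
        elif int(raw) != want:
            findings.append(f"{label}: found {raw}, expected {want}")
    return findings


if __name__ == "__main__":
    for name, sample in (("configured", SAMPLE_CONFIGURED), ("unconfigured", SAMPLE_UNCONFIGURED)):
        print(name, evaluate(sample) or "no finding")
```

Run it once per role, since the settings are stored per role.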