ONTAP must be configured to enforce the limit of three consecutive failed logon attempts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-246931 | NAOT-AC-000010 | SV-246931r877996_rule | Medium |
| Description |
|---|
| By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. |
| STIG | Date |
|---|---|
| NetApp ONTAP DSC 9.x Security Technical Implementation Guide | 2022-11-21 |
Details
| Check Text ( C-50363r877994_chk ) |
|---|
| Use the command "security login role config show" to get a list of roles. For each role, use the command "security login role config show -vserver If any role has "Maximum Number of Failed Attempts" not set to "3", this is a finding. Use "security login role config show -role admin -instance" to see the settings for "Maximum Number of Failed Attempts" and “Lockout Duration". Note: Lockout duration is set by default to lockout for one day or until unlocked by an administrator. It cannot be set to less than one day. If ONTAP is not configured to enforce a limit of three consecutive invalid logon attempts, this is a finding. |
| Fix Text (F-50317r877995_fix) |
|---|
| Use the command "security login role config show" to get a list of roles. For each role, use the command "security login role config show -vserver For any role that does not have "Maximum Number of Failed Attempts" set to "3", use the command "security login role config modify -role |