UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must disable accounts after three consecutive unsuccessful login attempts.


Overview

Finding ID Version Rule ID IA Controls Severity
V-216099 SOL-11.1-040140 SV-216099r603268_rule Medium
Description
Allowing continued access to accounts on the system exposes them to brute-force password-guessing attacks.
STIG Date
Solaris 11 x86 Security Technical Implementation Guide 2024-02-02

Details

Check Text ( C-17337r372679_chk )
Verify RETRIES is set in the login file.

# grep ^RETRIES /etc/default/login

If the output is not RETRIES=3 or fewer, this is a finding.

Verify the account locks after invalid login attempts.

# grep ^LOCK_AFTER_RETRIES /etc/security/policy.conf

If the output is not LOCK_AFTER_RETRIES=YES, this is a finding.

For each user in the system, use the command:

# userattr lock_after_retries [username]

to determine if the user overrides the system value. If the output of this command is "no", this is a finding.
Fix Text (F-17335r372680_fix)
The root role is required.

# pfedit /etc/default/login

Change the line:

#RETRIES=5

to read

RETRIES=3

pfedit /etc/security/policy.conf

Change the line containing

#LOCK_AFTER_RETRIES

to read:

LOCK_AFTER_RETRIES=YES


If a user has lock_after_retries set to "no", update the user's attributes using the command:

# usermod -K lock_after_retries=yes [username]