STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.

DISA Rule

SV-215171r508663_rule

Vulnerability Number

V-215171

Group Title

SRG-OS-000021-GPOS-00005

Rule Version

AIX7-00-001003

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the command prompt, execute the following command to configure the number of unsuccessful logins resulting in account lockout for the "default:" stanza in the "/etc/security/user" file:
# chsec -f /etc/security/user -s default -a loginretries=3

From the command prompt, execute the following command to configure the number of unsuccessful logins resulting in account lockout for all users who have loginretries values that are 0 or greater than 3:
# chsec -f /etc/security/user -s [user_name] -a loginretries=3

Check Contents

From the command prompt, execute the following command to check the system default value for the maximum number of tries before the system will lock the account:
# lssec -f /etc/security/user -s default -a loginretries

The above command should yield the following output:
default loginretries=0

If the default value is "0" or greater than "3", this is a finding.

From the command prompt, execute the following command to check all active accounts on the system for the maximum number of tries before the system will lock the account:
# lsuser -a loginretries ALL | more

The above command should yield the following output:
root loginretries=3
user1 loginretries=2

If a user has values set to "0" or greater than "3", this is a finding.
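The check above has to be read across every stanza by hand. The following POSIX shell script is an added example, not part of the DISA STIG or the STIGQter tool: it applies the rule's finding condition (a loginretries value of 0 or greater than 3) to the output format of "lssec" and "lsuser" shown above. Because those commands only exist on AIX, the sample output is constructed inline; on a real host you would pipe the live output of "lssec -f /etc/security/user -s default -a loginretries" and "lsuser -a loginretries ALL" into check_loginretries instead.

```shell
#!/bin/sh
# Added example: audit loginretries values against the STIG condition
# (0 or greater than 3 is a finding). Sample output is constructed to
# match the "<name> loginretries=<n>" format shown in the check text.

SAMPLE_DEFAULT='default loginretries=0'
SAMPLE_USERS='root loginretries=3
user1 loginretries=2
user2 loginretries=0
user3 loginretries=5
user4 loginretries=3'

# is_finding VALUE: succeeds (exit 0) when VALUE is a finding.
# A missing or non-numeric value is treated as a finding so that a
# malformed attribute can never silently pass.
is_finding() {
    case "$1" in
        ''|*[!0-9]*) return 0 ;;
    esac
    [ "$1" -eq 0 ] || [ "$1" -gt 3 ]
}

# check_loginretries: reads "<name> loginretries=<n>" lines on stdin and
# prints "<name> <n>" for every stanza whose value is a finding.
check_loginretries() {
    while read -r name attr; do
        [ -z "$name" ] && continue
        value=${attr#loginretries=}
        if is_finding "$value"; then
            printf '%s %s\n' "$name" "$value"
        fi
    done
}

# count_findings: number of finding stanzas in the combined sample output.
count_findings() {
    printf '%s\n%s\n' "$SAMPLE_DEFAULT" "$SAMPLE_USERS" \
        | check_loginretries | wc -l | tr -d ' '
}

# Stand-alone run: print the findings from the constructed sample.
printf '%s\n%s\n' "$SAMPLE_DEFAULT" "$SAMPLE_USERS" | check_loginretries
```

With the constructed sample the script reports three findings: the "default" stanza (0), user2 (0) and user3 (5); root, user1 and user4 pass because their values are between 1 and 3.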

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

4012

Comments