STIGQter STIGQter: STIG Summary: Solaris 11 SPARC Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The system must disable accounts after three consecutive unsuccessful login attempts.

DISA Rule

SV-216334r603267_rule

Vulnerability Number

V-216334

Group Title

SRG-OS-000021

Rule Version

SOL-11.1-040140

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The root role is required.

# pfedit /etc/default/login

Change the line:

#RETRIES=5

to read

RETRIES=3

pfedit /etc/security/policy.conf

Change the line containing

#LOCK_AFTER_RETRIES

to read:

LOCK_AFTER_RETRIES=YES


If a user has lock_after_retries set to "no", update the user's attributes using the command:

# usermod -K lock_after_retries=yes [username]

Check Contents

Verify RETRIES is set in the login file.

# grep ^RETRIES /etc/default/login

If the output is not RETRIES=3 or fewer, this is a finding.

Verify the account locks after invalid login attempts.

# grep ^LOCK_AFTER_RETRIES /etc/security/policy.conf

If the output is not LOCK_AFTER_RETRIES=YES, this is a finding.

For each user in the system, use the command:

# userattr lock_after_retries [username]

to determine if the user overrides the system value. If the output of this command is "no", this is a finding.

Vulnerability Number

V-216334

Documentable

False

Rule Version

SOL-11.1-040140

Severity Override Guidance

Verify RETRIES is set in the login file.

# grep ^RETRIES /etc/default/login

If the output is not RETRIES=3 or fewer, this is a finding.

Verify the account locks after invalid login attempts.

# grep ^LOCK_AFTER_RETRIES /etc/security/policy.conf

If the output is not LOCK_AFTER_RETRIES=YES, this is a finding.

For each user in the system, use the command:

# userattr lock_after_retries [username]

to determine if the user overrides the system value. If the output of this command is "no", this is a finding.

Check Content Reference

M

Target Key

4022

Comments