STIGQter: STIG Summary: Cisco NX-OS Switch NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.

DISA Rule

SV-220480r663921_rule

Vulnerability Number

V-220480

Group Title

SRG-APP-000065-NDM-000214

Rule Version

CISC-ND-000150

Severity

CAT II

CCI(s)

• CCI-000044 - The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.

Weight

10

Fix Recommendation

Configure the Cisco switch to enforce the limit of three consecutive invalid logon attempts as shown in the example below:

SW2(config)# login block-for 900 attempts 3 within 120

Check Contents

Review the Cisco switch configuration to verify that it enforces the limit of three consecutive invalid logon attempts as shown in the example below:

login block-for 900 attempts 3 within 120

Note: The configuration example above will block any login attempt for 15 minutes after three consecutive invalid logon attempts within a two-minute period.

If the Cisco switch is not configured to enforce the limit of three consecutive invalid logon attempts, this is a finding.

Vulnerability Number

V-220480

Documentable

False

Rule Version

CISC-ND-000150

Severity Override Guidance

Review the Cisco switch configuration to verify that it enforces the limit of three consecutive invalid logon attempts as shown in the example below:

login block-for 900 attempts 3 within 120

Note: The configuration example above will block any login attempt for 15 minutes after three consecutive invalid logon attempts within a two-minute period.

If the Cisco switch is not configured to enforce the limit of three consecutive invalid logon attempts, this is a finding.

Check Content Reference

M

Target Key

4066

Comments