STIGQter: STIG Summary: Cisco IOS XE Switch NDM Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco switch must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.

DISA Rule

SV-220524r531084_rule

Vulnerability Number

V-220524

Group Title

SRG-APP-000065-NDM-000214

Rule Version

CISC-ND-000150

Severity

CAT II

CCI(s)

• CCI-000044 - The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.

Weight

10

Fix Recommendation

Configure the Cisco switch to enforce the limit of three consecutive invalid logon attempts as shown in the example below:

SW2(config)#login block-for 900 attempts 3 within 120

Check Contents

Review the Cisco switch configuration to verify that it enforces the limit of three consecutive invalid logon attempts as shown in the example below:

login block-for 900 attempts 3 within 120

Note: The configuration example above will block any login attempt for 15 minutes after three consecutive invalid logon attempts within a two-minute period.

If the Cisco switch is not configured to enforce the limit of three consecutive invalid logon attempts, this is a finding.

Vulnerability Number

V-220524

Documentable

False

Rule Version

CISC-ND-000150

Severity Override Guidance

Review the Cisco switch configuration to verify that it enforces the limit of three consecutive invalid logon attempts as shown in the example below:

login block-for 900 attempts 3 within 120

Note: The configuration example above will block any login attempt for 15 minutes after three consecutive invalid logon attempts within a two-minute period.

If the Cisco switch is not configured to enforce the limit of three consecutive invalid logon attempts, this is a finding.

Check Content Reference

M

Target Key

4067

Comments