Information
Defines the number of attempts a user has to log in to the system before their account is disabled.
Setting the loginretries attribute ensures that a user has a pre-defined number of attempts to get their password right before the account is locked.
The setting chosen here (5) was agreed by group consensus to be secure enough. However, a local site policy may have a stricter requirement for all, or some, systems.
While the audit and artifact currently test for exactly 5, the actual recommendation is: greater than 0 (zero) AND less than or equal to 5 (five), or equivalently greater than 0 (zero) AND not greater than 5 (five).
Solution
In /etc/security/user, set the default stanza loginretries attribute to 5:
chsec -f /etc/security/user -s default -a loginretries=5
This means that a user will have 5 attempts to enter the correct password. This does not apply to the root user, which has its own stanza entry disabling this feature.
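The following is an added example, not part of the benchmark or its audit file: a shell function that parses a stanza file in the /etc/security/user layout and checks loginretries against the recommended range (greater than 0 and not greater than 5) rather than exactly 5. It also reports per-user stanzas that override the default and skips root. The sample file contents and the user name svcbatch are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit loginretries in an AIX-style /etc/security/user file.

# audit_loginretries [FILE]   (reads standard input when FILE is omitted)
# Prints "<stanza> loginretries=<value> <PASS|FAIL|SKIP>" for every stanza
# that sets the attribute. Returns 0 only when the default stanza holds a
# value greater than 0 and not greater than 5; a missing value returns 1.
audit_loginretries() {
    awk '
        /^\*/ { next }                        # "*" begins a comment line
        /^[^ \t].*:[ \t]*$/ {                 # stanza header such as "default:"
            stanza = $0; sub(/:[ \t]*$/, "", stanza); next
        }
        /^[ \t]+loginretries[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            n = val + 0                       # force a numeric comparison
            if (stanza == "root")                          verdict = "SKIP"
            else if (val ~ /^[0-9]+$/ && n > 0 && n <= 5)  verdict = "PASS"
            else                                           verdict = "FAIL"
            if (stanza == "default" && verdict == "PASS") ok = 1
            printf "%s loginretries=%s %s\n", stanza, val, verdict
        }
        END { exit(ok ? 0 : 1) }
    ' "${1:--}"
}

# Constructed sample input (hypothetical user "svcbatch"), not a real system file.
sample_user_file() {
    cat <<'EOF'
* constructed sample of /etc/security/user
default:
        admin = false
        loginretries = 5

root:
        admin = true
        loginretries = 0

svcbatch:
        loginretries = 0
EOF
}

sample_user_file | audit_loginretries
echo "default stanza check exit status: $?"
```

On an AIX host the configured default can be read directly with `lssec -f /etc/security/user -s default -a loginretries`.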