3.1.2.3 loginretries

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Defines the number of attempts a user has to log in to the system before their account is disabled.

Rationale:

Setting the loginretries attribute ensures that a user has a pre-defined number of attempts to get their password right before the account is locked.

Impact:

The setting chosen here (5) is a group consensus as secure enough. However, a local site policy may have a stricter requirement for all or some systems.

While the audit and artifact currently test for exactly 5, the actual recommendation is a value greater than 0 (zero) AND less than or equal to 5 (five); in other words, greater than 0 (zero) and not greater than 5 (five).

Solution

In /etc/security/user, set the default stanza loginretries attribute to 5:

chsec -f /etc/security/user -s default -a loginretries=5

This means that a user will have 5 attempts to enter the correct password. This does not apply to the root user, which has its own stanza entry disabling this feature.
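The check described above, as an added example that is not part of the audit or of the CIS benchmark: a portable shell script that parses a stanza file in the layout of /etc/security/user and reports whether the default stanza's loginretries is in the recommended range (greater than 0 and not greater than 5) rather than testing for exactly 5. The sample file contents are constructed; the script does not need chsec or lssec, so it runs on any system with awk.

```shell
#!/bin/sh
# Added example (not from the audit page): audit loginretries in an
# AIX-style /etc/security/user stanza file using only sh and awk.
# Constructed sample: a default stanza that sets loginretries, and a
# root stanza that disables the limit with 0, as the page describes.
SAMPLE_USER_FILE=$(cat <<'EOF'
*
* /etc/security/user (constructed sample for this example)
*
default:
        admin = false
        login = true
        loginretries = 5
        umask = 022

root:
        admin = true
        loginretries = 0
EOF
)

# Print the value of attribute $2 inside stanza $1 of a stanza file read
# from stdin. Lines beginning with '*' are comments; a stanza starts at a
# "name:" line in column 0 and runs until the next such line.
stanza_attr() {
    stanza="$1"; attr="$2"
    awk -v s="$stanza" -v a="$attr" '
        /^\*/ { next }                               # comment line
        /^[^ \t]+:[ \t]*$/ { cur = substr($1, 1, length($1) - 1); next }
        cur == s {
            sub(/^[ \t]+/, "")                       # drop indentation
            split($0, kv, /[ \t]*=[ \t]*/)           # "key = value"
            if (kv[1] == a) { print kv[2]; exit }
        }'
}

# Return 0 when the default stanza sets loginretries to a value in 1..5
# (the recommendation: greater than 0 and not greater than 5). An unset
# attribute means "no limit" (the default) and is reported as a finding.
check_loginretries() {
    v=$(printf '%s\n' "$1" | stanza_attr default loginretries)
    case "$v" in
        ''|*[!0-9]*) return 1 ;;                     # unset or non-numeric
    esac
    [ "$v" -gt 0 ] && [ "$v" -le 5 ]
}

if check_loginretries "$SAMPLE_USER_FILE"; then
    echo "PASS: default stanza loginretries is within 1..5"
else
    echo "FAIL: default stanza loginretries missing or outside 1..5"
fi
```

To audit a live system instead of the sample, pass the contents of /etc/security/user to check_loginretries (for example, `check_loginretries "$(cat /etc/security/user)"`); a separate call of stanza_attr with the root stanza shows the root entry the page mentions.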

Default Value:

No limit

See Also

https://workbench.cisecurity.org/files/3525