2.2.11 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

The SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter determines how many failed login attempts are allowed before Oracle closes the login connection.

Rationale:

Allowing an unlimited number of login attempts for a user connection can facilitate both brute-force login attacks and denial-of-service conditions.

Solution

To remediate this setting, execute the following SQL statement.

ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 3 SCOPE = SPFILE;
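Because the statement uses SCOPE = SPFILE, the running instance keeps its previous value until it is restarted. The query below is an added example, not part of the benchmark or audit text; it compares the value in effect with the value stored in the SPFILE, and assumes the session has SELECT access to the V$SYSTEM_PARAMETER and V$SPPARAMETER views.

```sql
-- Added example (not from the benchmark): verify SEC_MAX_FAILED_LOGIN_ATTEMPTS.
-- First row:  the value the running instance enforces right now.
-- Other rows: the value stored in the SPFILE, applied at the next restart.
SELECT 'running instance'  AS source,
       '*'                 AS sid,
       value               AS setting,
       CASE
         WHEN TO_NUMBER(value) <= 3 THEN 'PASS'
         ELSE 'FAIL'
       END                 AS status
FROM   v$system_parameter
WHERE  UPPER(name) = 'SEC_MAX_FAILED_LOGIN_ATTEMPTS'
UNION ALL
SELECT 'spfile (next restart)',
       sid,
       NVL(value, '(not set)'),
       CASE
         WHEN isspecified = 'FALSE' THEN 'NOT SET'  -- no SPFILE entry; the default applies
         WHEN TO_NUMBER(value) <= 3 THEN 'PASS'
         ELSE 'FAIL'
       END
FROM   v$spparameter
WHERE  UPPER(name) = 'SEC_MAX_FAILED_LOGIN_ATTEMPTS';
```

A FAIL on the first row together with a PASS on the SPFILE row means the remediation has been recorded but the instance has not yet been restarted.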

See Also

https://workbench.cisecurity.org/files/2868