Solution
Perform the following to implement the recommended state-
cd /etc/default
awk '/RETRIES=/ { $1 = 'RETRIES=3' } { print }' login >login.new
mv login.new login
pkgchk -f -n -p /etc/default/login
cd /etc/security
awk '/LOCK_AFTER_RETRIES=/ { $1 = 'LOCK_AFTER_RETRIES=YES' } { print }' policy.conf >policy.conf.new
mv policy.conf.new policy.conf
pkgchk -f -n -p /etc/security/policy.conf
Be careful when enabling these settings as they can create a denial-of-service situation for legitimate users and applications. Account lockout can be disabled for specific users via the usermod command. For example, the following command disables account lock specifically for the oracle account-
usermod -K lock_after_retries=no oracle
By default the root account is exempt from account lockout.