6.15 Set Retry Limit for Account Lockout - RETRIES = 3

Information

The RETRIES parameter is the number of failed login attempts a user is allowed before
being disconnected from the system and forced to reconnect. When LOCK_AFTER_RETRIES
is set in /etc/security/policy.conf, then the user's account is locked after this many
failed retries (the account can only be unlocked by the administrator using the command-
passwd -u <username>). The account lockout threshold (RETRIES parameter) restricts the
number of failed login attempts allowed before requiring the offending account be locked.
The lockout requirement will help block malicious users from gaining access to the host via
automated, repetitive brute-force login exploits--trying different passwords until one fits a
user name.

Setting the failed login limit to an appropriate value locks the user account, which will
severely limit the speed of such attacks, making it much more likely that the attacker's
pattern will be noticed and the offending source address and/or port blocked, so this
should be set according to the needs of the user.

Solution

Perform the following to implement the recommended state-# cd /etc/default
# awk '/RETRIES=/ { $1 = 'RETRIES=3' }
{ print }' login >login.CIS
# mv login.CIS login
# cd /etc/security
# awk '/LOCK_AFTER_RETRIES=/
{ $1 = 'LOCK_AFTER_RETRIES=YES' }
{ print }' policy.conf > policy.conf.CIS
# mv policy.conf.CIS policy.conf
# svcadm restart svc-/system/name-service/cacheBe careful when enabling these settings as they can create a denial-of-service situation for
legitimate users and applications. Account lockout can be disabled for specific users via the
usermod command. For example, the following command disables account lock specifically
for the oracle account-# usermod -K lock_after_retries=no oracleNote- The root role is configured in this manner by default to prevent accidental lock out.

See Also

https://workbench.cisecurity.org/files/616

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7a., CSCv6|16.7

Plugin: Unix

Control ID: 56a7a34bccb724300d5493525276112db651aafe1a13c4ddaa2e9c5526c0e708