← Back to NetApp ONTAP DSC 9.x Security Technical Implementation Guide

V-246931

CAT II (Medium)

ONTAP must be configured to enforce the limit of three consecutive failed logon attempts.

Rule ID

SV-246931r960840_rule

STIG

NetApp ONTAP DSC 9.x Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000044

Discussion

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.

Check Content

Use the command "security login role config show" to get a list of roles.

For each role, use the command "security login role config show -vserver <vserver_name> -role <role_name>" to view the password requirements for each role. 

If any role has "Maximum Number of Failed Attempts" not set to "3", this is a finding.

Use "security login role config show -role admin -instance" to see the settings for "Maximum Number of Failed Attempts" and “Lockout Duration".

Note: Lockout duration is set by default to lockout for one day or until unlocked by an administrator. It cannot be set to less than one day.

If ONTAP is not configured to enforce a limit of three consecutive invalid logon attempts, this is a finding.

Fix Text

Use the command "security login role config show" to get a list of roles.

For each role, use the command "security login role config show -vserver <vserver_name> -role <role_name>" to view the password requirements for each role. 

For any role that does not have "Maximum Number of Failed Attempts" set to "3", use the command "security login role config modify -role <role_name> -vserver <vserver_name>  -max-failed-login-attempts 3".