STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-216334

CAT II (Medium)

The system must disable accounts after three consecutive unsuccessful login attempts.

Rule ID

SV-216334r958388_rule

STIG

Solaris 11 SPARC Security Technical Implementation Guide

Version

V3R5

CCIs

CCI-000044

Discussion

Allowing continued access to accounts on the system exposes them to brute-force password-guessing attacks.

Check Content

Verify RETRIES is set in the login file.

# grep ^RETRIES /etc/default/login

If the output is not RETRIES=3 or fewer, this is a finding.

Verify the account locks after invalid login attempts.

# grep ^LOCK_AFTER_RETRIES /etc/security/policy.conf

If the output is not LOCK_AFTER_RETRIES=YES, this is a finding.

For each user in the system, use the command:

# userattr lock_after_retries [username]

to determine if the user overrides the system value. If the output of this command is "no", this is a finding.
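The three checks above combined into one audit script, as an added example that is not part of the STIG text. It assumes accounts are enumerated from /etc/passwd and that userattr prints the attribute value as described above; the USERATTR variable and the --run switch are hypothetical conveniences for testing.

```shell
#!/bin/sh
# Added example: audits the settings named in the Check Content above.
# Paths are arguments so the checks can be run against copies of the files.

# Print the value of the last uncommented KEY=value line in FILE.
conf_value() {
    sed -n "s/^$1=//p" "$2" 2>/dev/null | tail -n 1 | tr -d ' \t\r'
}

# Pass only if RETRIES is set, numeric, and 3 or fewer.
check_retries() {
    v=$(conf_value RETRIES "${1:-/etc/default/login}")
    case "$v" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$v" -le 3 ]
}

# Pass only if LOCK_AFTER_RETRIES=YES is set.
check_lock_policy() {
    [ "$(conf_value LOCK_AFTER_RETRIES "${1:-/etc/security/policy.conf}")" = "YES" ]
}

# Print each user whose lock_after_retries attribute is "no".
# USERATTR is a hypothetical override hook for testing; default is userattr.
users_overriding() {
    cut -d: -f1 "${1:-/etc/passwd}" | while read -r u; do
        if [ "$(${USERATTR:-userattr} lock_after_retries "$u" 2>/dev/null)" = "no" ]; then
            echo "$u"
        fi
    done
}

# Run all three checks; return 1 if any produces a finding.
audit() {
    rc=0
    check_retries "$1" || { echo "FINDING: RETRIES is not 3 or fewer"; rc=1; }
    check_lock_policy "$2" || { echo "FINDING: LOCK_AFTER_RETRIES is not YES"; rc=1; }
    bad=$(users_overriding "$3" | tr '\n' ' ')
    [ -z "$bad" ] || { echo "FINDING: lock_after_retries=no for: $bad"; rc=1; }
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then audit; fi
```

Run it with `--run` to audit the live files; a commented-out default such as `#RETRIES=5` counts as unset and is reported as a finding.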

Fix Text

The root role is required.

# pfedit /etc/default/login

Change the line:

#RETRIES=5

to read

RETRIES=3

# pfedit /etc/security/policy.conf

Change the line containing

#LOCK_AFTER_RETRIES

to read:

LOCK_AFTER_RETRIES=YES


If a user has lock_after_retries set to "no", update the user's attributes using the command:

# usermod -K lock_after_retries=yes [username]