David Rose created NIFI-7538:
--------------------------------

             Summary: Per STIG:  Rule Title: The application must enforce the 
limit of three consecutive invalid logon attempts by a user during a 15 minute 
time period.
                 Key: NIFI-7538
                 URL: https://issues.apache.org/jira/browse/NIFI-7538
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Security
    Affects Versions: 1.9.2
         Environment: CentOS 7.7+
            Reporter: David Rose
             Fix For: 1.9.2


*The following is a Cat-1 STIG mitigation:*

*The following STIG applies to installation within the government space*

*Rule Title*: The application must enforce the limit of three 
consecutive invalid logon attempts by a user during a 15 minute time 
period.


*Discussion*: By limiting the number of failed logon attempts, the risk of 
unauthorized system access via user password guessing, otherwise known as brute 
forcing, is reduced.

Limits are imposed by locking the account.

User notification when three failed logon attempts are exceeded is an 
operational consideration determined by the application owner. In some 
instances the operational situation may dictate that no notice is to be 
provided to the user when their account is locked. In other situations, the 
user may be notified their account is now locked. This decision is left to the 
application owner based upon their operational scenarios.


*Check Text*: All testing must be performed within a 15-minute window.

Log on to the application with a test user account.

Intentionally enter an incorrect user password or pin.

Repeat 2 times within 15 minutes for a total of three failed attempts.

Notification of a locked account may or may not be provided.

Using the correct user password or pin, attempt to log on a 4th time.

If the logon is successful upon the 4th attempt the account was not locked 
after the third failed attempt and this is a finding.


*Fix Text*: Configure the application to enforce an account lock after 3 failed 
logon attempts occurring within a 15-minute window.


*References*
----
*CCI*: CCI-000044: The information system enforces the organization-defined 
limit of consecutive invalid logon attempts by a user during the 
organization-defined time period.
NIST SP 800-53 :: AC-7 a
NIST SP 800-53A :: AC-7.1 (ii)
NIST SP 800-53 Revision 4 :: AC-7 a
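The Check Text and Fix Text above describe one concrete policy: count invalid logon attempts per user inside a sliding 15-minute window, lock the account on the third, and keep it locked even when the fourth attempt carries the correct password. The following Python sketch is an added example written for this ticket, not code from Apache NiFi (which is written in Java) and not an implementation the reporter proposed; the names `LockoutPolicy`, `Outcome` and `stig_check_passes` are assumptions, and the timestamps are constructed for the demonstration. `stig_check_passes` replays the four-step check procedure from the STIG against the policy and reports whether the account was locked after the third failure, which is what an auditor would look for.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from enum import Enum


class Outcome(Enum):
    """Result of a logon attempt as seen by the authentication layer.

    Whether LOCKED is shown to the end user or collapsed into a generic
    failure is the application owner's decision (see Discussion above);
    the policy only has to record it accurately for auditing.
    """
    SUCCESS = "success"
    INVALID_CREDENTIALS = "invalid_credentials"
    LOCKED = "locked"


class LockoutPolicy:
    """Lock an account after `max_failures` invalid attempts inside `window`.

    Constructed example implementing the STIG rule (CCI-000044 / AC-7 a):
    defaults are 3 failures in 15 minutes. The window slides: a failure
    older than 15 minutes no longer counts, so the check must be run
    inside one 15-minute period, exactly as the Check Text requires.
    """

    def __init__(self, max_failures: int = 3,
                 window: timedelta = timedelta(minutes=15)) -> None:
        self.max_failures = max_failures
        self.window = window
        # user -> timestamps of recent invalid attempts (oldest first)
        self._failures: dict[str, deque[datetime]] = defaultdict(deque)
        self._locked: set[str] = set()

    def _prune(self, user: str, now: datetime) -> None:
        """Drop failures that fell out of the sliding window."""
        recent = self._failures[user]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, user: str) -> bool:
        return user in self._locked

    def record_attempt(self, user: str, credentials_valid: bool,
                       now: datetime) -> Outcome:
        """Apply the policy to one logon attempt and return its outcome.

        The lock is checked *before* the credentials, so a correct
        password on the 4th attempt is still refused (the finding the
        Check Text looks for is the opposite: a successful 4th logon).
        """
        if user in self._locked:
            return Outcome.LOCKED
        self._prune(user, now)
        if credentials_valid:
            # A successful logon ends the current run of failures.
            self._failures[user].clear()
            return Outcome.SUCCESS
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.max_failures:
            # Lock stays in place until an administrator clears it;
            # the STIG does not mandate automatic unlock.
            self._locked.add(user)
        return Outcome.INVALID_CREDENTIALS

    def unlock(self, user: str) -> None:
        """Administrative unlock; also resets the failure history."""
        self._locked.discard(user)
        self._failures[user].clear()


def stig_check_passes(policy: LockoutPolicy, user: str, start: datetime,
                      spacing: timedelta = timedelta(minutes=1)) -> bool:
    """Replay the STIG Check Text: three bad attempts, then a correct one.

    Returns True when the 4th attempt is refused because the account is
    locked (compliant) and False when it succeeds (a finding).
    """
    for i in range(3):
        policy.record_attempt(user, False, start + i * spacing)
    fourth = policy.record_attempt(user, True, start + 3 * spacing)
    return fourth == Outcome.LOCKED


if __name__ == "__main__":
    # Constructed timeline: three failures in ten minutes, then the real password.
    t0 = datetime(2020, 6, 15, 9, 0, 0)
    policy = LockoutPolicy()
    print("compliant:", stig_check_passes(policy, "test.user", t0))
```

The sliding window also means that three failures spread over more than 15 minutes do not lock the account, which is why the Check Text insists that all four attempts happen inside one 15-minute period; the test below covers both the compliant path and that aging-out case.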



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
