You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "David Rose (Jira)" <ji...@apache.org> on 2020/06/16 16:57:02 UTC

[jira] [Created] (NIFI-7538) Per STIG: Rule Title: The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.

David Rose created NIFI-7538:
--------------------------------

             Summary: Per STIG:  Rule Title: The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
                 Key: NIFI-7538
                 URL: https://issues.apache.org/jira/browse/NIFI-7538
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Security
    Affects Versions: 1.9.2
         Environment: CentOS 7.7+
            Reporter: David Rose
             Fix For: 1.9.2


*The following is a Cat-1 STIGĀ  mitigation:*

*The following STIG for installation within the government space*

*Rule Title*{color:#000000}: The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.{color}


*Discussion*: By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced.

Limits are imposed by locking the account.

User notification when three failed logon attempts are exceeded is an operational consideration determined by the application owner. In some instances the operational situation may dictate that no notice is to be provided to the user when their account is locked. In other situations, the user may be notified their account is now locked. This decision is left to the application owner based upon their operational scenarios.


*Check Text*: All testing must be performed within a 15-minute window.

Log on to the application with a test user account.

Intentionally enter an incorrect user password or pin.

Repeat 2 times within 15 minutes for a total of three failed attempts.

Notification of a locked account may or may not be provided.

Using the correct user password or pin, attempt to logon a 4th time.

If the logon is successful upon the 4th attempt the account was not locked after the third failed attempt and this is a finding.


*Fix Text*: Configure the application to enforce an account lock after 3 failed logon attempts occurring within a 15-minute window.


*References*
----
*CCI*: CCI-000044: The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
NIST SP 800-53 :: AC-7 a
NIST SP 800-53A :: AC-7.1 (ii)
NIST SP 800-53 Revision 4 :: AC-7 a



--
This message was sent by Atlassian Jira
(v8.3.4#803005)