AIX Security Expert Login Policy Recommendations group

AIX® Security Expert provides specific settings for login policy.

Note: For better accountability of security-related activity performed as root, users should log in with their own user ID and then run the su command to execute commands as root, rather than logging in as root directly. When several users know and use the root password, the system can then attribute actions taken through the root account to the individual user who performed them.
Table 1. AIX Security Expert Login Policy Recommendations

| Action button name | Description | Value set by AIX Security Expert | Undo |
|---|---|---|---|
| Interval between unsuccessful logins | Sets the logininterval attribute in /etc/security/login.cfg, which specifies the time interval (in seconds) within which the unsuccessful login attempts on a port must occur before the port is disabled. For example, if logininterval is set to 60 and logindisable is set to 4, the account is disabled after four unsuccessful login attempts within one minute. | High Level Security: 300; Medium Level Security: 60; Low Level Security: No effect; AIX Standard Settings: No limit | Yes |
| Number of login attempts before locking the account | Sets the loginretries attribute in /etc/security/user, which specifies the number of consecutive failed login attempts per account before the account is disabled. Do not set on root. | High Level Security: 3; Medium Level Security: 4; Low Level Security: 5; AIX Standard Settings: No limit | Yes |
| Remote root login | Changes the rlogin attribute of the root account in /etc/security/user, which specifies whether remote login to the root account is allowed on the system. | High Level Security: False; Medium Level Security: False; Low Level Security: No effect; AIX Standard Settings: True | Yes |
| Re-enable login after locking | Sets the loginreenable attribute in /etc/security/login.cfg, which specifies the time interval (in seconds) after which a port is unlocked once it has been disabled by logindisable. | High Level Security: 360; Medium Level Security: 30; Low Level Security: No effect; AIX Standard Settings: No limit | Yes |
| Disable login after unsuccessful login attempts | Sets the logindisable attribute in /etc/security/login.cfg, which specifies the number of unsuccessful login attempts on a port before the port is locked. | High Level Security: 10; Medium Level Security: 10; Low Level Security: No effect; AIX Standard Settings: No limit | Yes |
| Login timeout | Sets the logintimeout attribute in /etc/security/login.cfg, which specifies the time interval allowed for typing in a password. | High Level Security: 30; Medium Level Security: 60; Low Level Security: 60; AIX Standard Settings: 60 | Yes |
| Delay between unsuccessful logins | Sets the logindelay attribute in /etc/security/login.cfg, which specifies the delay (in seconds) between unsuccessful logins. The delay grows by this amount after each failed login. For example, if logindelay is set to 5, the terminal waits five seconds after the first failed login before the next prompt, 10 seconds (2*5) after the second failed login, and 15 seconds (3*5) after the third. | High Level Security: 10; Medium Level Security: 4; Low Level Security: 5; AIX Standard Settings: No limit | Yes |
| Local login | Changes the login attribute of the root account in /etc/security/user, which specifies whether console login to the root account is allowed on the system. | High Level Security: False; Medium Level Security: No effect; Low Level Security: No effect; AIX Standard Settings: True | Yes |
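The following script is an added example and is not part of the IBM documentation. It parses files in the AIX stanza format used by /etc/security/login.cfg and /etc/security/user and reports which attributes deviate from the High Level Security column of the table above. The two input files are constructed samples written to a temporary directory, and the function names get_attr, check and audit_login_policy are this example's own. It treats an unset or 0 value as "no limit", which is an assumption about the AIX defaults. On a live AIX system the same attributes are read with lssec and lsuser and changed with chsec and chuser; this script only reads files, so it runs on any POSIX system with awk.

```shell
#!/bin/sh
# Added example: audit AIX login-policy attributes against the
# AIX Security Expert High Level Security values from the table above.
# Only file parsing is done here, so it runs on any POSIX system; on AIX
# the live values come from lssec/lsuser and are changed with chsec/chuser.

# Constructed sample files standing in for /etc/security/login.cfg and
# /etc/security/user (stanza format: "name:" line, then "attr = value" lines).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/login.cfg" <<'EOF'
default:
        sak_enabled = false
        logintimes =
        logindisable = 10
        logininterval = 60
        loginreenable = 30
        logintimeout = 60
        logindelay = 0
EOF
cat > "$SAMPLE_DIR/user" <<'EOF'
default:
        admin = false
        loginretries = 0
        rlogin = true

root:
        admin = true
        login = true
        rlogin = true
EOF

# get_attr FILE STANZA ATTR: print the value of ATTR in STANZA (empty if absent).
get_attr() {
    awk -v stanza="$2" -v attr="$3" '
        # A line starting in column 1 and ending with ":" opens a new stanza.
        /^[^ \t#].*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == stanza {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1); gsub(/[ \t]/, "", key)
            if (key != attr) next
            val = substr(line, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val; exit
        }' "$1"
}

# check FILE STANZA ATTR EXPECTED: report a deviation on stderr, print 1 or 0.
check() {
    have=$(get_attr "$1" "$2" "$3")
    if [ "$have" = "$4" ]; then
        echo 0
    else
        echo "$(basename "$1"): $2.$3 = ${have:-<unset>} (High Level Security expects $4)" >&2
        echo 1
    fi
}

# audit_login_policy LOGIN_CFG USER_FILE: print the number of attributes
# that deviate from the High Level Security column of the table.
audit_login_policy() {
    cfg=$1; usr=$2; bad=0
    # Port-level controls live in the default stanza of login.cfg.
    for pair in logininterval:300 logindisable:10 loginreenable:360 logintimeout:30 logindelay:10; do
        bad=$((bad + $(check "$cfg" default "${pair%%:*}" "${pair#*:}")))
    done
    # Account-level controls live in /etc/security/user.
    bad=$((bad + $(check "$usr" default loginretries 3)))
    bad=$((bad + $(check "$usr" root rlogin false)))
    bad=$((bad + $(check "$usr" root login false)))
    # The table says loginretries must not be set on root: flag a non-zero
    # root-specific value (assumption: unset or 0 means "no limit").
    rootretries=$(get_attr "$usr" root loginretries)
    if [ -n "$rootretries" ] && [ "$rootretries" != 0 ]; then
        echo "$(basename "$usr"): root.loginretries = $rootretries (should not be set on root)" >&2
        bad=$((bad + 1))
    fi
    echo "$bad"
}

deviations=$(audit_login_policy "$SAMPLE_DIR/login.cfg" "$SAMPLE_DIR/user")
echo "$deviations attribute(s) deviate from High Level Security"
```

Against the constructed samples the script reports seven deviations: logininterval, loginreenable, logintimeout and logindelay in login.cfg, and loginretries, root rlogin and root login in the user file. Pointing get_attr at the real files on an AIX host (read-only) gives a quick drift check between applying a Security Expert level and the next audit.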