Use this procedure to lock regular user accounts after a certain number of failed login attempts.
Before You Begin
Do not set this protection system-wide on a system that you use for administrative activities. Rather, monitor the administrative system for unusual use and keep it available for administrators.
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
Choose the scope of the attribute value.
This protection applies to any user who attempts to use the system.
# pfedit /etc/security/policy.conf
...
#LOCK_AFTER_RETRIES=NO
LOCK_AFTER_RETRIES=YES
...
This protection applies only to the user for whom you run this command. If you have many users, this is not a scalable solution.
# usermod -K lock_after_retries=yes username
This protection applies to any user or system where you assign this rights profile.
# profiles -p shared-profile -S ldap
shared-profile: set lock_after_retries=yes
...
For more information on creating rights profiles, see Creating Rights Profiles and Authorizations in Securing Users and Processes in Oracle Solaris 11.2.
If you have many users that share a rights profile, setting this value in a rights profile can be a scalable solution.
# usermod -P shared-profile username
You can also assign the profile per system in the policy.conf file.
# pfedit /etc/security/policy.conf
...
#PROFS_GRANTED=Basic Solaris User
PROFS_GRANTED=shared-profile,Basic Solaris User
Choose the scope of the attribute value.
# pfedit /etc/default/login
...
#RETRIES=5
RETRIES=3
...
# usermod -K lock_after_retries=3 username
Follow the steps in Step 4 and to create a rights profile that includes lock_after_retries=3.
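A check for the system-wide scope, as an added example that is not part of the Oracle procedure: it reads the effective LOCK_AFTER_RETRIES and RETRIES values from the two files edited above, ignoring the commented-out defaults. The function names are hypothetical, the sample files are constructed, and per-user and rights-profile settings are not examined.

```shell
#!/bin/sh
# Added example: report the system-wide lockout policy from the two files
# edited in this procedure. Function names are hypothetical.

# Print the last uncommented KEY=value in FILE, or DEFAULT if none is set.
effective_value() {
    [ -r "$2" ] || { printf '%s\n' "$3"; return 0; }
    ev_val=$(awk -F= -v k="$1" '
        /^[ \t]*#/ { next }                      # commented-out default
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; sub(/[ \t\r]+$/, "", v); found = 1 }
        END { if (found) print v }' "$2")
    printf '%s\n' "${ev_val:-$3}"
}

# Returns 0 only when lockout is on and the threshold is numeric.
lockout_status() {
    policy=${1:-/etc/security/policy.conf}
    login=${2:-/etc/default/login}
    # Defaults are the commented-out values the page shows: NO and 5.
    lock=$(effective_value LOCK_AFTER_RETRIES "$policy" NO)
    retries=$(effective_value RETRIES "$login" 5)
    if [ "$lock" != YES ]; then      # assumption: only the literal YES enables it
        echo "system-wide lockout disabled (LOCK_AFTER_RETRIES=$lock)"
        return 1
    fi
    case $retries in
        ''|*[!0-9]*) echo "non-numeric RETRIES=$retries"; return 1 ;;
    esac
    echo "system-wide lockout after $retries failed attempts"
}

# Constructed sample files mirroring the edits shown above.
demo=$(mktemp -d)
printf '%s\n' '#LOCK_AFTER_RETRIES=NO' 'LOCK_AFTER_RETRIES=YES' > "$demo/policy.conf"
printf '%s\n' '#RETRIES=5' 'RETRIES=3' > "$demo/login"
lockout_status "$demo/policy.conf" "$demo/login"
rm -rf "$demo"
```

Called with no arguments, lockout_status reads /etc/security/policy.conf and /etc/default/login on the system itself.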
See also
For a discussion of user and role security attributes, see Chapter 8, Reference for Oracle Solaris Rights, in Securing Users and Processes in Oracle Solaris 11.2.
Selected man pages include policy.conf(4), profiles(1), user_attr(4), and usermod(1M).