'TCAT-AS-001040 - LockOutRealms lockOutTime attribute must be set to 600 seconds (10 minutes) for admin users.' (Vuln ID: V-222982)


Article ID: 224403

Products

CA Spectrum DX NetOps

Issue/Introduction

STIG Finding:

From the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

sudo nano $CATALINA_BASE/conf/server.xml

Locate or add the LockOutRealm element and set lockOutTime="600".

EXAMPLE:
      <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="600">
...
</Realm>

A LockOutRealm adds the ability to specify a lockout time that prevents further attempts after multiple failed logins. Setting the lockOutTime attribute to 600 locks out a user account for 10 minutes. Further authentication failures during the lockout time reset the lockout timer to zero, effectively extending the lockout. Valid authentication attempts during the lockout period do not succeed, but they also do not reset the lockout timer.
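The following Python example is added here to tie the check and the behaviour together; it is not part of the STIG text or the Broadcom article. It parses a server.xml fragment for the LockOutRealm lockOutTime attribute (the check an assessor performs for this rule) and then models the lockout semantics described above with a five-failure, 600-second policy. The XML fragments, the user name and the timestamps are constructed for illustration. The model follows the text: the lock record is cleared only by a successful login after the lockout has expired, so the timer is measured from the most recent failure.

```python
"""Added example for TCAT-AS-001040 (not part of the STIG or the Broadcom
article): check a server.xml for the LockOutRealm lockOutTime setting, then
model the lockout semantics the article describes. The XML fragments are
constructed for illustration, not taken from a real deployment."""
import xml.etree.ElementTree as ET

LOCKOUT_REALM = "org.apache.catalina.realm.LockOutRealm"
REQUIRED_LOCKOUT_TIME = 600  # seconds (10 minutes), as the rule requires

# Constructed server.xml fragments. The first keeps Tomcat's 300-second
# default and fails the rule; the second is the corrected configuration.
NONCOMPLIANT_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="300">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>
    </Engine>
  </Service>
</Server>"""
COMPLIANT_XML = NONCOMPLIANT_XML.replace('lockOutTime="300"', 'lockOutTime="600"')


def check_lockout_time(xml_text, required=REQUIRED_LOCKOUT_TIME):
    """Return (compliant, findings) for one server.xml document.

    An absent attribute is a finding too: Tomcat falls back to its own
    default (300 seconds) rather than to the value the rule requires."""
    root = ET.fromstring(xml_text)
    realms = [r for r in root.iter("Realm") if r.get("className") == LOCKOUT_REALM]
    if not realms:
        return False, ["no LockOutRealm element configured"]
    findings = []
    for realm in realms:
        value = realm.get("lockOutTime")
        if value is None:
            findings.append("lockOutTime attribute missing (Tomcat default is 300)")
        elif int(value) != required:
            findings.append(f"lockOutTime={value}, rule requires {required}")
    return not findings, findings


class LockoutPolicy:
    """Model of the lockout behaviour described for LockOutRealm.

    - After `failure_count` consecutive failures a user is locked for
      `lockout_time` seconds, measured from the most recent failure.
    - A further failure while locked moves that timestamp forward, which
      extends the lockout.
    - A valid credential while locked is rejected and leaves the timer alone.
    The lock record is cleared only by a successful login once the
    lockout has expired.
    """

    def __init__(self, failure_count=5, lockout_time=REQUIRED_LOCKOUT_TIME):
        self.failure_count = failure_count
        self.lockout_time = lockout_time
        self.failures = {}      # user -> consecutive failure count
        self.last_failure = {}  # user -> time (seconds) of the latest failure

    def is_locked(self, user, now):
        return (self.failures.get(user, 0) >= self.failure_count
                and now - self.last_failure[user] < self.lockout_time)

    def authenticate(self, user, credential_valid, now):
        """Return True only when access is granted; `now` is in seconds."""
        if self.is_locked(user, now):
            if not credential_valid:
                self.last_failure[user] = now  # failure while locked: timer restarts
            return False
        if credential_valid:
            self.failures.pop(user, None)
            self.last_failure.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        self.last_failure[user] = now
        return False


def demo(lockout_time=REQUIRED_LOCKOUT_TIME):
    """Walk one constructed account through the sequence the article describes."""
    policy = LockoutPolicy(failure_count=5, lockout_time=lockout_time)
    for t in range(5):                      # five bad passwords at t=0..4
        policy.authenticate("admin", False, now=t)
    return {
        "locked_after_five": policy.is_locked("admin", now=5),
        # correct password while locked: rejected, timer not reset
        "valid_during_lockout": policy.authenticate("admin", True, now=100),
        # wrong password while locked: rejected, timer restarts at t=200
        "failure_during_lockout": policy.authenticate("admin", False, now=200),
        # without the failure at t=200 the lock would have ended at t=604
        "still_locked_at_700": policy.is_locked("admin", now=700),
        # lock ends at t=800 (200 + 600); a valid login now clears the record
        "granted_at_800": policy.authenticate("admin", True, now=800),
    }


if __name__ == "__main__":
    for label, xml in (("before", NONCOMPLIANT_XML), ("after", COMPLIANT_XML)):
        print(label, check_lockout_time(xml))
    print(demo())
```

Run against a real $CATALINA_BASE/conf/server.xml, check_lockout_time reports a missing LockOutRealm, a missing attribute (which silently leaves Tomcat's 300-second default in place) or a value other than 600 as separate findings, so the same function serves as both the pre-change check and the post-change verification.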

LockOutRealm is an implementation of the Tomcat Realm interface that extends the CombinedRealm to provide user lockout functionality if there are too many failed authentication attempts in a given period of time. A LockOutRealm is created by wrapping it around a standard realm, such as a JNDI Directory Realm, which connects Tomcat to an LDAP directory.

A Catalina container (Engine, Host, or Context) may contain no more than one Realm element (although this one Realm may itself contain multiple nested Realms). In addition, the Realm associated with an Engine or a Host is automatically inherited by lower-level containers unless the lower level container explicitly defines its own Realm. If no Realm is configured for the Engine, an instance of the Null Realm will be configured for the Engine automatically.


Environment

Release : 21.2


Resolution

This has been implemented in NetOps 21.2.1+ (which is a GA release).

The slight difference between the 21.2.1 implementation and the STIG rule is that Spectrum performs the authentication, not Tomcat. The lockout was therefore implemented in a 'SpectrumLockOutRealm', and its settings are in $SPECROOT/tomcat/webapps/spectrum/META-INF/context.xml, whereas the STIG references LockOutRealms in server.xml.

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/21-2/release-information/features-and-enhancements.html

From the current release, you can lock out a user after five (default) consecutive failed attempts to log in to the application using the DX NetOps Spectrum login page. After the fifth consecutive failed attempt, you cannot log in for the next 600 seconds (ten minutes).

Further login attempts during the lockout period extend the lockout period. A successful attempt during the lockout period does not grant you access, but it does not extend the lockout period either.
