A large financial company has run through their annual external security audits. One section of the audit report handles password security. The auditors request to change the system to allow account locking after three failed logins. They found that the account locking feature was already enabled, but the accounts are locked after five failed login attempts. There is a system default for the number of failed login attempts before the account is locked. Which is the correct place to set a new system-wide default?

A.
/etc/system

B.
/etc/user_attr

C.
/etc/default/login

D.
/etc/default/passwd

E.
/etc/security/policy.conf