The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-225132 | AOSX-15-000021 | SV-225132r610901_rule | Medium |
| Description |
|---|
| Setting a lockout time period of 15 minutes is an effective deterrent against brute forcing that also makes allowances for legitimate mistakes by users. When three invalid logon attempts are made, the account will be locked. |
| STIG | Date |
|---|---|
| Apple OS X 10.15 (Catalina) Security Technical Implementation Guide | 2022-06-06 |
Details
| Check Text ( C-26831r467564_chk ) |
|---|
| Password policy is set with the Passcode Policy configuration profile. /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep minutesUntilFailedLoginReset If the return is null or not “minutesUntilFailedLoginReset = 15”, this is a finding. |
| Fix Text (F-26819r467565_fix) |
|---|
| This setting is enforced using the "Passcode Policy" configuration profile or by a directory service. |