The operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-58467 | AOSX-09-001324 | SV-72897r1_rule | Medium |
| Description |
|---|
| Setting a lockout expiration of 15 minutes is an effective deterrent against brute forcing that also makes allowances for legitimate mistakes by users. |
| STIG | Date |
|---|---|
| Apple OS X 10.9 (Mavericks) Workstation Security Technical Implementation Guide | 2017-01-05 |
Details
| Check Text ( C-59313r1_chk ) |
|---|
| To check if the password policy is configured to disable an account after 3 unsuccessful login attempts, run the following command: sudo pwpolicy getglobalpolicy | tr ' ' '\n' | grep 'maxFailedLoginAttempts' If the result is not 'maxFailedLoginAttempts=3' and password policy is not controlled by a directory server, this is a finding. |
| Fix Text (F-63801r1_fix) |
|---|
| To set the password policy, run the following command: sudo pwpolicy setglobalpolicy 'maxFailedLoginAttempts=3' |