The operating system must enforce a lockout expiration of 15 minutes after three consecutive invalid logon attempts by a user.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-58469 | AOSX-09-001325 | SV-72899r1_rule | Medium |
| Description |
|---|
| By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. |
| STIG | Date |
|---|---|
| Apple OS X 10.9 (Mavericks) Workstation Security Technical Implementation Guide | 2017-01-05 |
Details
| Check Text ( C-59319r1_chk ) |
|---|
| To check if the password policy is configured to disable an account for 15 minutes in the event 3 unsuccessful login are attempted, run the following command: sudo pwpolicy getglobalpolicy | tr ' ' '\n' | grep 'minutesUntilFailedLoginReset' If the result is not 'minutesUntilFailedLoginReset=15', and password policy is not controlled by a directory server, this is a finding. |
| Fix Text (F-63807r1_fix) |
|---|
| To set the password policy, run the following command: sudo pwpolicy setglobalpolicy 'minutesUntilFailedLoginReset=15' |