The operating system must enforce the organization defined time period during which the limit of consecutive invalid access attempts by a user is counted.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-33260	SRG-OS-000249-NA	SV-43679r1_rule		Medium

Description
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. Rationale for non-applicability: Mobile devices are more likely to be lost or stolen, and therefore more likely to be subjected to a slow password attack. Therefore, users will not be permitted to engage in further attempts after a defined time period. Per CCI 1383, if the user cannot successfully authenticate within an organization defined number of attempts, the mobile device is wiped regardless of the time period. In effect, the required time period is infinite.

Description

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. Rationale for non-applicability: Mobile devices are more likely to be lost or stolen, and therefore more likely to be subjected to a slow password attack. Therefore, users will not be permitted to engage in further attempts after a defined time period. Per CCI 1383, if the user cannot successfully authenticate within an organization defined number of attempts, the mobile device is wiped regardless of the time period. In effect, the required time period is infinite.

STIG	Date
Mobile Operating System Security Requirements Guide	2013-07-03

Details

Check Text ( C-41557r1_chk )
This requirement is NA for the Mobile OS SRG.

Fix Text (F-37190r1_fix)
The requirement is NA. No fix is required.