5.2.1 Configure account lockout threshold

Information

The account lockout threshold specifies the amount of times a user can enter an incorrect password before a lockout will occur. The account lockout feature mitigates brute-force password attacks on the system.

Solution

Perform the following to implement the prescribed state for all pwpolicy controls Run the following command in Terminal: sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1" Impact: The number of incorrect log on attempts should be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user log on.

See Also

https://workbench.cisecurity.org/files/299

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7a.

Plugin: Unix

Control ID: 7c8f773fd2a1ba00ef1ea157421857e47fbf4e1665425a155e1c1199ebb88723