5.2.1 Configure account lockout threshold

Information

The account lockout threshold specifies the amount of times a user can enter an incorrect password before a lockout will occur.

Ensure that a lockout threshold is part of the password policy on the computer

Rationale:

The account lockout feature mitigates brute-force password attacks on the system.

Impact:

The number of incorrect log on attempts should be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user log on.

Solution

Run the following command to set the maximum number of failed login attempts to less than or equal to 5:

$ sudo pwpolicy -a <administratoraccount> -setaccountpolicies 'maxFailedLoginAttempts=<value<=5>'

example:

$ sudo pwpolicy -a firstuser -setglobalpolicy 'maxFailedLoginAttempts=5'

See Also

https://workbench.cisecurity.org/files/3092

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7a.

Plugin: Unix

Control ID: 0544ca8d1bd0b008768b3c7372db7149dafaa7b7b70acc8250dfcef5bafc3614