800-53|AC-7a.

Title

UNSUCCESSFUL LOGON ATTEMPTS

Description

Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and

Reference Item Details

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.1.1 Set 'Account lockout threshold' to '5 invalid logon attempt(s)'WindowsCIS Windows 8 L1 v1.0.0
1.1.1.2 Set 'Account lockout duration' to '15 or more minute(s)'WindowsCIS Windows 8 L1 v1.0.0
1.1.1.3 Set 'Reset account lockout counter after' to '15 minute(s)'WindowsCIS Windows 8 L1 v1.0.0
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
1.2.6 - /etc/security/user - 'loginretries <= 3'UnixCIS AIX 5.3/6.1 L1 v1.1.0
1.3 Configure SSH - Check if MaxAuthTries is set to 3 and not commented for server.UnixCIS Solaris 9 v1.3
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed AttemptsPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed AttemptsPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
2.20 Set 'Number of attempts allowed' to '10'WindowsCIS Microsoft Exchange Server 2013 CAS v1.1.0
2.20 Set 'Number of attempts allowed' to '10'WindowsCIS Microsoft Exchange Server 2016 CAS v1.0.0
3.6.1.11 OpenSSH: Ensure MaxAuthTries is set to 4 or lessUnixCIS IBM AIX 7.1 L1 v2.1.0
4.002 - Number of allowed bad-logon attempts does not meet minimum requirements.WindowsDISA Windows Vista STIG v6r41
4.003 - Time before bad-logon counter is reset does not meet minimum requirements.WindowsDISA Windows Vista STIG v6r41
4.4.1.2 Ensure latest version of authselect is installedUnixCIS Rocky Linux 8 Server L1 v2.0.0
4.4.1.2 Ensure latest version of authselect is installedUnixCIS Oracle Linux 8 Server L1 v3.0.0
4.4.1.2 Ensure latest version of authselect is installedUnixCIS Oracle Linux 8 Workstation L1 v3.0.0
4.4.1.2 Ensure latest version of authselect is installedUnixCIS AlmaLinux OS 8 Server L1 v3.0.0
4.4.1.2 Ensure latest version of authselect is installedUnixCIS Red Hat EL8 Server L1 v3.0.0
4.4.1.2 Ensure latest version of authselect is installedUnixCIS Red Hat EL8 Workstation L1 v3.0.0
4.4.1.2 Ensure latest version of authselect is installedUnixCIS AlmaLinux OS 8 Workstation L1 v3.0.0
4.4.1.2 Ensure latest version of authselect is installedUnixCIS Rocky Linux 8 Workstation L1 v2.0.0
4.4.2.1.1 Ensure pam_faillock module is enabledUnixCIS Amazon Linux 2 v3.0.0 L1
4.4.2.1.1 Ensure pam_faillock module is enabledUnixCIS Oracle Linux 7 v4.0.0 L1 Server
4.4.2.1.1 Ensure pam_faillock module is enabledUnixCIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation
4.4.2.1.1 Ensure pam_faillock module is enabledUnixCIS Oracle Linux 7 v4.0.0 L1 Workstation
4.4.2.1.1 Ensure pam_faillock module is enabledUnixCIS CentOS Linux 7 v4.0.0 L1 Server
4.4.2.1.1 Ensure pam_faillock module is enabledUnixCIS CentOS Linux 7 v4.0.0 L1 Workstation
4.4.2.1.1 Ensure pam_faillock module is enabledUnixCIS Red Hat Enterprise Linux 7 v4.0.0 L1 Server
4.34 init.ora - 'sec_max_failed_login_attempts = 3'WindowsCIS v1.1.0 Oracle 11g OS Windows Level 1
4.34 init.ora - 'sec_max_failed_login_attempts = 3'UnixCIS v1.1.0 Oracle 11g OS L1
5.2.1 Configure account lockout thresholdUnixCIS Apple macOS 10.12 L1 v1.2.0
5.2.1 Configure account lockout thresholdUnixCIS Apple OSX 10.10 Yosemite L1 v1.2.0
5.2.1 Configure account lockout thresholdUnixCIS Apple macOS 10.13 L1 v1.1.0
5.2.1 Configure account lockout thresholdUnixCIS Apple OSX 10.9 L1 v1.3.0
5.2.1 Configure account lockout thresholdUnixCIS Apple OSX 10.11 El Capitan L1 v1.1.0
5.2.5 Ensure SSH MaxAuthTries is set to 4 or lessUnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
5.2.5 Ensure SSH MaxAuthTries is set to 4 or lessUnixCIS Amazon Linux v2.1.0 L1
5.2.5 Ensure SSH MaxAuthTries is set to 4 or lessUnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
5.3.1 Ensure password creation requirements are configured - 'retry=3'UnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
5.3.1 Ensure password creation requirements are configured - 'retry=3'UnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
5.3.2 Ensure lockout for failed password attempts is configuredUnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
5.3.2 Ensure lockout for failed password attempts is configuredUnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900'UnixCIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth [success=1 default=bad] pam_unix.so'UnixCIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900'UnixCIS Amazon Linux v2.1.0 L1