CCI|CCI-002238

Title

Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.

Reference Item Details

Category: 2024

Audit Items

View all Reference Audit Items

NamePluginAudit Name
4.003 - Time before bad-logon counter is reset does not meet minimum requirements.WindowsDISA Windows Vista STIG v6r41
4.004 - Lockout duration does not meet minimum requirements.WindowsDISA Windows Vista STIG v6r41
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth denyUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth even_deny_rootUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth fail_intervalUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth unlock_timeUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - system-auth denyUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - system-auth even_deny_rootUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - system-auth fail_intervalUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - system-auth unlock_timeUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.13 Ensure lockout for unsuccessful root logon attemptsUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.13 Ensure lockout for unsuccessful root logon attempts - password-auth defaultUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.13 Ensure lockout for unsuccessful root logon attempts - system-auth defaultUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.13 Ensure lockout for unsuccessful root logon attempts - system-auth requiredUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
AIX7-00-001003 - AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.UnixDISA STIG AIX 7.x v2r9
AOSX-13-001324 - The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.UnixDISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-001327 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.UnixDISA STIG Apple Mac OSX 10.13 v2r5
AOSX-14-000021 - The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.UnixDISA STIG Apple Mac OSX 10.14 v2r6
AOSX-14-000022 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.UnixDISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-000021 - The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.UnixDISA STIG Apple Mac OSX 10.15 v1r10
AOSX-15-000022 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.UnixDISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-000022 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked - maxFailedAttemptsUnixDISA STIG Apple macOS 11 v1r8
APPL-11-000022 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked - maxFailedAttemptsUnixDISA STIG Apple macOS 11 v1r5
APPL-11-000022 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked - minutesUntilFailedLoginResetUnixDISA STIG Apple macOS 11 v1r8
APPL-11-000022 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked - minutesUntilFailedLoginResetUnixDISA STIG Apple macOS 11 v1r5
APPL-12-000022 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.UnixDISA STIG Apple macOS 12 v1r9
APPL-13-000022 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.UnixDISA STIG Apple macOS 13 v1r4
APPL-14-000022 - The macOS system must limit consecutive failed log on attempts to three.UnixDISA Apple macOS 14 (Sonoma) STIG v2r1
APPL-14-000060 - The macOS system must set account lockout time to 15 minutes.UnixDISA Apple macOS 14 (Sonoma) STIG v2r1
APPL-15-000022 - The macOS system must limit consecutive failed login attempts to three.UnixDISA Apple macOS 15 (Sequoia) STIG v1r1
APPL-15-000060 - The macOS system must set account lockout time to 15 minutes.UnixDISA Apple macOS 15 (Sequoia) STIG v1r1
Big Sur - Limit Consecutive Failed Login Attempts to ThreeUnixNIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Limit Consecutive Failed Login Attempts to ThreeUnixNIST macOS Big Sur v1.4.0 - 800-171
Big Sur - Limit Consecutive Failed Login Attempts to ThreeUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Limit Consecutive Failed Login Attempts to ThreeUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Limit Consecutive Failed Login Attempts to ThreeUnixNIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Limit Consecutive Failed Login Attempts to ThreeUnixNIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Limit Consecutive Failed Login Attempts to ThreeUnixNIST macOS Big Sur v1.4.0 - 800-53r4 Low
Big Sur - Limit Consecutive Failed Login Attempts to ThreeUnixNIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Limit Consecutive Failed Login Attempts to ThreeUnixNIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Set Account Lockout Time to 15 MinutesUnixNIST macOS Big Sur v1.4.0 - 800-53r4 Low
Big Sur - Set Account Lockout Time to 15 MinutesUnixNIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Set Account Lockout Time to 15 MinutesUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Set Account Lockout Time to 15 MinutesUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Set Account Lockout Time to 15 MinutesUnixNIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Set Account Lockout Time to 15 MinutesUnixNIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Set Account Lockout Time to 15 MinutesUnixNIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Set Account Lockout Time to 15 MinutesUnixNIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Set Account Lockout Time to 15 MinutesUnixNIST macOS Big Sur v1.4.0 - 800-171
Catalina - Limit Consecutive Failed Login Attempts to ThreeUnixNIST macOS Catalina v1.5.0 - 800-53r4 Moderate