800-53|AC-7a.

Title

UNSUCCESSFUL LOGON ATTEMPTS

Description

Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and

Reference Item Details

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.1.1 Set 'Account lockout threshold' to '5 invalid logon attempt(s)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.1.2 Set 'Account lockout duration' to '15 or more minute(s)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.1.3 Set 'Reset account lockout counter after' to '15 minute(s)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 1.2.6 - /etc/security/user - 'loginretries <= 3' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0 |
| 1.3 Configure SSH - Check if MaxAuthTries is set to 3 and not commented for server. | Unix | CIS Solaris 9 v1.3 |
| 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 |
| 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 |
| 2.20 Set 'Number of attempts allowed' to '10' | Windows | CIS Microsoft Exchange Server 2016 CAS v1.0.0 |
| 2.20 Set 'Number of attempts allowed' to '10' | Windows | CIS Microsoft Exchange Server 2013 CAS v1.1.0 |
| 3.2.7 /etc/security/user - loginretries | Unix | CIS IBM AIX 7.1 L1 v1.1.0 |
| 4.002 - Number of allowed bad-logon attempts does not meet minimum requirements. | Windows | DISA Windows Vista STIG v6r41 |
| 4.2.13 Configuring SSH - set MaxAuthTries to 4 or Less | Unix | CIS IBM AIX 7.1 L1 v1.1.0 |
| 4.003 - Time before bad-logon counter is reset does not meet minimum requirements. | Windows | DISA Windows Vista STIG v6r41 |
| 4.34 init.ora - 'sec_max_failed_login_attempts = 3' | Windows | CIS v1.1.0 Oracle 11g OS Windows Level 1 |
| 4.34 init.ora - 'sec_max_failed_login_attempts = 3' | Unix | CIS v1.1.0 Oracle 11g OS L1 |
| 5.2.1 Configure account lockout threshold | Unix | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 |
| 5.2.1 Configure account lockout threshold | Unix | CIS Apple OSX 10.9 L1 v1.3.0 |
| 5.2.1 Configure account lockout threshold | Unix | CIS Apple OSX 10.11 El Capitan L1 v1.1.0 |
| 5.2.1 Configure account lockout threshold | Unix | CIS Apple macOS 10.12 L1 v1.2.0 |
| 5.2.1 Configure account lockout threshold | Unix | CIS Apple macOS 10.13 L1 v1.1.0 |
| 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less | Unix | CIS Amazon Linux v2.1.0 L1 |
| 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0 |
| 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less | Unix | CIS SUSE Linux Enterprise Server 11 L1 v2.1.0 |
| 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0 |
| 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less | Unix | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.0 |
| 5.3.1 Ensure password creation requirements are configured - 'retry=3' | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0 |
| 5.3.1 Ensure password creation requirements are configured - 'retry=3' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0 |
| 5.3.1 Ensure password creation requirements are configured - password-auth retry=3 | Unix | CIS Amazon Linux v2.1.0 L1 |
| 5.3.1 Ensure password creation requirements are configured - password-auth try_first_pass | Unix | CIS Amazon Linux v2.1.0 L1 |
| 5.3.1 Ensure password creation requirements are configured - retry | Unix | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.0 |
| 5.3.1 Ensure password creation requirements are configured - retry | Unix | CIS SUSE Linux Enterprise Server 11 L1 v2.1.0 |
| 5.3.1 Ensure password creation requirements are configured - system-auth retry=3 | Unix | CIS Amazon Linux v2.1.0 L1 |
| 5.3.2 Ensure lockout for failed password attempts is configured | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0 |
| 5.3.2 Ensure lockout for failed password attempts is configured | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0 |
| 5.3.2 Ensure lockout for failed password attempts is configured - account required | Unix | CIS SUSE Linux Enterprise Server 11 L1 v2.1.0 |
| 5.3.2 Ensure lockout for failed password attempts is configured - account required | Unix | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.0 |
| 5.3.2 Ensure lockout for failed password attempts is configured - auth required | Unix | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.0 |
| 5.3.2 Ensure lockout for failed password attempts is configured - auth required | Unix | CIS SUSE Linux Enterprise Server 11 L1 v2.1.0 |
| 5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900' | Unix | CIS Amazon Linux v2.1.0 L1 |
| 5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth [success=1 default=bad] pam_unix.so' | Unix | CIS Amazon Linux v2.1.0 L1 |
| 5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900' | Unix | CIS Amazon Linux v2.1.0 L1 |
| 5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900' | Unix | CIS Amazon Linux v2.1.0 L1 |
| 5.3.2 Ensure lockout for failed password attempts is configured - system-auth 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900' | Unix | CIS Amazon Linux v2.1.0 L1 |
| 5.3.2 Ensure lockout for failed password attempts is configured - system-auth 'auth [success=1 default=bad] pam_unix.so' | Unix | CIS Amazon Linux v2.1.0 L1 |