Theme

800-53|AC-7a.

Title

UNSUCCESSFUL LOGON ATTEMPTS

Description

Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.1.1 Set 'Account lockout threshold' to '5 invalid logon attempt(s)'	Windows	CIS Windows 8 L1 v1.0.0
1.1.1.2 Set 'Account lockout duration' to '15 or more minute(s)'	Windows	CIS Windows 8 L1 v1.0.0
1.1.1.3 Set 'Reset account lockout counter after' to '15 minute(s)'	Windows	CIS Windows 8 L1 v1.0.0
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
1.2.6 - /etc/security/user - 'loginretries <= 3'	Unix	CIS AIX 5.3/6.1 L1 v1.1.0
1.3 Configure SSH - Check if MaxAuthTries is set to 3 and not commented for server.	Unix	CIS Solaris 9 v1.3
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
2.20 Set 'Number of attempts allowed' to '10'	Windows	CIS Microsoft Exchange Server 2016 CAS v1.0.0
2.20 Set 'Number of attempts allowed' to '10'	Windows	CIS Microsoft Exchange Server 2013 CAS v1.1.0
3.6.2.11 OpenSSH: Ensure MaxAuthTries is set to 4 or less	Unix	CIS IBM AIX 7.1 L1 v2.0.0
4.002 - Number of allowed bad-logon attempts does not meet minimum requirements.	Windows	DISA Windows Vista STIG v6r41
4.003 - Time before bad-logon counter is reset does not meet minimum requirements.	Windows	DISA Windows Vista STIG v6r41
4.34 init.ora - 'sec_max_failed_login_attempts = 3'	Windows	CIS v1.1.0 Oracle 11g OS Windows Level 1
4.34 init.ora - 'sec_max_failed_login_attempts = 3'	Unix	CIS v1.1.0 Oracle 11g OS L1
5.2.1 Configure account lockout threshold	Unix	CIS Apple OSX 10.9 L1 v1.3.0
5.2.1 Configure account lockout threshold	Unix	CIS Apple OSX 10.10 Yosemite L1 v1.2.0
5.2.1 Configure account lockout threshold	Unix	CIS Apple OSX 10.11 El Capitan L1 v1.1.0
5.2.1 Configure account lockout threshold	Unix	CIS Apple macOS 10.12 L1 v1.2.0
5.2.1 Configure account lockout threshold	Unix	CIS Apple macOS 10.13 L1 v1.1.0
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less	Unix	CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less	Unix	CIS Amazon Linux v2.1.0 L1
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less	Unix	CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
5.3.1 Ensure password creation requirements are configured - 'retry=3'	Unix	CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
5.3.1 Ensure password creation requirements are configured - 'retry=3'	Unix	CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
5.3.2 Ensure lockout for failed password attempts is configured	Unix	CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
5.3.2 Ensure lockout for failed password attempts is configured	Unix	CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900'	Unix	CIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth [success=1 default=bad] pam_unix.so'	Unix	CIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900'	Unix	CIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900'	Unix	CIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - system-auth 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900'	Unix	CIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - system-auth 'auth [success=1 default=bad] pam_unix.so'	Unix	CIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - system-auth 'auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900'	Unix	CIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - system-auth 'auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900'	Unix	CIS Amazon Linux v2.1.0 L1
5.3.7 Ensure lockout for unsuccessful root logon attempts - password-auth default	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
5.3.7 Ensure lockout for unsuccessful root logon attempts - password-auth required	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
5.3.7 Ensure lockout for unsuccessful root logon attempts - system-auth default	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
5.3.7 Ensure lockout for unsuccessful root logon attempts - system-auth required	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
5.4.1 Ensure password creation requirements are configured - retry	Unix	CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
5.4.1 Ensure password creation requirements are configured - retry	Unix	CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth deny	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth even_deny_root	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth fail_interval	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth unlock_time	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG