800-53|AC-7a.

Title

UNSUCCESSFUL LOGON ATTEMPTS

Description

Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and

Reference Item Details

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.1.1 Set 'Account lockout threshold' to '5 invalid logon attempt(s)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.1.2 Set 'Account lockout duration' to '15 or more minute(s)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.1.3 Set 'Reset account lockout counter after' to '15 minute(s)' | Windows | CIS Windows 8 L1 v1.0.0
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
1.2.6 - /etc/security/user - 'loginretries <= 3' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0
1.3 Configure SSH - Check if MaxAuthTries is set to 3 and not commented for server. | Unix | CIS Solaris 9 v1.3
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
2.20 Set 'Number of attempts allowed' to '10' | Windows | CIS Microsoft Exchange Server 2016 CAS v1.0.0
2.20 Set 'Number of attempts allowed' to '10' | Windows | CIS Microsoft Exchange Server 2013 CAS v1.1.0
3.6.2.11 OpenSSH: Ensure MaxAuthTries is set to 4 or less | Unix | CIS IBM AIX 7.1 L1 v2.0.0
4.002 - Number of allowed bad-logon attempts does not meet minimum requirements. | Windows | DISA Windows Vista STIG v6r41
4.003 - Time before bad-logon counter is reset does not meet minimum requirements. | Windows | DISA Windows Vista STIG v6r41
4.34 init.ora - 'sec_max_failed_login_attempts = 3' | Windows | CIS v1.1.0 Oracle 11g OS Windows Level 1
4.34 init.ora - 'sec_max_failed_login_attempts = 3' | Unix | CIS v1.1.0 Oracle 11g OS L1
5.2.1 Configure account lockout threshold | Unix | CIS Apple OSX 10.9 L1 v1.3.0
5.2.1 Configure account lockout threshold | Unix | CIS Apple OSX 10.10 Yosemite L1 v1.2.0
5.2.1 Configure account lockout threshold | Unix | CIS Apple OSX 10.11 El Capitan L1 v1.1.0
5.2.1 Configure account lockout threshold | Unix | CIS Apple macOS 10.12 L1 v1.2.0
5.2.1 Configure account lockout threshold | Unix | CIS Apple macOS 10.13 L1 v1.1.0
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less | Unix | CIS Amazon Linux v2.1.0 L1
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
5.3.1 Ensure password creation requirements are configured - 'retry=3' | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
5.3.1 Ensure password creation requirements are configured - 'retry=3' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
5.3.2 Ensure lockout for failed password attempts is configured | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
5.3.2 Ensure lockout for failed password attempts is configured | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900' | Unix | CIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth [success=1 default=bad] pam_unix.so' | Unix | CIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900' | Unix | CIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900' | Unix | CIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - system-auth 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900' | Unix | CIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - system-auth 'auth [success=1 default=bad] pam_unix.so' | Unix | CIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - system-auth 'auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900' | Unix | CIS Amazon Linux v2.1.0 L1
5.3.2 Ensure lockout for failed password attempts is configured - system-auth 'auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900' | Unix | CIS Amazon Linux v2.1.0 L1
5.3.7 Ensure lockout for unsuccessful root logon attempts - password-auth default | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
5.3.7 Ensure lockout for unsuccessful root logon attempts - password-auth required | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
5.3.7 Ensure lockout for unsuccessful root logon attempts - system-auth default | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
5.3.7 Ensure lockout for unsuccessful root logon attempts - system-auth required | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
5.4.1 Ensure password creation requirements are configured - retry | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
5.4.1 Ensure password creation requirements are configured - retry | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth deny | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth even_deny_root | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth fail_interval | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth unlock_time | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG