CCI|CCI-002238

Title

The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.

Reference Item Details

Category: 2013

Audit Items

View all Reference Audit Items

NamePluginAudit Name
4.003 - The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 7.WindowsDISA Windows 7 STIG v1r32
4.003 - The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2008 R2.WindowsDISA Windows Server 2008 R2 DC STIG v1r34
4.003 - The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2008 R2.WindowsDISA Windows Server 2008 R2 MS STIG v1r33
4.003 - The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2008.WindowsDISA Windows Server 2008 MS STIG v6r46
4.003 - The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2008.WindowsDISA Windows Server 2008 DC STIG v6r47
4.003 - Time before bad-logon counter is reset does not meet minimum requirements.WindowsDISA Windows Vista STIG v6r41
4.004 - Lockout duration does not meet minimum requirements.WindowsDISA Windows Vista STIG v6r41
4.004 - Windows 7 account lockout duration must be configured to 15 minutes or greater.WindowsDISA Windows 7 STIG v1r32
4.004 - Windows 2008 account lockout duration must be configured to 15 minutes or greater.WindowsDISA Windows Server 2008 DC STIG v6r47
4.004 - Windows 2008 account lockout duration must be configured to 15 minutes or greater.WindowsDISA Windows Server 2008 MS STIG v6r46
4.004 - Windows 2008 R2 account lockout duration must be configured to 15 minutes or greater.WindowsDISA Windows Server 2008 R2 DC STIG v1r34
4.004 - Windows 2008 R2 account lockout duration must be configured to 15 minutes or greater.WindowsDISA Windows Server 2008 R2 MS STIG v1r33
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth denyUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth even_deny_rootUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth fail_intervalUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - password-auth unlock_timeUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - system-auth denyUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - system-auth even_deny_rootUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - system-auth fail_intervalUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.12 Ensure accounts lock for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe - system-auth unlock_timeUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.13 Ensure lockout for unsuccessful root logon attemptsUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.13 Ensure lockout for unsuccessful root logon attempts - password-auth defaultUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.13 Ensure lockout for unsuccessful root logon attempts - system-auth defaultUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.13 Ensure lockout for unsuccessful root logon attempts - system-auth requiredUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
AIX7-00-001003 - AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.UnixDISA STIG AIX 7.x v2r6
AIX7-00-001003 - AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.UnixDISA STIG AIX 7.x v2r5
AIX7-00-001003 - AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.UnixDISA STIG AIX 7.x v2r9
AIX7-00-001003 - AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.UnixDISA STIG AIX 7.x v2r8
AIX7-00-001003 - AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.UnixDISA STIG AIX 7.x v2r3
AIX7-00-001003 - AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.UnixDISA STIG AIX 7.x v2r1
AOSX-09-001324 - System must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.UnixDISA STIG Apple Mac OSX 10.9 v1r2
AOSX-09-001326 - System must automatically lock the account until it is released by an administrator - 'minutesUntilFailedLoginReset'UnixDISA STIG Apple Mac OSX 10.9 v1r2
AOSX-09-001326 - System must automatically lock the account until the account is released by an administrator - 'maxFailedLoginAttempts'UnixDISA STIG Apple Mac OSX 10.9 v1r2
AOSX-10-001324 - System must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.UnixDISA STIG Apple Mac OSX 10.10 v1r5
AOSX-10-001326 - System must automatically lock the account until it is released by an administrator - 'minutesUntilFailedLoginReset'UnixDISA STIG Apple Mac OSX 10.10 v1r5
AOSX-10-001326 - System must automatically lock the account until the account is released by an administrator - 'maxFailedLoginAttempts'UnixDISA STIG Apple Mac OSX 10.10 v1r5
AOSX-11-001324 - The system must enforce an account lockout of 15 mins. in which three consecutive invalid logon attempts by a user are madeUnixDISA STIG Apple Mac OSX 10.11 v1r6
AOSX-11-001326 - The system must lock the account until the locked account is released by an administrator - maxFailedAttemptsUnixDISA STIG Apple Mac OSX 10.11 v1r6
AOSX-11-001326 - The system must lock the account until the locked account is released by an administrator - minutesUntilFailedLoginResetUnixDISA STIG Apple Mac OSX 10.11 v1r6
AOSX-12-001324 - The OS X system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.UnixDISA STIG Apple Mac OSX 10.12 v1r6
AOSX-12-001326 - The OS X system must automatically lock the account when three unsuccessful logon attempts in 15 minutes are exceeded.UnixDISA STIG Apple Mac OSX 10.12 v1r6
AOSX-13-001324 - The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.UnixDISA STIG Apple Mac OSX 10.13 v2r1
AOSX-13-001324 - The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.UnixDISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-001324 - The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.UnixDISA STIG Apple Mac OSX 10.13 v2r3
AOSX-13-001327 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.UnixDISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-001327 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.UnixDISA STIG Apple Mac OSX 10.13 v2r1
AOSX-13-001327 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.UnixDISA STIG Apple Mac OSX 10.13 v2r3
AOSX-14-000021 - The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.UnixDISA STIG Apple Mac OSX 10.14 v2r5
AOSX-14-000021 - The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.UnixDISA STIG Apple Mac OSX 10.14 v2r4
AOSX-14-000021 - The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.UnixDISA STIG Apple Mac OSX 10.14 v2r1