CSCv6|16.7

Title

Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.

Description

Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.

Reference Item Details

Category: Account Monitoring and Control

Family: Application

Audit Items

Name | Plugin | Audit Name
1.1.1.1 Set 'Account lockout threshold' to '5 invalid logon attempt(s)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.1.2 Set 'Account lockout duration' to '15 or more minute(s)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.1.3 Set 'Reset account lockout counter after' to '15 minute(s)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.2.31 Set 'Audit Policy: Logon-Logoff: Account Lockout' to 'No Auditing' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.6.1 Set 'Interactive logon: Machine account lockout threshold' to 10 or fewer invalid logon attempts | Windows | CIS Windows 8 L1 v1.0.0
1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
1.2.6 - /etc/security/user - 'loginretries <= 3' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0
1.3 Configure SSH - Check if MaxAuthTries is set to 3 and not commented for server. | Unix | CIS Solaris 9 v1.3
1.4.1.1 Ensure 'aaa local authentication max failed attempts' is set to less than or equal to '3' | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.4.1.1 Ensure 'aaa local authentication max failed attempts' is set to less than or equal to '3' | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.0.0
1.4.1.1 Ensure 'aaa local authentication max failed attempts' is set to less than or equal to '3' | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
2.2.10 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less | OracleDB | CIS Oracle Server 18c DB Unified Auditing v1.1.0
2.2.10 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less | OracleDB | CIS Oracle Server 18c DB Traditional Auditing v1.1.0
2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less | OracleDB | CIS Oracle Server 12c DB Traditional Auditing v3.0.0
2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less | OracleDB | CIS Oracle Server 12c DB Unified Auditing v3.0.0
2.4.5 Ensure 'Maximum number of failed attempts' is set to '6' | MDM | MobileIron - CIS Apple iOS 14 and iPadOS 14 v1.0.0 End User Owned L1
2.4.5 Ensure 'Maximum number of failed attempts' is set to '6' | MDM | MobileIron - CIS Apple iOS 13 and iPadOS 13 v1.0.0 End User Owned L1
2.4.5 Ensure 'Maximum number of failed attempts' is set to '6' | MDM | AirWatch - CIS Apple iOS 12 v1.0.0 End User Owned L1
2.4.5 Ensure 'Maximum number of failed attempts' is set to '6' | MDM | AirWatch - CIS Apple iOS 11 v1.0.0 End User Owned L1
2.4.5 Ensure 'Maximum number of failed attempts' is set to '6' | MDM | AirWatch - CIS Apple iOS 10 v2.0.0 End User Owned L1
2.4.5 Ensure 'Maximum number of failed attempts' is set to '6' | MDM | MobileIron - CIS Apple iOS 10 v2.0.0 End User Owned L1
2.4.5 Ensure 'Maximum number of failed attempts' is set to '6' | MDM | AirWatch - CIS Apple iOS 14 and iPadOS 14 v1.0.0 End User Owned L1
2.4.5 Ensure 'Maximum number of failed attempts' is set to '6' | MDM | MobileIron - CIS Apple iOS 12 v1.0.0 End User Owned L1
2.4.5 Ensure 'Maximum number of failed attempts' is set to '6' | MDM | AirWatch - CIS Apple iOS 13 and iPadOS 13 v1.0.0 End User Owned L1
2.4.5 Ensure 'Maximum number of failed attempts' is set to '6' | MDM | MobileIron - CIS Apple iOS 11 v1.0.0 End User Owned L1
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' | OracleDB | CIS Oracle Server 12c DB Unified Auditing v3.0.0
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' | OracleDB | CIS Oracle Server 12c DB Traditional Auditing v3.0.0
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' | OracleDB | CIS Oracle Server 18c DB Traditional Auditing v1.1.0
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' | OracleDB | CIS Oracle Server 18c DB Unified Auditing v1.1.0
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' | OracleDB | CIS Oracle Server 18c DB Unified Auditing v1.1.0
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' | OracleDB | CIS Oracle Server 12c DB Traditional Auditing v3.0.0
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' | OracleDB | CIS Oracle Server 18c DB Traditional Auditing v1.1.0
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' | OracleDB | CIS Oracle Server 12c DB Unified Auditing v3.0.0
17.5.1 (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.5.1 Ensure 'Audit Account Lockout' is set to include 'Failure' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
17.5.1 Ensure 'Audit Account Lockout' is set to include 'Failure' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0