Check: APPL-11-000022
Apple macOS 11 (Big Sur) STIG:
APPL-11-000022
(in versions v1 r8 through v1 r1)
Title
The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked. (Cat II impact)
Discussion
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
Check Content
Password policy is set with the Passcode Policy configuration profile. Run:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep 'maxFailedAttempts\|minutesUntilFailedLoginReset'

If "maxFailedAttempts" is not set to "3" and "minutesUntilFailedLoginReset" is not set to "15", this is a finding.
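The check above can be scripted so that the two profile values are parsed and compared instead of eyeballed. The following is an added example, not part of the STIG text; it assumes the profile settings appear in system_profiler output as "key = value;" lines (constructed sample input is embedded so it runs without a Mac), and it reports a finding when either value is missing or differs from the required setting.

```bash
#!/bin/bash
# Added example: evaluate APPL-11-000022 against system_profiler output.

# Constructed sample lines in the assumed "key = value;" layout of
# `system_profiler SPConfigurationProfileDataType` output.
SAMPLE_COMPLIANT='            maxFailedAttempts = 3;
            minutesUntilFailedLoginReset = 15;'
SAMPLE_FINDING='            maxFailedAttempts = 5;'

# Print the value of key $1 from profile text on stdin (first match wins;
# empty output means the key is absent).
profile_value() {
  grep -E "^[[:space:]]*$1[[:space:]]*=" \
    | sed -E 's/^[^=]*=[[:space:]]*//; s/[;[:space:]]*$//' \
    | head -n 1
}

# $1 = profile text. Returns 0 (not a finding) only when both values match
# the STIG requirement; returns 1 and describes the gap otherwise.
check_appl_11_000022() {
  local attempts reset
  attempts=$(printf '%s\n' "$1" | profile_value maxFailedAttempts)
  reset=$(printf '%s\n' "$1" | profile_value minutesUntilFailedLoginReset)
  if [ "$attempts" = "3" ] && [ "$reset" = "15" ]; then
    echo "not a finding: maxFailedAttempts=$attempts minutesUntilFailedLoginReset=$reset"
    return 0
  fi
  echo "FINDING: maxFailedAttempts='${attempts:-unset}' minutesUntilFailedLoginReset='${reset:-unset}'"
  return 1
}

# Live use on a managed Mac (uncomment):
# check_appl_11_000022 "$(/usr/sbin/system_profiler SPConfigurationProfileDataType)"
```

If several profiles carry a Passcode Policy payload, the first match is used; confirm which profile actually applies before closing the finding.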
Fix Text
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory service.
Additional Identifiers
Rule ID: SV-230756r855674_rule
Vulnerability ID: V-230756
Group Title: SRG-OS-000329-GPOS-00128
CCIs
Number | Definition
---|---
CCI-002238 | The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.
Controls
Number | Title
---|---
AC-7 | Unsuccessful Logon Attempts