Check: APPL-13-000022
Apple macOS 13 (Ventura) STIG:
APPL-13-000022
(in versions v1 r4 through v1 r1)
Title
The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked. (Cat II impact)
Discussion
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
Check Content
Verify the macOS system is configured to enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "maxFailedAttempts\|minutesUntilFailedLoginReset"

Expected output:

maxFailedAttempts = 3;
minutesUntilFailedLoginReset = 15;

If "maxFailedAttempts" is not set to "3" and "minutesUntilFailedLoginReset" is not set to "15", this is a finding.
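The following POSIX shell script is an added example, not part of the STIG text, showing how an assessor can turn the check above into a repeatable pass/finding decision. It parses the two keys out of saved "system_profiler SPConfigurationProfileDataType" output instead of running the command live, using constructed sample text (the function names, the samples, and the decision to treat either key being missing or wrong as a finding are assumptions of this example; on a real host, pipe the actual command output into the check function).

```shell
#!/bin/sh
# Added example: evaluate APPL-13-000022 against captured profile output.
# The samples below are constructed to resemble the relevant lines of
# "system_profiler SPConfigurationProfileDataType"; they are not real output.
SAMPLE_COMPLIANT='    Passcode Policy:
      maxFailedAttempts = 3;
      minutesUntilFailedLoginReset = 15;'
SAMPLE_WRONG_VALUE='    Passcode Policy:
      maxFailedAttempts = 10;
      minutesUntilFailedLoginReset = 15;'
SAMPLE_MISSING_KEY='    Passcode Policy:
      minutesUntilFailedLoginReset = 15;'

# extract_value KEY: read profile text on stdin and print the integer value
# of the first "KEY = N;" line, or nothing if the key is absent.
extract_value() {
    sed -n "s/^[[:space:]]*$1 = \([0-9][0-9]*\);.*/\1/p" | head -n 1
}

# appl_13_000022: read profile text on stdin; return 0 when both values match
# the STIG requirement (3 attempts, 15 minute reset), 1 otherwise (a finding).
# Assumption: a missing or wrong value for either key counts as a finding.
appl_13_000022() {
    profile_text=$(cat)
    attempts=$(printf '%s\n' "$profile_text" | extract_value maxFailedAttempts)
    reset=$(printf '%s\n' "$profile_text" | extract_value minutesUntilFailedLoginReset)
    [ "$attempts" = "3" ] && [ "$reset" = "15" ]
}

# report LABEL TEXT: print a one-line verdict for a sample (wrapped in "if"
# so a finding does not abort the script under "set -e").
report() {
    if printf '%s\n' "$2" | appl_13_000022; then
        echo "$1: compliant"
    else
        echo "$1: finding"
    fi
}

report compliant "$SAMPLE_COMPLIANT"
report wrong_value "$SAMPLE_WRONG_VALUE"
report missing_key "$SAMPLE_MISSING_KEY"
# On a live host:
#   /usr/sbin/system_profiler SPConfigurationProfileDataType | appl_13_000022
```

The script exits 0 from appl_13_000022 only when both keys are present with the required values, so it can be dropped into a larger assessment runner that tallies findings by return code.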
Fix Text
Configure the macOS system to enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked by installing the "Passcode Policy" configuration profile or by a directory service.
Additional Identifiers
Rule ID: SV-257154r905095_rule
Vulnerability ID: V-257154
Group Title: SRG-OS-000329-GPOS-00128
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002238 | The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. |
Controls
Number | Title |
---|---|
AC-7 | Unsuccessful Logon Attempts |