Check: APPL-14-000060
Apple macOS 14 (Sonoma) STIG:
APPL-14-000060
(in versions v1 r2 through v1 r1)
Title
The macOS system must set account lockout time to 15 minutes. (Cat II impact)
Discussion
The macOS must be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed logon attempts is reached. This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. Satisfies: SRG-OS-000021-GPOS-00005,SRG-OS-000329-GPOS-00128
Check Content
Verify the macOS system is configured to set account lockout time to 15 minutes with the following command: /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="autoEnableInSeconds"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1/60 >= 15 ) {print "yes"} else {print "no"}}' If the result is not "yes", this is a finding.
Fix Text
Configure the macOS system to set account lockout time to 15 minutes by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile or by a directory service.
Additional Identifiers
Rule ID: SV-259440r940942_rule
Vulnerability ID: V-259440
Group Title: SRG-OS-000021-GPOS-00005
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000044 |
The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
| CCI-002238 |
The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. |
Controls
| Number | Title |
|---|---|
| AC-7 |
Unsuccessful Logon Attempts |