Check: APPL-14-000022
Apple macOS 14 (Sonoma) STIG:
APPL-14-000022
(in versions v1 r2 through v1 r1)
Title
The macOS system must limit consecutive failed log on attempts to three. (Cat II impact)
Discussion
The macOS must be configured to limit the number of failed log on attempts to a maximum of three. When the maximum number of failed attempts is reached, the account must be locked for a period of time after. This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. Satisfies: SRG-OS-000021-GPOS-00005,SRG-OS-000329-GPOS-00128
Check Content
Verify the macOS system is configured to limit consecutive failed log on attempts to three with the following command: /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMaximumFailedAuthentications"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 <= 3) {print "yes"} else {print "no"}}' If the result is not "yes", this is a finding.
Fix Text
Configure the macOS system to limit consecutive failed log on attempts to three by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile or by a directory service.
Additional Identifiers
Rule ID: SV-259428r940906_rule
Vulnerability ID: V-259428
Group Title: SRG-OS-000021-GPOS-00005
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000044 |
The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
| CCI-002238 |
The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. |
Controls
| Number | Title |
|---|---|
| AC-7 |
Unsuccessful Logon Attempts |