Check: APPL-15-000060
Apple macOS 15 (Sequoia) STIG:
APPL-15-000060
(in version v1 r5)
Title
The macOS system must set account lockout time to 15 minutes. (Cat II impact)
Discussion
The macOS system must be configured to enforce a lockout time of at least 15 minutes when the maximum number of failed login attempts is reached. This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
Check Content
Verify the macOS system is configured to set account lockout time to 15 minutes with the following command: /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="autoEnableInSeconds"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1/60 >= 15 ) {print "yes"} else {print "no"}}' | /usr/bin/uniq If the result is not "yes", this is a finding.
Fix Text
Configure the macOS system to set account lockout time to 15 minutes by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile.
Additional Identifiers
Rule ID: SV-268440r1131197_rule
Vulnerability ID: V-268440
Group Title: SRG-OS-000021-GPOS-00005
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000044 |
Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
| CCI-002238 |
Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. |
Controls
| Number | Title |
|---|---|
| AC-7 |
Unsuccessful Logon Attempts |