Check: AOSX-15-000021
Apple OS X 10.15 (Catalina) STIG:
AOSX-15-000021
(in versions v1 r10 through v1 r1)
Title
The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts. (Cat II impact)
Discussion
Setting a lockout time period of 15 minutes is an effective deterrent against brute forcing that also makes allowances for legitimate mistakes by users. When three invalid logon attempts are made, the account will be locked.
Check Content
Password policy is set with the "Passcode Policy" configuration profile. Run the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep minutesUntilFailedLoginReset

If the return is null or not "minutesUntilFailedLoginReset = 15", this is a finding.
Fix Text
This setting is enforced using the "Passcode Policy" configuration profile or by a directory service.
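The check above can be scripted so it runs the same way on every host and produces a pass/finding verdict. The following is an added example (not part of the STIG text or any DISA tooling): it wraps the STIG's command pipeline in a function that reads the profile output on stdin, so the logic can also be exercised offline with constructed sample output. The assumed output layout (indented key, "= 15", trailing semicolon) is an assumption about the system_profiler format, not something the STIG states.

```shell
#!/bin/sh
# Added example (not STIG text): implements the AOSX-15-000021 check as a
# reusable function so it can be run live on a Catalina host or exercised
# offline with constructed sample output.

# Reads system_profiler output on stdin. Returns 0 (compliant) only when the
# Passcode Policy payload carries exactly "minutesUntilFailedLoginReset = 15";
# returns 1 for a missing key or any other value (both are a finding).
check_lockout_reset() {
    # Assumption: the key appears indented and terminated by ';' in the
    # profile dump; leading whitespace and the terminator are stripped
    # before comparing against the STIG's expected return value.
    value=$(grep 'minutesUntilFailedLoginReset' \
            | sed 's/^[[:space:]]*//; s/[[:space:]]*;*[[:space:]]*$//' \
            | head -n 1)
    [ "$value" = "minutesUntilFailedLoginReset = 15" ]
}

# Maps the function result to the STIG wording for reporting.
# Exit status follows the verdict so the script can gate an audit job.
report_finding() {
    if check_lockout_reset; then
        echo "AOSX-15-000021: not a finding"
        return 0
    else
        echo "AOSX-15-000021: FINDING (minutesUntilFailedLoginReset is null or not 15)"
        return 1
    fi
}

# Constructed sample outputs (not real captures) for offline use.
SAMPLE_COMPLIANT='    Passcode:
        minutesUntilFailedLoginReset = 15;
        maxFailedAttempts = 3;'
SAMPLE_WRONG_VALUE='    Passcode:
        minutesUntilFailedLoginReset = 5;'
SAMPLE_MISSING='    Passcode:
        maxFailedAttempts = 3;'

# Live check on macOS, using the exact command pipeline from the STIG;
# on other systems fall back to the constructed samples for demonstration.
if [ -x /usr/sbin/system_profiler ]; then
    /usr/sbin/system_profiler SPConfigurationProfileDataType | report_finding
else
    printf '%s\n' "$SAMPLE_COMPLIANT" | report_finding
    printf '%s\n' "$SAMPLE_WRONG_VALUE" | report_finding || true
fi
```

Because the comparison is exact, a value of 5 or 30 minutes is reported as a finding just as a missing key is, which matches the STIG's "null or not ... = 15" wording; if an organization adopts a longer lockout period, the expected string is the one place to change.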
Additional Identifiers
Rule ID: SV-225132r853310_rule
Vulnerability ID: V-225132
Group Title: SRG-OS-000329-GPOS-00128
Expert Comments
CCIs
Number | Definition
---|---
CCI-002238 | The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.
Controls
Number | Title
---|---
AC-7 | Unsuccessful Logon Attempts