CCI-000044 in U Apple macOS 14 V2R2

ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.

UNCLASSIFIED
Group Title
SRG-OS-000021-GPOS-00005
Group ID
V-259428
Rule Version
APPL-14-000022
Rule Title
The macOS system must limit consecutive failed log on attempts to three.
Rule ID
SV-259428r958388_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The macOS must be configured to limit the number of failed log on attempts to a maximum of three. When the maximum number of failed attempts is reached, the account must be locked for a period of time after.

This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.

Satisfies: SRG-OS-000021-GPOS-00005,SRG-OS-000329-GPOS-00128

Documentable
False
Check Content

Verify the macOS system is configured to limit consecutive failed log on attempts to three with the following command:

/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMaximumFailedAuthentications"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 <= 3) {print "yes"} else {print "no"}}'

If the result is not "yes", this is a finding.

Check System
C-63167r940904_chk
Fix Reference
F-63075r940905_fix
Fix Text

Configure the macOS system to limit consecutive failed log on attempts to three by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile or by a directory service.

Identities
CCI-000044

Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.

  • 800-53 :: AC-7 a
  • 800-53 Rev. 4 :: AC-7 a
  • 800-53 Rev. 5 :: AC-7 a
  • 800-53A :: AC-7.1 (ii)
CCI-002238

Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.

  • 800-53 Rev. 4 :: AC-7 b
  • 800-53 Rev. 5 :: AC-7 b
Group Title
SRG-OS-000021-GPOS-00005
Group ID
V-259440
Rule Version
APPL-14-000060
Rule Title
The macOS system must set account lockout time to 15 minutes.
Rule ID
SV-259440r958388_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The macOS must be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed logon attempts is reached.

This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.

Satisfies: SRG-OS-000021-GPOS-00005,SRG-OS-000329-GPOS-00128

Documentable
False
Check Content

Verify the macOS system is configured to set account lockout time to 15 minutes with the following command:

/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="autoEnableInSeconds"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1/60 >= 15 ) {print "yes"} else {print "no"}}'

If the result is not "yes", this is a finding.

Check System
C-63179r940940_chk
Fix Reference
F-63087r940941_fix
Fix Text

Configure the macOS system to set account lockout time to 15 minutes by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile or by a directory service.

Identities
CCI-000044

Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.

  • 800-53 :: AC-7 a
  • 800-53 Rev. 4 :: AC-7 a
  • 800-53 Rev. 5 :: AC-7 a
  • 800-53A :: AC-7.1 (ii)
CCI-002238

Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.

  • 800-53 Rev. 4 :: AC-7 b
  • 800-53 Rev. 5 :: AC-7 b
UNCLASSIFIED