CCI-000044 in U Apple macOS 15 V1R1

ℹ️ The items you can view are limited because you do not have a subscription. Contact us at sales@fusiontsi.com to purchase one.

UNCLASSIFIED
Group Title
SRG-OS-000021-GPOS-00005
Group ID
V-268428
Rule Version
APPL-15-000022
Rule Title
The macOS system must limit consecutive failed login attempts to three.
Rule ID
SV-268428r1034224_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The macOS must be configured to limit the number of failed login attempts to a maximum of three. When the maximum number of failed attempts is reached, the account must be locked for a period of time.

This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.

Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128

Documentable
False
Check Content

Verify the macOS system is configured to limit consecutive failed login attempts to three with the following command:

/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMaximumFailedAuthentications"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 <= 3) {print "yes"} else {print "no"}}'

If the result is not "yes", this is a finding.

Check System
C-72458r1034222_chk
Fix Reference
F-72359r1034223_fix
Fix Text

Configure the macOS system to limit consecutive failed login attempts to three by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile or by a directory service.

Identities
CCI-000044

Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.

  • 800-53 :: AC-7 a
  • 800-53 Rev. 4 :: AC-7 a
  • 800-53 Rev. 5 :: AC-7 a
  • 800-53A :: AC-7.1 (ii)
CCI-002238

Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.

  • 800-53 Rev. 4 :: AC-7 b
  • 800-53 Rev. 5 :: AC-7 b
Group Title
SRG-OS-000021-GPOS-00005
Group ID
V-268440
Rule Version
APPL-15-000060
Rule Title
The macOS system must set account lockout time to 15 minutes.
Rule ID
SV-268440r1034260_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The macOS system must be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed login attempts is reached.

This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.

Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128

Documentable
False
Check Content

Verify the macOS system is configured to set account lockout time to 15 minutes with the following command:

/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="autoEnableInSeconds"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1/60 >= 15 ) {print "yes"} else {print "no"}}'

If the result is not "yes", this is a finding.

Check System
C-72470r1034258_chk
Fix Reference
F-72371r1034259_fix
Fix Text

Configure the macOS system to set account lockout time to 15 minutes by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile or by a directory service.

Identities
CCI-000044

Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.

  • 800-53 :: AC-7 a
  • 800-53 Rev. 4 :: AC-7 a
  • 800-53 Rev. 5 :: AC-7 a
  • 800-53A :: AC-7.1 (ii)
CCI-002238

Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.

  • 800-53 Rev. 4 :: AC-7 b
  • 800-53 Rev. 5 :: AC-7 b
UNCLASSIFIED