Capacity
CCI-000044
Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
58
Rule
Severity: Medium
Account Lockouts Must Be Logged
29
Rule
Severity: Medium
Account Lockouts Must Persist
15
Rule
Severity: Medium
Lock Accounts After Failed Password Attempts
12
Rule
Severity: Medium
Configure the root Account for Failed Password Attempts
14
Rule
Severity: Medium
Set Interval For Counting Failed Password Attempts
15
Rule
Severity: Medium
Set Lockout Time for Failed Password Attempts
5
Rule
Severity: Medium
Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File.
5
Rule
Severity: Medium
Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File.
7
Rule
Severity: Medium
An SELinux Context must be configured for the pam_faillock.so records directory
7
Rule
Severity: Medium
Lock Accounts Must Persist
6
Rule
Severity: Medium
Do Not Show System Messages When Unsuccessful Logon Attempts Occur
3
Rule
Severity: Medium
Set Deny For Failed Password Attempts
2
Rule
Severity: Medium
Configure the root Account lock for Failed Password Attempts via pam_tally2
2
Rule
Severity: Medium
Set Lockout Time for Failed Password Attempts using pam_tally2
1
Rule
Severity: Medium
The A10 Networks ADC must enforce the limit of three consecutive invalid logon attempts.
2
Rule
Severity: Medium
AAA Services must be configured to automatically lock user accounts after three consecutive invalid logon attempts within a 15-minute time period.
1
Rule
Severity: Medium
Compliance Guardian must provide automated mechanisms for supporting account management functions.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must be configured to not allow more than 10 consecutive failed authentication attempts.
2
Rule
Severity: Medium
The Arista network device must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.
2
Rule
Severity: High
The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
2
Rule
Severity: Medium
The Central Log Server must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
1
Rule
Severity: Medium
The DBN-6300 must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
1
Rule
Severity: Medium
The FortiGate device must enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.
1
Rule
Severity: Medium
For the local account, CounterACT must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
2
Rule
Severity: Medium
Forescout must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.
2
Rule
Severity: Medium
Google Android 12 must be configured to not allow more than 10 consecutive failed authentication attempts.
6
Rule
Severity: Medium
Google Android 13 must be configured to not allow more than 10 consecutive failed authentication attempts.
1
Rule
Severity: Medium
The HP FlexFabric Switch must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
1
Rule
Severity: Medium
The HYCU VM console must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any logon attempt for 15 minutes.
1
Rule
Severity: Medium
IBM Aspera Console must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.
1
Rule
Severity: Medium
IBM Aspera Faspex must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.
1
Rule
Severity: Medium
IBM Aspera Shares must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.
1
Rule
Severity: Medium
The MQ Appliance network device must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
1
Rule
Severity: Medium
The IBM z/VM JOURNALING LOGON parameter must be set for lockout after 3 attempts for 15 minutes.
1
Rule
Severity: Medium
The CA VM:Secure JOURNAL Facility parameters must be set for lockout after 3 attempts.
1
Rule
Severity: Medium
The Ivanti MobileIron Core server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
1
Rule
Severity: Low
MobileIron Sentry must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.
3
Rule
Severity: Medium
The LockOutRealm must be configured with a login failure count of 3.
2
Rule
Severity: Medium
The Jamf Pro EMM must enforce the limit of three consecutive invalid logon attempts by a user.
2
Rule
Severity: Medium
The Juniper router must be configured to enforce the limit of three consecutive invalid logon attempts after which time lock out the user account from accessing the device for 15 minutes.
2
Rule
Severity: Low
For local accounts created on the device, the Juniper SRX Services Gateway must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
2
Rule
Severity: Medium
The Mainframe Product must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
2
Rule
Severity: Medium
Microsoft Android 11 must be configured to not allow more than 10 consecutive failed authentication attempts.
1
Rule
Severity: Low
Motorola Solutions Android 11 must be configured to not allow more than ten consecutive failed authentication attempts.
6
Rule
Severity: Medium
The network device must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.
2
Rule
Severity: Medium
ONTAP must be configured to enforce the limit of three consecutive failed logon attempts.
1
Rule
Severity: Medium
Nutanix AOS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
1
Rule
Severity: Medium
Oracle WebLogic must limit the number of failed login attempts to an organization-defined number of consecutive invalid attempts that occur within an organization-defined time period.
1
Rule
Severity: Medium
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
2
Rule
Severity: Medium
The Riverbed NetProfiler must enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 30 minutes, at a minimum.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must enforce the limit of three (3) consecutive invalid logon attempts by a user during a 15-minute time period for device console access.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must enforce the limit of three (3) consecutive invalid logon attempts by a user during a 15-minute time period for web-based management access.
13
Rule
Severity: Medium
Samsung Android must be configured to not allow more than 10 consecutive failed authentication attempts.
2
Rule
Severity: Medium
Splunk Enterprise must enforce the limit of 3 consecutive invalid logon attempts by a user during a 15 minute time period.
1
Rule
Severity: Medium
The Samsung SDS EMM must enforce the limit of three consecutive invalid logon attempts by a user.
1
Rule
Severity: Medium
Symantec ProxySG must be configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
2
Rule
Severity: Medium
The TippingPoint SMS must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.
2
Rule
Severity: Medium
The UEM server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
1
Rule
Severity: Medium
The NSX-T Manager must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.
1
Rule
Severity: High
The Workspace ONE UEM must enforce the limit of three consecutive invalid logon attempts by a user.
2
Rule
Severity: Medium
Maximum failed password attempts before disable delay must be set to 3 or less.
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 must be configured to not allow more than 10 consecutive failed authentication attempts.
3
Rule
Severity: Medium
Apple iOS/iPadOS 17 must be configured to not allow more than 10 consecutive failed authentication attempts.
2
Rule
Severity: Medium
The macOS system must limit consecutive failed log on attempts to three.
3
Rule
Severity: Medium
The macOS system must set account lockout time to 15 minutes.
1
Rule
Severity: Medium
The Ubuntu operating system must be configured so that three consecutive invalid logon attempts by a user automatically locks the account until released by an administrator.
2
Rule
Severity: Low
The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.
4
Rule
Severity: Medium
The Cisco router must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.
4
Rule
Severity: Medium
The Cisco switch must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.
2
Rule
Severity: Medium
The Cisco router must be configured to enforce the limit of three consecutive invalid logon attempts after which time lock out the user account from accessing the device for 15 minutes.
2
Rule
Severity: Medium
The Cisco ISE must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.
2
Rule
Severity: Medium
The Cisco switch must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must disconnect the session.
2
Rule
Severity: Medium
The container platform must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
2
Rule
Severity: Medium
The HPE Nimble must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.
5
Rule
Severity: Medium
Google Android 14 must be configured to not allow more than 10 consecutive failed authentication attempts.
2
Rule
Severity: Medium
The operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
2
Rule
Severity: Low
SSMC must enforce the limit of three consecutive invalid logon attempts by a nonadministrative user.
2
Rule
Severity: Medium
AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.
2
Rule
Severity: Medium
The CA-TSS NPWRTHRESH Control Option must be properly set.
4
Rule
Severity: Medium
The CA-TSS NPPTHRESH Control Option must be properly set.
2
Rule
Severity: Medium
The CA-TSS PTHRESH Control Option must be set to 2.
2
Rule
Severity: Medium
The IBM RACF PASSWORD(REVOKE) SETROPTS value must be specified to revoke the userid after three invalid logon attempts.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to enforce the limit of three consecutive invalid logon attempts for any given user, after which time it must block any login attempt for that user for 15 minutes.
2
Rule
Severity: Medium
The ICS must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.
2
Rule
Severity: Medium
Exchange external Receive connectors must be domain secure-enabled.
2
Rule
Severity: Medium
The number of allowed bad logon attempts must be configured to 3 or less.
4
Rule
Severity: Medium
The period of time before the bad logon counter is reset must be configured to 15 minutes.
2
Rule
Severity: Medium
The number of allowed bad logon attempts must be configured to three or less.
2
Rule
Severity: Medium
The required legal notice must be configured to display before console logon.
2
Rule
Severity: Medium
Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less.
2
Rule
Severity: Medium
Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
2
Rule
Severity: Medium
Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less.
2
Rule
Severity: Medium
Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
2
Rule
Severity: Medium
Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less.
2
Rule
Severity: Medium
Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must ensure account lockouts persist.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must ensure account lockouts persist.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must prevent system messages from being presented when three unsuccessful logon attempts occur.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must prevent system messages from being presented when three unsuccessful logon attempts occur.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must log user name information when unsuccessful logon attempts occur.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must log user name information when unsuccessful logon attempts occur.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
OL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
2
Rule
Severity: Medium
OL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.
2
Rule
Severity: High
OpenShift must use FIPS validated LDAP or OpenIDConnect.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.
4
Rule
Severity: Medium
RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
4
Rule
Severity: Medium
RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
4
Rule
Severity: Medium
RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
4
Rule
Severity: Medium
RHEL 8 must ensure account lockouts persist.
4
Rule
Severity: Medium
RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
4
Rule
Severity: Medium
RHEL 8 must log user name information when unsuccessful logon attempts occur.
4
Rule
Severity: Medium
RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
4
Rule
Severity: Medium
The SUSE operating system must lock an account after three consecutive invalid access attempts.
2
Rule
Severity: Medium
RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
2
Rule
Severity: Medium
RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
2
Rule
Severity: Medium
RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
2
Rule
Severity: Medium
RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.
2
Rule
Severity: Medium
RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur.
2
Rule
Severity: Medium
RHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
RHEL 9 must maintain an account lock until the locked account is released by an administrator.
2
Rule
Severity: Medium
RHEL 9 must ensure account lockouts persist.
2
Rule
Severity: Medium
RHEL 9 must log username information when unsuccessful logon attempts occur.
2
Rule
Severity: Medium
RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory.
2
Rule
Severity: Medium
RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
2
Rule
Severity: Medium
RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
4
Rule
Severity: Medium
The system must disable accounts after three consecutive unsuccessful login attempts.
2
Rule
Severity: Medium
Splunk Enterprise must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
2
Rule
Severity: Medium
The VMM must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
1
Rule
Severity: Medium
The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
1
Rule
Severity: Medium
The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.
1
Rule
Severity: Medium
The vCenter Server must enforce the limit of three consecutive invalid login attempts by a user.
3
Rule
Severity: Medium
The Photon operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
3
Rule
Severity: Medium
The Photon operating system must be configured to use the pam_faillock.so module.
3
Rule
Severity: Medium
The Photon operating system must prevent leaking information of the existence of a user account.
3
Rule
Severity: Medium
The Photon operating system must audit logon attempts for unknown users.
3
Rule
Severity: Medium
The Photon operating system must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
3
Rule
Severity: Medium
The Photon operating system must persist lockouts between system reboots.
1
Rule
Severity: Low
Zebra Android 11 must be configured to not allow more than 10 consecutive failed authentication attempts.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
1
Rule
Severity: Medium
The macOS system must limit consecutive failed login attempts to three.
1
Rule
Severity: Low
Ubuntu 22.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.
1
Rule
Severity: Medium
Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for at least 15 minutes.
2
Rule
Severity: Medium
Google Android 15 must be configured to not allow more than 10 consecutive failed authentication attempts.
1
Rule
Severity: Medium
The Ivanti EPMM server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
1
Rule
Severity: Low
Sentry must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.
1
Rule
Severity: Medium
MKE must be configured to integrate with an Enterprise Identity Provider.
1
Rule
Severity: Medium
Microsoft Intune service must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.
1
Rule
Severity: Medium
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
1
Rule
Severity: Medium
SLEM 5 must lock an account after three consecutive invalid access attempts.
2
Rule
Severity: Medium
SLEM 5 must use the default pam_tally2 tally directory.
1
Rule
Severity: Medium
TOSS must enforce the limit of five consecutive invalid logon attempts by a user during a 15-minute time period.
1
Rule
Severity: Medium
The NSX Manager must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must be configured to not allow more than 10 consecutive failed authentication attempts.
1
Rule
Severity: Medium
An SELinux Context must be configured for default pam_tally2 file option
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules