Capacity
CCI-002238
Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.
15
Rule
Severity: Medium
Lock Accounts After Failed Password Attempts
12
Rule
Severity: Medium
Configure the root Account for Failed Password Attempts
14
Rule
Severity: Medium
Set Interval For Counting Failed Password Attempts
15
Rule
Severity: Medium
Set Lockout Time for Failed Password Attempts
7
Rule
Severity: Medium
Lock Accounts Must Persist
6
Rule
Severity: Medium
Do Not Show System Messages When Unsuccessful Logon Attempts Occur
2
Rule
Severity: Medium
Configure the root Account lock for Failed Password Attempts via pam_tally2
2
Rule
Severity: Medium
Set Lockout Time for Failed Password Attempts using pam_tally2
1
Rule
Severity: Medium
The A10 Networks ADC must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
2
Rule
Severity: Medium
AAA Services must be configured to maintain locks on user accounts until released by an administrator.
1
Rule
Severity: Medium
Compliance Guardian must provide automated mechanisms for supporting account management functions.
2
Rule
Severity: Medium
The application administrator must follow an approved process to unlock locked user accounts.
2
Rule
Severity: Medium
The Central Log Server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
1
Rule
Severity: Medium
CounterACT must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
1
Rule
Severity: Medium
The HP FlexFabric Switch must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
1
Rule
Severity: Medium
IBM Aspera Console must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.
1
Rule
Severity: Medium
IBM Aspera Faspex must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.
1
Rule
Severity: Medium
IBM Aspera Shares must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.
1
Rule
Severity: Medium
The Ivanti MobileIron Core server must configured to lock administrator accounts after three unsuccessful login attempts.
1
Rule
Severity: Medium
The Ivanti MobileIron Core server must be configured to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded.
2
Rule
Severity: Medium
The Mainframe Product must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
1
Rule
Severity: Medium
Nutanix AOS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
1
Rule
Severity: Medium
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
2
Rule
Severity: Medium
Tanium must automatically lock accounts and require them be unlocked by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
2
Rule
Severity: Medium
The UEM server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
2
Rule
Severity: Low
A maximum of 60-minute delay must be specified for the password retry after 3 failed attempts to enter your password
4
Rule
Severity: Medium
The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.
2
Rule
Severity: Medium
The macOS system must limit consecutive failed log on attempts to three.
3
Rule
Severity: Medium
The macOS system must set account lockout time to 15 minutes.
1
Rule
Severity: Medium
The Ubuntu operating system must be configured so that three consecutive invalid logon attempts by a user automatically locks the account until released by an administrator.
2
Rule
Severity: Low
The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.
2
Rule
Severity: Medium
The container platform must automatically lock an account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
2
Rule
Severity: Medium
The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
2
Rule
Severity: Medium
AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.
2
Rule
Severity: Medium
The CA-ACF2 PSWD GSO record values for MAXTRY and PASSLMT must be properly set.
1
Rule
Severity: Medium
The IBM RACF PASSWORD(REVOKE) SETROPTS value must be set to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur.
2
Rule
Severity: Medium
The CA-TSS PTHRESH Control Option must be properly set.
2
Rule
Severity: Medium
Windows 10 account lockout duration must be configured to 15 minutes or greater.
2
Rule
Severity: Medium
The period of time before the bad logon counter is reset must be configured to 15 minutes.
2
Rule
Severity: Medium
Windows 11 account lockout duration must be configured to 15 minutes or greater.
2
Rule
Severity: Medium
Windows 2016 account lockout duration must be configured to 15 minutes or greater.
2
Rule
Severity: Medium
Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
2
Rule
Severity: Medium
Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
2
Rule
Severity: Medium
Windows Server 2019 account lockout duration must be configured to 15 minutes or greater.
2
Rule
Severity: Medium
Windows Server 2022 account lockout duration must be configured to 15 minutes or greater.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.
2
Rule
Severity: Medium
The Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must ensure account lockouts persist.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must ensure account lockouts persist.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must prevent system messages from being presented when three unsuccessful logon attempts occur.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must prevent system messages from being presented when three unsuccessful logon attempts occur.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must log user name information when unsuccessful logon attempts occur.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must log user name information when unsuccessful logon attempts occur.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
OL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
2
Rule
Severity: Medium
OL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
2
Rule
Severity: Medium
OL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
2
Rule
Severity: Medium
OL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
2
Rule
Severity: High
OpenShift must use FIPS validated LDAP or OpenIDConnect.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.
2
Rule
Severity: Medium
RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
2
Rule
Severity: Medium
RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.
2
Rule
Severity: Medium
RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur.
2
Rule
Severity: Medium
RHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
2
Rule
Severity: Medium
RHEL 9 must maintain an account lock until the locked account is released by an administrator.
2
Rule
Severity: Medium
The SUSE operating system must lock an account after three consecutive invalid access attempts.
2
Rule
Severity: Medium
Splunk Enterprise must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
2
Rule
Severity: Medium
The VMM must automatically lock an account until the locked account is released by an administrator, when three unsuccessful logon attempts in 15 minutes are made.
4
Rule
Severity: Medium
The ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out.
1
Rule
Severity: Medium
The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.
4
Rule
Severity: Medium
The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.
4
Rule
Severity: Medium
The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.
3
Rule
Severity: Medium
The Photon operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
1
Rule
Severity: Medium
The macOS system must limit consecutive failed login attempts to three.
1
Rule
Severity: Low
Ubuntu 22.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.
1
Rule
Severity: Medium
Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager, when using locally stored user accounts, must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
1
Rule
Severity: Medium
The IBM RACF PASSWORD(REVOKE) SETROPTS value must be specified to revoke the userid after three invalid logon attempts.
1
Rule
Severity: Medium
The Ivanti EPMM server must configured to lock administrator accounts after three unsuccessful login attempts.
1
Rule
Severity: Medium
The Ivanti EPMM server must be configured to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded.
1
Rule
Severity: Medium
MKE must be configured to integrate with an Enterprise Identity Provider.
1
Rule
Severity: Medium
Microsoft Intune service must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.
1
Rule
Severity: Medium
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
1
Rule
Severity: Medium
SLEM 5 must lock an account after three consecutive invalid access attempts.
1
Rule
Severity: Medium
TOSS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules