CCI-002238

Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.

21 rules found Severity: Medium

15 rules found Severity: Medium

18 rules found Severity: Medium

21 rules found Severity: Medium

7 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

3 rules found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: High

CCI-002238

Lock Accounts After Failed Password Attempts

Configure the root Account for Failed Password Attempts

Set Interval For Counting Failed Password Attempts

Set Lockout Time for Failed Password Attempts

Do Not Show System Messages When Unsuccessful Logon Attempts Occur

Lock Accounts Must Persist

Configure the root Account lock for Failed Password Attempts via pam_tally2

Set Lockout Time for Failed Password Attempts using pam_tally2

The A10 Networks ADC must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.

Compliance Guardian must provide automated mechanisms for supporting account management functions.

CounterACT must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.

The HP FlexFabric Switch must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.

IBM Aspera Console must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.

IBM Aspera Faspex must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.

IBM Aspera Shares must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.

The Ivanti MobileIron Core server must configured to lock administrator accounts after three unsuccessful login attempts.

The Ivanti MobileIron Core server must be configured to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded.

Nutanix AOS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

Riverbed Optimization System (RiOS) must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.

Tanium must automatically lock accounts and require them be unlocked by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.

The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.

The Ubuntu operating system must be configured so that three consecutive invalid logon attempts by a user automatically locks the account until released by an administrator.

The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.

The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.

The BIG-IP appliance must be configured to automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.

The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.

The Enterprise Voice, Video, and Messaging Session Manager, when using locally stored user accounts, must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.

AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.

A maximum of 60-minute delay must be specified for the password retry after 3 failed attempts to enter your password

The Ivanti EPMM server must configured to lock administrator accounts after three unsuccessful login attempts.

The Ivanti EPMM server must be configured to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded.

MKE must be configured to integrate with an Enterprise Identity Provider.

Microsoft Intune service must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.

Windows 11 account lockout duration must be configured to 15 minutes or greater.

Windows 2016 account lockout duration must be configured to 15 minutes or greater.

Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.

The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.

The Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.

SLEM 5 must lock an account after three consecutive invalid access attempts.

Splunk Enterprise must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.

TOSS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.

NixOS must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.

AAA Services must be configured to maintain locks on user accounts until released by an administrator.

The macOS system must limit consecutive failed login attempts to three.

The macOS system must limit consecutive failed log on attempts to three.

The macOS system must set account lockout time to 15 minutes.

The application administrator must follow an approved process to unlock locked user accounts.

Ubuntu 22.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.

The Central Log Server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.

AlmaLinux OS 9 must maintain an account lock until the locked account is manually released by an administrator; and not automatically after a set time.

AlmaLinux OS 9 must ensure account locks persist across reboots.

AlmaLinux OS 9 must configure the appropriate SELinux context on the nondefault faillock tally directory.

The container platform must automatically lock an account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.

Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.

The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.

The CA-ACF2 PSWD GSO record values for MAXTRY and PASSLMT must be properly set.

The IBM RACF PASSWORD(REVOKE) SETROPTS value must be specified to revoke the userid after three invalid logon attempts.

The CA-TSS PTHRESH Control Option must be set to 2.

The Mainframe Product must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.

Windows 10 account lockout duration must be configured to 15 minutes or greater.

The period of time before the bad logon counter is reset must be configured to 15 minutes.

Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.

Windows Server 2019 account lockout duration must be configured to 15 minutes or greater.

Windows Server 2022 account lockout duration must be configured to 15 minutes or greater.

Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.

OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur.

OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur.

OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.

OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.

OL 8 systems below version 8.2 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.

OL 8 systems, versions 8.2 and above, must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.

OL 8 systems below version 8.2 must ensure account lockouts persist.

OL 8 systems, versions 8.2 and above, must ensure account lockouts persist.

OL 8 systems below version 8.2 must prevent system messages from being presented when three unsuccessful logon attempts occur.

OL 8 systems, versions 8.2 and above, must prevent system messages from being presented when three unsuccessful logon attempts occur.

OL 8 systems below version 8.2 must log user name information when unsuccessful logon attempts occur.

OL 8 systems, versions 8.2 and above, must log user name information when unsuccessful logon attempts occur.

OL 8 systems below version 8.2 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.

OL 8 systems, versions 8.2 and above, must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.