SRG-OS-000021-GPOS-00005 Controls

| STIG ID | Version | Title | Product |
|---|---|---|---|
| APPL-14-000022 | V2R2 | The macOS system must limit consecutive failed log on attempts to three. | |
| APPL-14-000060 | V2R2 | The macOS system must set account lockout time to 15 minutes. | |
| OL07-00-010320 | V3R1 | The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe. | |
| OL08-00-020010 | V2R2 | OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur. | |
| OL08-00-020011 | V2R2 | OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur. | |
| OL08-00-020012 | V2R2 | OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020013 | V2R2 | OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020014 | V2R2 | OL 8 systems below version 8.2 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020015 | V2R2 | OL 8 systems, versions 8.2 and above, must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020016 | V2R2 | OL 8 systems below version 8.2 must ensure account lockouts persist. | |
| OL08-00-020017 | V2R2 | OL 8 systems, versions 8.2 and above, must ensure account lockouts persist. | |
| OL08-00-020018 | V2R2 | OL 8 systems below version 8.2 must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| OL08-00-020019 | V2R2 | OL 8 systems, versions 8.2 and above, must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| OL08-00-020020 | V2R2 | OL 8 systems below version 8.2 must log user name information when unsuccessful logon attempts occur. | |
| OL08-00-020021 | V2R2 | OL 8 systems, versions 8.2 and above, must log user name information when unsuccessful logon attempts occur. | |
| OL08-00-020022 | V2R2 | OL 8 systems below version 8.2 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020023 | V2R2 | OL 8 systems, versions 8.2 and above, must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020025 | V2R2 | OL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| OL08-00-020026 | V2R2 | OL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| OL08-00-020027 | V2R2 | OL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. | |
| OL08-00-020028 | V2R2 | OL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory. | |
| RHEL-08-020010 | V2R1 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | |
| RHEL-08-020011 | V2R1 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | |
| RHEL-08-020012 | V2R1 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020013 | V2R1 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020014 | V2R1 | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020015 | V2R1 | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020016 | V2R1 | RHEL 8 must ensure account lockouts persist. | |
| RHEL-08-020017 | V2R1 | RHEL 8 must ensure account lockouts persist. | |
| RHEL-08-020018 | V2R1 | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| RHEL-08-020019 | V2R1 | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| RHEL-08-020020 | V2R1 | RHEL 8 must log user name information when unsuccessful logon attempts occur. | |
| RHEL-08-020021 | V2R1 | RHEL 8 must log user name information when unsuccessful logon attempts occur. | |
| RHEL-08-020022 | V2R1 | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020023 | V2R1 | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020025 | V2R1 | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| RHEL-08-020026 | V2R1 | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| RHEL-08-020027 | V2R1 | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. | |
| RHEL-08-020028 | V2R1 | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory. | |
| RHEL-09-411105 | V2R2 | RHEL 9 must ensure account lockouts persist. | |
| RHEL-09-412045 | V2R2 | RHEL 9 must log username information when unsuccessful logon attempts occur. | |
| RHEL-09-431020 | V2R2 | RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory. | |
| RHEL-09-611030 | V2R2 | RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| RHEL-09-611035 | V2R2 | RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| SLES-12-010130 | V3R1 | The SUSE operating system must lock an account after three consecutive invalid access attempts. | |
| SLES-15-020010 | V2R2 | The SUSE operating system must lock an account after three consecutive invalid access attempts. | |
| UBTU-18-010033 | V2R15 | The Ubuntu operating system must be configured so that three consecutive invalid logon attempts by a user automatically locks the account until released by an administrator. | |
| UBTU-22-411045 | V2R2 | Ubuntu 22.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made. | |
| WN10-AC-000010 | V3R2 | The number of allowed bad logon attempts must be configured to 3 or less. | |
| WN10-AC-000015 | V3R2 | The period of time before the bad logon counter is reset must be configured to 15 minutes. | |
| WN11-AC-000010 | V2R2 | The number of allowed bad logon attempts must be configured to three or less. | |
| WN11-AC-000015 | V2R2 | The period of time before the bad logon counter is reset must be configured to 15 minutes. | |
| WN16-AC-000020 | V2R9 | Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less. | |
| WN16-AC-000030 | V2R9 | Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | |
| WN19-AC-000020 | V3R2 | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | |
| WN19-AC-000030 | V3R2 | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | |
| WN22-AC-000020 | V2R2 | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | |
| WN22-AC-000030 | V2R2 | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | |