Details

The account lockout threshold specifies the amount of times a user can enter an incorrect password before a lockout will occur.

Ensure that a lockout threshold is part of the password policy on the computer

Rationale:

The account lockout feature mitigates brute-force password attacks on the system.

Impact:

The number of incorrect log on attempts should be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user log on.

Solution

Run the following command to set the maximum number of failed login attempts to less than or equal to 5:

$ sudo pwpolicy -a -setaccountpolicies ‘maxFailedLoginAttempts=‘

example:

$ sudo pwpolicy -a firstuser -setglobalpolicy ‘maxFailedLoginAttempts=5’

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3092

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

• 800-53|AC-7a.

Source

• Tenable.com/audits