This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

The macOS system must limit consecutive failed log on attempts to three.

STIG ID: APPL-14-000022  |  SRG: SRG-OS-000021-GPOS-00005 |  Severity: medium (CAT II)  |  CCI: CCI-000044,CCI-002238 |  Vulnerability Id: V-259428

Vulnerability Discussion

The macOS must be configured to limit the number of failed log on attempts to a maximum of three. When the maximum number of failed attempts is reached, the account must be locked for a period of time after.

This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.

Satisfies: SRG-OS-000021-GPOS-00005,SRG-OS-000329-GPOS-00128

Check

Verify the macOS system is configured to limit consecutive failed log on attempts to three with the following command:

/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMaximumFailedAuthentications"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 <= 3) {print "yes"} else {print "no"}}'

If the result is not "yes", this is a finding.

Fix

Configure the macOS system to limit consecutive failed log on attempts to three by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile or by a directory service.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.