SRG-OS-000021-GPOS-00005 Controls

| STIG ID | Version | Title | Product |
|---|---|---|---|
| ALMA-09-007500 | V1R2 | AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur. | |
| ALMA-09-007610 | V1R2 | AlmaLinux OS 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| ALMA-09-007720 | V1R2 | AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| ALMA-09-007830 | V1R2 | AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| ALMA-09-007940 | V1R2 | AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| ALMA-09-008050 | V1R2 | AlmaLinux OS 9 must log username information when unsuccessful logon attempts occur. | |
| APPL-14-000022 | V2R3 | The macOS system must limit consecutive failed log on attempts to three. | |
| APPL-14-000060 | V2R3 | The macOS system must set account lockout time to 15 minutes. | |
| APPL-15-000022 | V1R3 | The macOS system must limit consecutive failed login attempts to three. | |
| APPL-15-000060 | V1R3 | The macOS system must set account lockout time to 15 minutes. | |
| OL07-00-010320 | V3R2 | The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe. | |
| OL08-00-020010 | V2R4 | OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur. | |
| OL08-00-020011 | V2R4 | OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur. | |
| OL08-00-020012 | V2R4 | OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020013 | V2R4 | OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020014 | V2R4 | OL 8 systems below version 8.2 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020015 | V2R4 | OL 8 systems, versions 8.2 and above, must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020016 | V2R4 | OL 8 systems below version 8.2 must ensure account lockouts persist. | |
| OL08-00-020017 | V2R4 | OL 8 systems, versions 8.2 and above, must ensure account lockouts persist. | |
| OL08-00-020018 | V2R4 | OL 8 systems below version 8.2 must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| OL08-00-020019 | V2R4 | OL 8 systems, versions 8.2 and above, must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| OL08-00-020020 | V2R4 | OL 8 systems below version 8.2 must log user name information when unsuccessful logon attempts occur. | |
| OL08-00-020021 | V2R4 | OL 8 systems, versions 8.2 and above, must log user name information when unsuccessful logon attempts occur. | |
| OL08-00-020022 | V2R4 | OL 8 systems below version 8.2 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020023 | V2R4 | OL 8 systems, versions 8.2 and above, must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020025 | V2R4 | OL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| OL08-00-020026 | V2R4 | OL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| OL08-00-020027 | V2R4 | OL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. | |
| OL08-00-020028 | V2R4 | OL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory. | |
| OL09-00-003010 | V1R1 | OL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory. | |
| OL09-00-003011 | V1R1 | OL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| OL09-00-003012 | V1R1 | OL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| OL09-00-003022 | V1R1 | OL 9 must log username information when unsuccessful logon attempts occur. | |
| OL09-00-003023 | V1R1 | OL 9 must ensure account lockouts persist. | |
| RHEL-08-020010 | V2R3 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | |
| RHEL-08-020011 | V2R3 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | |
| RHEL-08-020012 | V2R3 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020013 | V2R3 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020014 | V2R3 | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020015 | V2R3 | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020016 | V2R3 | RHEL 8 must ensure account lockouts persist. | |
| RHEL-08-020017 | V2R3 | RHEL 8 must ensure account lockouts persist. | |
| RHEL-08-020018 | V2R3 | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| RHEL-08-020019 | V2R3 | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| RHEL-08-020020 | V2R3 | RHEL 8 must log user name information when unsuccessful logon attempts occur. | |
| RHEL-08-020021 | V2R3 | RHEL 8 must log user name information when unsuccessful logon attempts occur. | |
| RHEL-08-020022 | V2R3 | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020023 | V2R3 | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020025 | V2R3 | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| RHEL-08-020026 | V2R3 | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| RHEL-08-020027 | V2R3 | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. | |
| RHEL-08-020028 | V2R3 | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory. | |
| RHEL-09-411105 | V2R4 | RHEL 9 must ensure account lockouts persist. | |
| RHEL-09-412045 | V2R4 | RHEL 9 must log username information when unsuccessful logon attempts occur. | |
| RHEL-09-431020 | V2R4 | RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory. | |
| RHEL-09-611030 | V2R4 | RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| RHEL-09-611035 | V2R4 | RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| SLES-12-010130 | V3R2 | The SUSE operating system must lock an account after three consecutive invalid access attempts. | |
| SLES-15-020010 | V2R4 | The SUSE operating system must lock an account after three consecutive invalid access attempts. | |
| UBTU-18-010033 | V2R15 | The Ubuntu operating system must be configured so that three consecutive invalid logon attempts by a user automatically locks the account until released by an administrator. | |
| UBTU-22-411045 | V2R4 | Ubuntu 22.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made. | |
| UBTU-24-200610 | V1R1 | Ubuntu 24.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made. | |
| WN10-AC-000010 | V3R4 | The number of allowed bad logon attempts must be configured to 3 or less. | |
| WN10-AC-000015 | V3R4 | The period of time before the bad logon counter is reset must be configured to 15 minutes. | |
| WN11-AC-000010 | V2R3 | The number of allowed bad logon attempts must be configured to three or less. | |
| WN11-AC-000015 | V2R3 | The period of time before the bad logon counter is reset must be configured to 15 minutes. | |
| WN16-AC-000020 | V2R9 | Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less. | |
| WN16-AC-000030 | V2R9 | Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | |
| WN19-AC-000020 | V3R4 | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | |
| WN19-AC-000030 | V3R4 | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | |
| WN22-AC-000020 | V2R4 | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | |
| WN22-AC-000030 | V2R4 | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | |