SRG-OS-000021-GPOS-00005 Controls

| STIG ID | Version | Title | Product |
| --- | --- | --- | --- |
| RHEL-08-020010 | V1R6 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | |
| RHEL-08-020011 | V1R6 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | |
| RHEL-08-020012 | V1R6 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020013 | V1R6 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020014 | V1R6 | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020015 | V1R6 | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020016 | V1R6 | RHEL 8 must ensure account lockouts persist. | |
| RHEL-08-020017 | V1R6 | RHEL 8 must ensure account lockouts persist. | |
| RHEL-08-020018 | V1R6 | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| RHEL-08-020019 | V1R6 | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| RHEL-08-020020 | V1R6 | RHEL 8 must log user name information when unsuccessful logon attempts occur. | |
| RHEL-08-020021 | V1R6 | RHEL 8 must log user name information when unsuccessful logon attempts occur. | |
| RHEL-08-020022 | V1R6 | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020023 | V1R6 | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020025 | V1R6 | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| RHEL-08-020026 | V1R6 | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| RHEL-08-020027 | V1R6 | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. | |
| RHEL-08-020028 | V1R6 | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory. | |
| SLES-15-020010 | V1R4 | The SUSE operating system must lock an account after three consecutive invalid access attempts. | |
| WN19-AC-000020 | V3R1 | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | |
| WN19-AC-000030 | V3R1 | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | |
| UBTU-18-010033 | V2R12 | The Ubuntu operating system must be configured so that three consecutive invalid logon attempts by a user automatically locks the account until released by an administrator. | |
| APPL-14-000022 | V1R1 | The macOS system must limit consecutive failed log on attempts to three. | |
| APPL-14-000060 | V1R1 | The macOS system must set account lockout time to 15 minutes. | |
| OL07-00-010320 | V3R1 | The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe. | |
| SLES-12-010130 | V3R1 | The SUSE operating system must lock an account after three consecutive invalid access attempts. | |
| APPL-15-000022 | V1R1 | The macOS system must limit consecutive failed login attempts to three. | |
| APPL-15-000060 | V1R1 | The macOS system must set account lockout time to 15 minutes. | |
| ALMA-09-007500 | V1R1 | AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur. | |
| ALMA-09-007610 | V1R1 | AlmaLinux OS 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| ALMA-09-007720 | V1R1 | AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| ALMA-09-007830 | V1R1 | AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| ALMA-09-007940 | V1R1 | AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| ALMA-09-008050 | V1R1 | AlmaLinux OS 9 must log username information when unsuccessful logon attempts occur. | |
| OL08-00-020010 | V1R6 | OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur. | |
| OL08-00-020011 | V1R6 | OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur. | |
| OL08-00-020012 | V1R6 | OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020013 | V1R6 | OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020014 | V1R6 | OL 8 systems below version 8.2 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020015 | V1R6 | OL 8 systems, versions 8.2 and above, must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020016 | V1R6 | OL 8 systems below version 8.2 must ensure account lockouts persist. | |
| OL08-00-020017 | V1R6 | OL 8 systems, versions 8.2 and above, must ensure account lockouts persist. | |
| OL08-00-020018 | V1R6 | OL 8 systems below version 8.2 must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| OL08-00-020019 | V1R6 | OL 8 systems, versions 8.2 and above, must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| OL08-00-020020 | V1R6 | OL 8 systems below version 8.2 must log user name information when unsuccessful logon attempts occur. | |
| OL08-00-020021 | V1R6 | OL 8 systems, versions 8.2 and above, must log user name information when unsuccessful logon attempts occur. | |
| OL08-00-020022 | V1R6 | OL 8 systems below version 8.2 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020023 | V1R6 | OL 8 systems, versions 8.2 and above, must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020025 | V1R6 | OL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| OL08-00-020026 | V1R6 | OL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| OL08-00-020027 | V1R6 | OL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. | |
| OL08-00-020028 | V1R6 | OL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory. | |
| OL09-00-003010 | V1R1 | OL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory. | |
| OL09-00-003011 | V1R1 | OL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| OL09-00-003012 | V1R1 | OL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| OL09-00-003022 | V1R1 | OL 9 must log username information when unsuccessful logon attempts occur. | |
| OL09-00-003023 | V1R1 | OL 9 must ensure account lockouts persist. | |
| UBTU-24-200610 | V1R1 | Ubuntu 24.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made. | |
| UBTU-22-411045 | V1R1 | Ubuntu 22.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made. | |
| WN11-AC-000010 | V1R6 | The number of allowed bad logon attempts must be configured to three or less. | |
| WN11-AC-000015 | V1R6 | The period of time before the bad logon counter is reset must be configured to 15 minutes. | |
| RHEL-09-411105 | V2R5 | RHEL 9 must ensure account lockouts persist. | |
| RHEL-09-412045 | V2R5 | RHEL 9 must log username information when unsuccessful logon attempts occur. | |
| RHEL-09-431020 | V2R5 | RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory. | |
| RHEL-09-611030 | V2R5 | RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| RHEL-09-611035 | V2R5 | RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| WN10-AC-000010 | V3R1 | The number of allowed bad logon attempts must be configured to 3 or less. | |
| WN10-AC-000015 | V3R1 | The period of time before the bad logon counter is reset must be configured to 15 minutes. | |
| WN16-AC-000020 | V2R9 | Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less. | |
| WN16-AC-000030 | V2R9 | Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | |
| WN22-AC-000020 | V2R5 | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | |
| WN22-AC-000030 | V2R5 | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | |