SRG-OS-000021-GPOS-00005 Controls

| STIG ID | Version | Title | Product |
| --- | --- | --- | --- |
| ALMA-09-007500 | V1R1 | AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur. | |
| ALMA-09-007610 | V1R1 | AlmaLinux OS 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| ALMA-09-007720 | V1R1 | AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| ALMA-09-007830 | V1R1 | AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| ALMA-09-007940 | V1R1 | AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| ALMA-09-008050 | V1R1 | AlmaLinux OS 9 must log username information when unsuccessful logon attempts occur. | |
| UBTU-18-010033 | V2R15 | The Ubuntu operating system must be configured so that three consecutive invalid logon attempts by a user automatically locks the account until released by an administrator. | |
| UBTU-24-200610 | V1R1 | Ubuntu 24.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made. | |
| WN22-AC-000020 | V2R1 | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | |
| WN22-AC-000030 | V2R1 | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | |
| WN10-AC-000010 | V2R8 | The number of allowed bad logon attempts must be configured to 3 or less. | |
| WN10-AC-000015 | V2R8 | The period of time before the bad logon counter is reset must be configured to 15 minutes. | |
| APPL-15-000022 | V1R1 | The macOS system must limit consecutive failed login attempts to three. | |
| APPL-15-000060 | V1R1 | The macOS system must set account lockout time to 15 minutes. | |
| APPL-14-000022 | V2R1 | The macOS system must limit consecutive failed log on attempts to three. | |
| APPL-14-000060 | V2R1 | The macOS system must set account lockout time to 15 minutes. | |
| WN11-AC-000010 | V2R1 | The number of allowed bad logon attempts must be configured to three or less. | |
| WN11-AC-000015 | V2R1 | The period of time before the bad logon counter is reset must be configured to 15 minutes. | |
| UBTU-22-411045 | V2R1 | Ubuntu 22.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made. | |
| RHEL-08-020010 | V1R9 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | |
| RHEL-08-020011 | V1R9 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | |
| RHEL-08-020012 | V1R9 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020013 | V1R9 | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020014 | V1R9 | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020015 | V1R9 | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020016 | V1R9 | RHEL 8 must ensure account lockouts persist. | |
| RHEL-08-020017 | V1R9 | RHEL 8 must ensure account lockouts persist. | |
| RHEL-08-020018 | V1R9 | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| RHEL-08-020019 | V1R9 | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| RHEL-08-020020 | V1R9 | RHEL 8 must log user name information when unsuccessful logon attempts occur. | |
| RHEL-08-020021 | V1R9 | RHEL 8 must log user name information when unsuccessful logon attempts occur. | |
| RHEL-08-020022 | V1R9 | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020023 | V1R9 | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| RHEL-08-020025 | V1R9 | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| RHEL-08-020026 | V1R9 | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| RHEL-08-020027 | V1R9 | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. | |
| RHEL-08-020028 | V1R9 | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory. | |
| RHEL-09-411105 | V2R1 | RHEL 9 must ensure account lockouts persist. | |
| RHEL-09-412045 | V2R1 | RHEL 9 must log username information when unsuccessful logon attempts occur. | |
| RHEL-09-431020 | V2R1 | RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory. | |
| RHEL-09-611030 | V2R1 | RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| RHEL-09-611035 | V2R1 | RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| OL09-00-003010 | V1R1 | OL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory. | |
| OL09-00-003011 | V1R1 | OL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| OL09-00-003012 | V1R1 | OL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| OL09-00-003022 | V1R1 | OL 9 must log username information when unsuccessful logon attempts occur. | |
| OL09-00-003023 | V1R1 | OL 9 must ensure account lockouts persist. | |
| WN16-AC-000020 | V2R10 | Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less. | |
| WN16-AC-000030 | V2R10 | Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | |
| SLES-15-020010 | V1R9 | The SUSE operating system must lock an account after three consecutive invalid access attempts. | |
| SLES-12-010130 | V2R13 | The SUSE operating system must lock an account after three consecutive invalid access attempts. | |
| OL07-00-010320 | V2R14 | The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe. | |
| WN19-AC-000020 | V2R8 | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | |
| WN19-AC-000030 | V2R8 | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | |
| OL08-00-020010 | V1R9 | OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur. | |
| OL08-00-020011 | V1R9 | OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur. | |
| OL08-00-020012 | V1R9 | OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020013 | V1R9 | OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020014 | V1R9 | OL 8 systems below version 8.2 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020015 | V1R9 | OL 8 systems, versions 8.2 and above, must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020016 | V1R9 | OL 8 systems below version 8.2 must ensure account lockouts persist. | |
| OL08-00-020017 | V1R9 | OL 8 systems, versions 8.2 and above, must ensure account lockouts persist. | |
| OL08-00-020018 | V1R9 | OL 8 systems below version 8.2 must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| OL08-00-020019 | V1R9 | OL 8 systems, versions 8.2 and above, must prevent system messages from being presented when three unsuccessful logon attempts occur. | |
| OL08-00-020020 | V1R9 | OL 8 systems below version 8.2 must log user name information when unsuccessful logon attempts occur. | |
| OL08-00-020021 | V1R9 | OL 8 systems, versions 8.2 and above, must log user name information when unsuccessful logon attempts occur. | |
| OL08-00-020022 | V1R9 | OL 8 systems below version 8.2 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020023 | V1R9 | OL 8 systems, versions 8.2 and above, must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | |
| OL08-00-020025 | V1R9 | OL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | |
| OL08-00-020026 | V1R9 | OL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | |
| OL08-00-020027 | V1R9 | OL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. | |
| OL08-00-020028 | V1R9 | OL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory. | |