
The delay between login prompts following a failed login attempt must be at least 4 seconds.


Overview

Finding ID: V-768
Version: GEN000480
Rule ID: SV-38446r3_rule
IA Controls: ECLO-1, ECLO-2
Severity: Medium
Description
Enforcing a delay between consecutive failed login attempts increases protection against automated password guessing attacks.
STIG: HP-UX 11.23 Security Technical Implementation Guide
Date: 2015-12-02

Details

Check Text (C-36250r2_chk)
For Trusted Mode:
Check the t_logdelay setting.
# more /tcb/files/auth/system/default

Verify the value of the t_logdelay variable. If the value is less than 4, this is a finding.

For SMSE:
By default, PAM executes a built-in, 3-second standard delay if user authentication fails. This delay cannot be extended. The “nodelay” parameter disables the built-in delay. Ensure that the “nodelay” parameter is not found in the /etc/pam.conf file.

The HP-SMSE environment does not meet the 4-second minimum delay requirement for failed authentication. This check will always result in a finding.
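
The check text above as a script, an added example that is not part of the STIG. It assumes the Trusted Mode file stores the value in the termcap-style form `:t_logdelay#<n>:`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: automates the GEN000480 check text.
# Assumption: numeric fields appear as ":t_logdelay#<n>:" (termcap style).
MIN_DELAY=4

# Print the t_logdelay value found in file $1; print nothing if it is absent.
get_logdelay() {
    sed -n 's/.*:t_logdelay#\([0-9][0-9]*\).*/\1/p' "$1" 2>/dev/null | head -n 1
}

# Trusted Mode: return 0 if t_logdelay >= MIN_DELAY, 1 (finding) otherwise.
check_trusted_mode() {
    val=$(get_logdelay "$1")
    if [ -z "$val" ]; then
        echo "FINDING: t_logdelay not set in $1"
        return 1
    fi
    if [ "$val" -lt "$MIN_DELAY" ]; then
        echo "FINDING: t_logdelay=$val (< $MIN_DELAY) in $1"
        return 1
    fi
    echo "OK: t_logdelay=$val in $1"
    return 0
}

# SMSE: return 1 if any non-comment line of file $1 carries "nodelay".
# Returning 0 only means the built-in 3-second delay is still active;
# per the check text, SMSE remains a finding either way.
check_pam_nodelay() {
    hits=$(grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
           grep -E '(^|[[:space:]])nodelay([[:space:]]|$)' || true)
    if [ -n "$hits" ]; then
        echo "FINDING: nodelay disables the PAM delay in $1:"
        echo "$hits"
        return 1
    fi
    echo "NOTE: nodelay absent in $1; 3-second delay active (still a finding)"
    return 0
}

# Check the paths named in the check text only when asked:  sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    check_trusted_mode /tcb/files/auth/system/default
    check_pam_nodelay /etc/pam.conf
fi
```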
Fix Text (F-31507r2_fix)
For Trusted Mode:
Use the SAM/SMH interface to ensure that the t_logdelay setting is 4.

For SMSE:
There is no fix; however, there are attack mitigations to minimize risk (see mitigations).