Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-768 | GEN000480 | SV-38446r3_rule | ECLO-1 ECLO-2 | Medium |
Description |
---|
Enforcing a delay between consecutive failed login attempts increases protection against automated password guessing attacks. |
STIG | Date |
---|---|
HP-UX 11.31 Security Technical Implementation Guide | 2015-06-12 |
Check Text ( C-36250r2_chk ) |
---|
For Trusted Mode: Check the t_logdelay setting. # more /tcb/files/auth/system/default Verify the value of the t_logdelay variable. If the value is less than 4, this is a finding. For SMSE: By default, PAM executes a built-in, 3 second standard delay if user authentication fails. This delay cannot be extended. The “nodelay” parameter disables the built-in delay. Ensure that the “nodelay” parameter is not found in the /etc/pam.conf file. The HP-SMSE environment does not meet the failed authentication 4 second minimum delay requirement. This check will always result in a finding. |
Fix Text (F-31507r2_fix) |
---|
For Trusted Mode: Use the SAM/SMH interface to ensure that the t_logdelay setting is 4. For SMSE: There is no fix, however, there are attack mitigations to minimize risk (see mitigations). |