UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The delay between login prompts following a failed login attempt must be at least 4 seconds.


Overview

Finding ID Version Rule ID IA Controls Severity
V-768 GEN000480 SV-38446r3_rule ECLO-1 ECLO-2 Medium
Description
Enforcing a delay between consecutive failed login attempts increases protection against automated password guessing attacks.
STIG Date
HP-UX 11.31 Security Technical Implementation Guide 2015-06-12

Details

Check Text ( C-36250r2_chk )
For Trusted Mode:
Check the t_logdelay setting.
# more /tcb/files/auth/system/default

Verify the value of the t_logdelay variable. If the value is less than 4, this is a finding.

For SMSE:
By default, PAM executes a built-in, 3 second standard delay if user authentication fails. This delay cannot be extended. The “nodelay” parameter disables the built-in delay. Ensure that the “nodelay” parameter is not found in the /etc/pam.conf file.

The HP-SMSE environment does not meet the failed authentication 4 second minimum delay requirement. This check will always result in a finding.
Fix Text (F-31507r2_fix)
For Trusted Mode:
Use the SAM/SMH interface to ensure that the t_logdelay setting is 4.

For SMSE:
There is no fix, however, there are attack mitigations to minimize risk (see mitigations).