Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-768 | GEN000480 | SV-63391r1_rule | ECLO-1 ECLO-2 | Medium |
Description |
---|
Enforcing a delay between successive failed login attempts increases protection against automated password guessing attacks. |
STIG | Date |
---|---|
Oracle Linux 5 Security Technical Implementation Guide | 2015-06-05 |
Check Text ( C-52101r1_chk ) |
---|
Check the value of the FAIL_DELAY variable and the ability to use it. Procedure: # grep FAIL_DELAY /etc/login.defs If the value does not exist, or is less than 4, this is a finding. Check for the use of pam_faildelay. # grep pam_faildelay /etc/pam.d/system-auth* If pam_faildelay.so module is not present, this is a finding. If pam_faildelay is present only in /etc/pam.d/system-auth-ac: ensure that /etc/pam.d/system-auth includes /etc/pam.d/system-auth-ac. #grep system-auth-ac /etc/pam.d/system-auth This should return: auth include system-auth-ac account include system-auth-ac password include system-auth-ac session include system-auth-ac /etc/pam.d/system-auth-ac should only be included by /etc/pam.d/system-auth. All other pam files should include /etc/pam.d/system-auth. If pam_faildelay is not defined in /etc/pam.d/system-auth either directly or through inclusion of system-auth-ac, this is a finding. |
Fix Text (F-53995r1_fix) |
---|
Add the pam_faildelay module and set the FAIL_DELAY variable. Procedure: Edit /etc/login.defs and set the value of the FAIL_DELAY variable to 4 or more. The default link /etc/pam.d/system-auth points to /etc/pam.d/system-auth-ac which is the file maintained by the authconfig utility. In order to add pam options other than those available via the utility create or modify /etc/pam.d/system-auth-local with the options and including system-auth-ac. For example: auth required pam_access.so auth optional pam_faildelay.so delay=4000000 auth include system-auth-ac account include system-auth-ac password include system-auth-ac session include system-auth-ac Once system-auth-local is written ensure the /etc/pam.d/system-auth points to system-auth-local. This is necessary because authconfig writes directly to system-auth-ac so any manual changes made will be lost if authconfig is run. |