Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-768 | GEN000480 | SV-44838r1_rule | ECLO-1 ECLO-2 | Medium |
Description |
---|
Enforcing a delay between successive failed login attempts increases protection against automated password guessing attacks. |
STIG | Date |
---|---|
SUSE Linux Enterprise Server v11 for System z | 2015-01-26 |
Check Text ( C-42309r1_chk ) |
---|
Check the value of the FAIL_DELAY variable and the ability to use it Procedure:. # grep FAIL_DELAY /etc/login.defs If the value does not exist, or is less than 4, this is a finding. Check for the use of pam_faildelay. # grep pam_faildelay /etc/pam.d/common-auth* If the pam_faildelay.so module is not listed, this is a finding. |
Fix Text (F-38275r1_fix) |
---|
Add the pam_faildelay module and set the FAIL_DELAY variable. Procedure: Edit /etc/login.defs and set the value of the FAIL_DELAY variable to 4 or more. Edit /etc/pam.d/common-auth and add a pam_faildelay entry if one does not exist, such as: auth optional pam_faildelay.so |