UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The delay between login prompts following a failed login attempt must be at least 4 seconds.


Overview

Finding ID Version Rule ID IA Controls Severity
V-768 GEN000480 SV-44838r1_rule Medium
Description
Enforcing a delay between successive failed login attempts increases protection against automated password guessing attacks.
STIG Date
SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide 2018-09-19

Details

Check Text ( C-42309r1_chk )
Check the value of the FAIL_DELAY variable and the ability to use it

Procedure:.
# grep FAIL_DELAY /etc/login.defs
If the value does not exist, or is less than 4, this is a finding.

Check for the use of pam_faildelay.
# grep pam_faildelay /etc/pam.d/common-auth*
If the pam_faildelay.so module is not listed, this is a finding.
Fix Text (F-38275r1_fix)
Add the pam_faildelay module and set the FAIL_DELAY variable.

Procedure:
Edit /etc/login.defs and set the value of the FAIL_DELAY variable to 4 or more.

Edit /etc/pam.d/common-auth and add a pam_faildelay entry if one does not exist, such as:
auth optional pam_faildelay.so