Check: GEN000480
AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE:
GEN000480
(in versions v1 r14 through v1 r10)
Title
The delay between login prompts following a failed login attempt must be at least 4 seconds. (Cat II impact)
Discussion
Enforcing a delay between successive failed login attempts increases protection against automated password guessing attacks.
Check Content
Check the logindelay parameter:

# more /etc/security/login.cfg

OR

# grep logindelay /etc/security/login.cfg | grep -v \*

Verify the value of the logindelay variable is 4 or more in each stanza. If the value of logindelay is not 4 or more, this is a finding.
Fix Text
Use vi or the chsec command to change the login delay time period:

# chsec -f /etc/security/login.cfg -s default -a logindelay=4

OR

# vi /etc/security/login.cfg

Add logindelay = 4 to the default stanza.
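The grep in the Check Content above matches any logindelay line, comments excluded, but does not tell you which stanza it belongs to. The following is an added example, not part of the STIG, that parses the login.cfg stanza format and reports a finding per stanza. It assumes a port stanza that does not set logindelay falls back to the default stanza, and it runs against two constructed sample files rather than a live /etc/security/login.cfg.

```shell
#!/bin/sh
# Stanza-aware check of logindelay in an AIX login.cfg file (GEN000480).
# Constructed sample files, not copied from any real system.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
* comment: logindelay = 0 here must be ignored
default:
        logindelay = 4
/dev/tty0:
        logindelay = 5
usw:
        shells = /bin/sh,/bin/ksh
EOF
cat > "$BAD_CFG" <<'EOF'
default:
        logindelay = 2
/dev/tty0:
        logindelay = 10
EOF

# Print "<stanza> <logindelay or ->" for every stanza, skipping "*" comment
# lines just as the STIG's "grep -v \*" does.
logindelay_per_stanza() {
    awk '
        /^[ \t]*\*/ { next }
        /^[^ \t*][^:]*:[ \t]*$/ {
            if (stanza != "") print stanza, (val == "" ? "-" : val)
            stanza = $0; sub(/:[ \t]*$/, "", stanza); val = ""; next
        }
        /^[ \t]*logindelay[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            if (val == "") val = "-"
        }
        END { if (stanza != "") print stanza, (val == "" ? "-" : val) }
    ' "$1"
}

# Print one FINDING line per violation and return 1 if there is any: the default
# stanza must set logindelay >= 4, and any other stanza that sets it must use >= 4
# (a stanza without logindelay is assumed to inherit the default stanza's value).
check_logindelay() {
    logindelay_per_stanza "$1" | awk -v min=4 '
        ($1 == "default" && ($2 == "-" || $2 + 0 < min)) ||
        ($1 != "default" && $2 != "-" && $2 + 0 < min) {
            print "FINDING: stanza " $1 " has logindelay=" $2 " (need " min " or more)"; n++
        }
        END { exit n ? 1 : 0 }'
}

check_logindelay "$GOOD_CFG" && echo "compliant: $GOOD_CFG"
check_logindelay "$BAD_CFG"  || echo "non-compliant: $BAD_CFG"
```

On a real host, call check_logindelay /etc/security/login.cfg and treat a non-zero exit as a finding to remediate with the chsec command above.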
Additional Identifiers
Rule ID: SV-38839r1_rule
Vulnerability ID: V-768
Group Title: GEN000480
Expert Comments
CCIs
Number | Definition
---|---
CCI-002238 | The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.
Controls
Number | Title
---|---
AC-7 | Unsuccessful Logon Attempts