Check: GEN000480
HP-UX 11.31 STIG:
GEN000480
(in versions v1 r19 through v1 r13)
Title
The delay between login prompts following a failed login attempt must be at least 4 seconds. (Cat II impact)
Discussion
Enforcing a delay between consecutive failed login attempts increases protection against automated password guessing attacks.
Check Content
For Trusted Mode: Check the t_logdelay setting. # more /tcb/files/auth/system/default Verify the value of the t_logdelay variable. If the value is less than 4, this is a finding. For SMSE: By default, PAM executes a built-in, 3 second standard delay if user authentication fails. This delay cannot be extended. The “nodelay” parameter disables the built-in delay. Ensure that the “nodelay” parameter is not found in the /etc/pam.conf file. The HP-SMSE environment does not meet the failed authentication 4 second minimum delay requirement. This check will always result in a finding.
Fix Text
For Trusted Mode: Use the SAM/SMH interface to ensure that the t_logdelay setting is 4. For SMSE: There is no fix, however, there are attack mitigations to minimize risk (see mitigations).
Additional Identifiers
Rule ID: SV-38446r3_rule
Vulnerability ID: V-768
Group Title: GEN000480
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002238 |
The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. |
Controls
| Number | Title |
|---|---|
| AC-7 |
Unsuccessful Logon Attempts |