Check: GEN000480
SUSE Linux Enterprise Server v11 for System z STIG:
GEN000480
(in versions v1 r12 through v1 r9)
Title
The delay between login prompts following a failed login attempt must be at least 4 seconds. (Cat II impact)
Discussion
Enforcing a delay between successive failed login attempts increases protection against automated password guessing attacks.
Check Content
Check the value of the FAIL_DELAY variable and the ability to use it.

Procedure:

# grep FAIL_DELAY /etc/login.defs

If the value does not exist, or is less than 4, this is a finding.

Check for the use of pam_faildelay.

# grep pam_faildelay /etc/pam.d/common-auth*

If the pam_faildelay.so module is not listed, this is a finding.
Fix Text
Add the pam_faildelay module and set the FAIL_DELAY variable.

Procedure:

Edit /etc/login.defs and set the value of the FAIL_DELAY variable to 4 or more.

Edit /etc/pam.d/common-auth and add a pam_faildelay entry if one does not exist, such as:

auth optional pam_faildelay.so
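The check and fix above amount to two greps and a numeric comparison, which is easy to script for a fleet audit. The script below is an added example, not part of the STIG text: it implements the check as functions that take the files to inspect as arguments, ignores commented-out lines (a plain grep would match a commented FAIL_DELAY and report a false pass), and runs against constructed sample files so it can be exercised offline. The sample directory and file names are assumptions for the demonstration; on a real host you would pass /etc/login.defs and /etc/pam.d/common-auth* instead. Note that when pam_faildelay.so is listed without a delay= argument, it takes its delay from FAIL_DELAY in /etc/login.defs (in seconds), so both halves of the check are needed for the delay to actually apply.

```shell
#!/bin/sh
# Added example (not from the STIG): audit GEN000480 against given files.

# check_fail_delay LOGIN_DEFS
# Returns 0 when an active (uncommented) FAIL_DELAY is set to 4 or more,
# 1 when it is missing, non-numeric or below 4 (a finding).
check_fail_delay() {
    login_defs="$1"
    # Skip comments; if the key appears more than once, the last one wins.
    val=$(grep -E '^[[:space:]]*FAIL_DELAY[[:space:]]+' "$login_defs" 2>/dev/null \
          | tail -n 1 | awk '{print $2}')
    case "$val" in
        ''|*[!0-9]*) return 1 ;;   # absent or not a number: finding
    esac
    [ "$val" -ge 4 ]
}

# check_pam_faildelay PAMFILE...
# Returns 0 when at least one file has an active auth line loading pam_faildelay.so.
check_pam_faildelay() {
    for f in "$@"; do
        grep -Eq '^[[:space:]]*auth[[:space:]]+.*pam_faildelay\.so' "$f" 2>/dev/null && return 0
    done
    return 1
}

# gen000480_status LOGIN_DEFS PAMFILE...
# Prints a line per sub-check; returns 0 if compliant, 1 if either part is a finding.
gen000480_status() {
    login_defs="$1"; shift
    rc=0
    if check_fail_delay "$login_defs"; then
        echo "FAIL_DELAY >= 4: ok"
    else
        echo "FAIL_DELAY missing or < 4: finding"; rc=1
    fi
    if check_pam_faildelay "$@"; then
        echo "pam_faildelay.so listed: ok"
    else
        echo "pam_faildelay.so not listed: finding"; rc=1
    fi
    return $rc
}

# Constructed sample files (assumed names, not real system files) so this runs offline.
SAMPLE_DIR=$(mktemp -d)
printf '# FAIL_DELAY 10 (commented out, must not count)\nFAIL_DELAY 3\n' > "$SAMPLE_DIR/login.defs.weak"
printf 'FAIL_DELAY 4\n' > "$SAMPLE_DIR/login.defs.ok"
printf 'auth required pam_env.so\nauth required pam_unix.so\n' > "$SAMPLE_DIR/common-auth.weak"
printf 'auth optional pam_faildelay.so\nauth required pam_unix.so\n' > "$SAMPLE_DIR/common-auth.ok"

cleanup_samples() { rm -rf "$SAMPLE_DIR"; }

# Demonstration on the constructed samples; the weak pair is expected to be a finding.
gen000480_status "$SAMPLE_DIR/login.defs.ok" "$SAMPLE_DIR/common-auth.ok" || echo "unexpected"
gen000480_status "$SAMPLE_DIR/login.defs.weak" "$SAMPLE_DIR/common-auth.weak" || echo "(finding, as expected)"

# To audit a live host instead:
# gen000480_status /etc/login.defs /etc/pam.d/common-auth*
```

The commented-out line in the weak sample is the case the STIG's plain `grep FAIL_DELAY` would misreport; anchoring the pattern at the start of the line is what keeps the check honest.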
Additional Identifiers
Rule ID: SV-44838r1_rule
Vulnerability ID: V-768
Group Title: GEN000480
CCIs
Number | Definition
---|---
CCI-002238 | The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.
Controls
Number | Title
---|---
AC-7 | Unsuccessful Logon Attempts