Information
The SLEEPTIME variable in the /etc/default/login file controls the number of seconds to wait before printing the 'login incorrect' message when a bad password is provided. The default value for SLEEPTIME is 4 seconds.
Rationale:
An immediate error message, combined with the ability to try again, may facilitate automated, rapid-fire brute-force password attacks by a malicious user. The delay should therefore be set as appropriate to the needs of the user.
Solution
Perform the following to implement the recommended state:
# cd /etc/default
# cp login login.orig
# awk '/SLEEPTIME=/ { $1 = "SLEEPTIME=4" } { print }' login > login.CIS
# mv login.CIS login
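The following is an added example, not part of the benchmark text: shell functions that audit the setting and apply the same change idempotently, including the case where the file has no SLEEPTIME line at all. The function names and the AWK override variable are assumptions made for this example, and it assumes a POSIX awk that accepts -v.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit and idempotent fix for SLEEPTIME.
# Assumptions: NAME=value lines with '#' comments; a POSIX awk that supports -v
# (set AWK=nawk where the default awk is the older one).
AWK=${AWK:-awk}

# Return 0 only if at least one active SLEEPTIME line exists and all equal $2.
sleeptime_ok() {
    "$AWK" -v want="$2" '
        /^[ \t]*SLEEPTIME=/ {
            n++
            sub(/^[ \t]*SLEEPTIME=/, ""); sub(/[ \t]+$/, "")
            if ($0 != want) bad++
        }
        END { exit !(n > 0 && bad == 0) }' "$1"
}

# Print a corrected copy of $1: the first SLEEPTIME line (active or commented
# out) becomes SLEEPTIME=$2, later ones are dropped, and the setting is
# appended when the file has none (the one-line awk edit leaves that case unset).
sleeptime_fix() {
    "$AWK" -v want="$2" '
        /^[ \t]*#?[ \t]*SLEEPTIME=/ {
            if (!done) { print "SLEEPTIME=" want; done = 1 }
            next
        }
        { print }
        END { if (!done) print "SLEEPTIME=" want }' "$1"
}

# Back up, rewrite in place (cat keeps the file's owner and mode), re-audit.
sleeptime_apply() {
    file=$1 want=${2:-4}
    sleeptime_ok "$file" "$want" && return 0   # already compliant: no change
    cp -p "$file" "$file.orig" || return 1
    sleeptime_fix "$file" "$want" > "$file.CIS" || return 1
    cat "$file.CIS" > "$file" && rm -f "$file.CIS" || return 1
    sleeptime_ok "$file" "$want"
}

# Usage (as root, on the real file): sleeptime_apply /etc/default/login 4
```

Run sleeptime_apply against a copy of the file first. Its exit status is the result of the final re-audit, so it can be used directly in a compliance check.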
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1
Control ID: c7c332d968b4f4ac430b9a1403651460c54a754851ce015e39dc57277df5b421