Detections
Analytics
GEN000480 - The delay between login prompts following a failed login attempt must be at least 4 seconds - '/etc/pam.d/system-auth-local'
Information
Enforcing a delay between successive failed login attempts increases protection against automated password guessing attacks.Solution
Add the pam_faildelay module and set the FAIL_DELAY variable.Procedure:
Edit /etc/login.defs and set the value of the FAIL_DELAY variable to 4 or more.
The default link /etc/pam.d/system-auth points to /etc/pam.d/system-auth-ac which is the file maintained by the authconfig utility. In order to add pam options other than those available via the utility create or modify /etc/pam.d/system-auth-local with the options and including system-auth-ac. For example:
auth required pam_access.so
auth optional pam_faildelay.so delay=4000000
auth include system-auth-ac
account include system-auth-ac
password include system-auth-ac
session include system-auth-ac
Once system-auth-local is written ensure the /etc/pam.d/system-auth points to system-auth-local. This is necessary because authconfig writes directly to system-auth-ac so any manual changes made will be lost if authconfig is run.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_5_V2R1_STIG.zip
Item Details
Audit Name: DISA STIG for Oracle Linux 5 v2r1
Category: ACCESS CONTROL
References: 800-53|AC-7b., CAT|II, CCI|CCI-002238, Rule-ID|SV-218219r603259_rule, STIG-ID|GEN000480, STIG-Legacy|SV-63391, STIG-Legacy|V-768, Vuln-ID|V-218219
Plugin: Unix
Control ID: b629eba176e238aca4a770a06578f8a883f1fdf1cd4a386b6d212a40d5c6efba