Ensure the Logon Failure Delay is Set Correctly in login.defs

An XCCDF Rule

Details
Profiles

Description

To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:

FAIL_DELAY

Rationale

Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.

ID: xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay
Severity: Medium
References: 11 3 9

BAI10.01 BAI10.02 BAI10.03 BAI10.05

CCI-000366

4.3.4.3.2 4.3.4.3.3

SR 7.6

A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4

AC-7(b) CM-6(a)

PR.IP-1

SRG-OS-000480-GPOS-00226
Updated: over 1 year ago