
Enforce Delay After Failed Logon Attempts

An XCCDF Rule

Description

To configure the system to introduce a delay after failed logon attempts, add or correct the pam_faildelay settings in /etc/pam.d/common-auth to make sure its delay parameter is at least or greater. For example:

auth required pam_faildelay.so delay=
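
The check this rule describes, as an added example rather than code from the SCAP Security Guide project: a shell function that audits a PAM file for an active pam_faildelay line whose delay meets a minimum. The function name, the sample stack and the 4000000 threshold are constructed assumptions, since the page's own value is not shown.

```shell
#!/bin/sh
# Added example (not project code): audit a PAM auth stack for pam_faildelay.
# pam_faildelay takes its delay= argument in microseconds.

# check_faildelay FILE MIN_USEC   (hypothetical helper name)
#   0 = every active pam_faildelay auth line has delay >= MIN_USEC
#   1 = module absent, delay= missing or non-numeric, or delay too small
#   2 = unreadable file or non-numeric MIN_USEC
check_faildelay() {
    [ -r "$1" ] || return 2
    case $2 in ''|*[!0-9]*) return 2 ;; esac
    awk -v min="$2" '
        { sub(/#.*/, "") }                       # PAM ignores text after "#"
        $1 != "auth" && $1 != "-auth" { next }   # only the auth stack counts
        {
            hit = 0; val = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /(^|\/)pam_faildelay\.so$/) hit = 1
                else if (hit && $i ~ /^delay=/) val = substr($i, 7)
            }
            if (!hit) next
            found = 1
            # Without delay= the module falls back to FAIL_DELAY in
            # /etc/login.defs, so the PAM line alone proves nothing.
            if (val !~ /^[0-9]+$/ || val + 0 < min + 0) bad = 1
        }
        END { if (found && !bad) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample stack; 4000000 (4 s) is an assumed threshold.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#auth required pam_faildelay.so delay=9000000
auth	required	pam_env.so
auth required pam_faildelay.so delay=4000000   # active line
auth	required	pam_unix.so	try_first_pass
EOF
if check_faildelay "$sample" 4000000; then
    echo "compliant"
else
    echo "non-compliant"
fi
rm -f "$sample"
```

A commented-out line, or a delay= that sits behind an inline "#", is treated as absent, which is the case a plain grep for the string would miss.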

Rationale

Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.

ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay
Severity: Medium



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-94092-4
  - DISA-STIG-SLEM-05-412025

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_password_pam_delay='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_delay" use="legacy"/>'