Ensure the Logon Failure Delay is Set Correctly in login.defs
An XCCDF Rule
Description
To ensure the logon failure delay controlled by /etc/login.defs
is set properly,
add or correct the FAIL_DELAY
setting in /etc/login.defs
to read as follows:
FAIL_DELAY
Rationale
Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.
- ID
- xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then
var_accounts_fail_delay='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_fail_delay" use="legacy"/>'
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- DISA-STIG-RHEL-07-010430
- NIST-800-53-AC-7(b)