File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.76-1
  • links: PTS, VCS
  • area: main
  • in suites: trixie
  • size: 110,644 kB
  • sloc: xml: 241,883; sh: 73,777; python: 32,527; makefile: 27
file content (55 lines) | stat: -rw-r--r-- 2,234 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
 
documentation_complete: true

title: 'Ensure the Logon Failure Delay is Set Correctly in login.defs'

description: |-
    To ensure the logon failure delay controlled by <tt>/etc/login.defs</tt> is set properly,
    add or correct the <tt>FAIL_DELAY</tt> setting in <tt>/etc/login.defs</tt> to read as follows:
    <pre>FAIL_DELAY {{{ xccdf_value("var_accounts_fail_delay") }}}</pre>

rationale: |-
    Increasing the time between a failed authentication attempt and re-prompting to
    enter credentials helps to slow a single-threaded brute force attack.

severity: medium

identifiers:
    cce@rhel8: CCE-84037-1
    cce@rhel9: CCE-83635-3
    cce@rhel10: CCE-86822-4
    cce@sle12: CCE-83028-1
    cce@slmicro5: CCE-94093-2

references:
    cis-csc: 11,3,9
    cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
    disa: CCI-000366
    isa-62443-2009: 4.3.4.3.2,4.3.4.3.3
    isa-62443-2013: 'SR 7.6'
    iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
    nist: AC-7(b),CM-6(a)
    nist-csf: PR.IP-1
    srg: SRG-OS-000480-GPOS-00226
    stigid@ol7: OL07-00-010430
    stigid@ol8: OL08-00-020310
    stigid@rhel8: RHEL-08-020310
    stigid@sle12: SLES-12-010140

ocil_clause: 'the value of "FAIL_DELAY" is not set to "{{{ xccdf_value("var_accounts_fail_delay") }}}" or greater, or the line is commented out'

ocil: |-
    Verify {{{ full_name }}} enforces a delay of at least {{{ xccdf_value("var_accounts_fail_delay") }}} seconds between console logon prompts following a failed logon attempt with the following command:

    <pre>$ sudo grep -i "FAIL_DELAY" /etc/login.defs
    FAIL_DELAY {{{ xccdf_value("var_accounts_fail_delay") }}}</pre>

platform: package[shadow-utils]

fixtext: |-
    Configure the {{{ full_name }}} to enforce a delay of at least {{{ xccdf_value("var_accounts_fail_delay") }}} seconds between logon prompts following a failed console logon attempt.

    Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to {{{ xccdf_value("var_accounts_fail_delay") }}} or greater:

    FAIL_DELAY {{{ xccdf_value("var_accounts_fail_delay") }}}

srg_requirement: '{{{ full_name }}} must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.'