{"description": "To ensure the logon failure delay controlled by <tt>/etc/login.defs</tt> is set properly,\nadd or correct the <tt>FAIL_DELAY</tt> setting in <tt>/etc/login.defs</tt> to read as follows:\n<pre>FAIL_DELAY <sub idref=\"var_accounts_fail_delay\" /></pre>", "rationale": "Increasing the time between a failed authentication attempt and re-prompting to\nenter credentials helps to slow a single-threaded brute force attack.", "severity": "medium", "references": {"cis-csc": ["11", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4"], "nist": ["AC-7(b)", "CM-6(a)"], "nist-csf": ["PR.IP-1"], "srg": ["SRG-OS-000480-GPOS-00226"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the value of \"FAIL_DELAY\" is not set to \"<sub idref=\"var_accounts_fail_delay\" />\" or greater, or the line is commented out", "ocil": "Verify Ubuntu 22.04 enforces a delay of at least <sub idref=\"var_accounts_fail_delay\" /> seconds between console logon prompts following a failed logon attempt with the following command:\n\n<pre>$ sudo grep -i \"FAIL_DELAY\" /etc/login.defs\nFAIL_DELAY <sub idref=\"var_accounts_fail_delay\" /></pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to enforce a delay of at least <sub idref=\"var_accounts_fail_delay\" /> seconds between logon prompts following a failed console logon attempt.\n\nModify the \"/etc/login.defs\" file to set the \"FAIL_DELAY\" parameter to <sub idref=\"var_accounts_fail_delay\" /> or greater:\n\nFAIL_DELAY <sub idref=\"var_accounts_fail_delay\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.", "warnings": [], "conflicts": [], "requires": [], 
"policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.", "vuldiscussion": "Increasing the time between a failed authentication attempt and re-prompting to\nenter credentials helps to slow a single-threaded brute force attack.", "checktext": "Verify Ubuntu 22.04 enforces a delay of at least four seconds between console logon prompts following a failed logon attempt with the following command:\n\n$ grep -i fail_delay /etc/login.defs\n\nFAIL_DELAY 4\n\nIf the value of \"FAIL_DELAY\" is not set to \"4\" or greater, or the line is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to enforce a delay of at least 4 seconds between logon prompts following a failed console logon attempt.\n\nModify the \"/etc/login.defs\" file to set the \"FAIL_DELAY\" parameter to 4 or greater:\n\nFAIL_DELAY 4"}}, "platform": "package[shadow-utils] and system_with_kernel", "platforms": ["package[shadow-utils] and system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_shadow-utils_and_system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure the Logon Failure Delay is Set Correctly in login.defs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml", "template": null}