← Rules Catalog
mediumaccess-controlverified rollback-safe

Enforce delay after failed logon attempt

pam-faildelay · RHEL ≥ 8 · 1 impl

Description

The pam_faildelay.so module must be configured with a delay of at least 4 seconds (4000000 microseconds) between logon prompts following a failed logon attempt.

Rationale

Inserting a delay after a failed logon attempt limits the rate of brute-force attacks. A minimum 4-second delay significantly slows automated attack tools.

Check → Remediate

Checkconfig_value
delimiter:
path:
/etc/login.defs
key:
FAIL_DELAY
expected:
4
comparator:
>=
Remediateconfig_set
path:
/etc/login.defs
key:
FAIL_DELAY
value:
4
separator:

Framework references

STIG

V-258071 / RHEL-09-412050V-230378V-281179 / RHEL-10-600200

NIST 800-53

AC-7

Live verification

rhel10:checkrhel8:checkrhel9:check
#pam#authentication#faildelay#brute-force