Thanks for the response Steve. That is what I had figured.
But because both the RHEL6 SSG and RHEL6 STIG require this functionality to be
configured only in /etc/login.defs as opposed to /etc/pam.d/system-auth, it was
questionable.
While system certifications simply require checking that a system is configured
in accordance with a published STIG, DSS will actually check to see that the
intended requirements are actually enforced (i.e. actually attempt a
non-compliant password as opposed to checking for applied settings).
So if we are all in agreement, could the SSG check and fix for this please be
changed to include the setting that gets enforced (minlen=14 in
/etc/pam.d/system-auth)?
Thanks!
Best regards,
Trey Henefield, CISSP
Senior IAVA Engineer
Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA
[email protected]
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450
www.ultra-ats.com
-----Original Message-----
From: Steve Grubb [mailto:[email protected]]
Sent: Thursday, March 20, 2014 7:59 AM
To: [email protected]
Cc: Trey Henefield
Subject: Re: Minimum Password Length ...
On Thursday, March 20, 2014 07:28:34 AM Trey Henefield wrote:
> Nobody has seemed to respond to this. But this is an issue.
>
> In /etc/login.defs, I have PASS_MIN_LEN set to 14, yet as a user, I
> can set the following password 56tyghbn%^TY which only has 12
> characters via the passwd command.
In our common criteria setup, we have annotated the login.defs file with the
following:
# The evaluated configuration constraints are:
# PASS_MAX_DAYS MAY be changed, must be <= 60
# PASS_MAX_DAYS MAY be changed, 0 < PASS_MIN_DAYS < PASS_MAX_DAYS
# PASS_MIN_LEN has no effect in the evaluated configuration
# PASS_WARN_AGE MAY be changed
Note...has no effect...
The intended way can be seen in system-auth:
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
Of these, cracklib is responsible for enforcing password policy. Checking its
man page, it has something called minlen. Looking at the RHEL5 USGCB settings,
this is in fact how it's set:
sed -i "/pam_cracklib.so/s/retry=3/retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3/" /etc/pam.d/system-auth
So, to have 14, alter the above settings to correct it.
-Steve
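An added example of the check Trey asks for and the fix Steve describes: it reads the minlen that pam_cracklib actually enforces from the "password" stack rather than PASS_MIN_LEN in login.defs, compares it with a required value, and rewrites it. This is not SSG's own check or remediation; the sample file, its path and the required value of 14 are assumptions.

```sh
#!/bin/sh
# Added example (not SSG's own check): read the minlen that pam_cracklib
# actually enforces from a PAM "password" stack, compare it with the
# required value, and set it. File path and sample contents are assumptions.

# Return the minlen= argument on the pam_cracklib.so "password" line
# (empty if none). Comments are stripped first so a commented-out line
# cannot satisfy the check; if several lines match, the last one wins.
cracklib_minlen() {
    sed -e 's/#.*//' "$1" |
      awk '$1 == "password" && $3 ~ /pam_cracklib\.so/ {
               for (i = 4; i <= NF; i++)
                   if ($i ~ /^minlen=[0-9]+$/) { sub(/^minlen=/, "", $i); v = $i }
           }
           END { print v }'
}

# Succeed only when minlen is present and at least $2. Caveat: minlen is
# a score in pam_cracklib; it equals the real minimum length only when
# dcredit/ucredit/ocredit/lcredit are all <= 0, as in the USGCB line.
check_minlen() {
    v=$(cracklib_minlen "$1")
    [ -n "$v" ] && [ "$v" -ge "$2" ]
}

# Remediation: replace an existing minlen= on the pam_cracklib line, or
# append one if the line has none. Writes via a temp file (no sed -i).
set_minlen() {
    sed -e '/^password[[:space:]].*pam_cracklib\.so/{' \
        -e "s/minlen=[0-9]*/minlen=$2/" \
        -e 't' \
        -e "s/\$/ minlen=$2/" \
        -e '}' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample modelled on the system-auth lines quoted above.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# minlen=99 in a comment must not count
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF

if check_minlen "$SAMPLE" 14; then
    echo "enforced minlen=$(cracklib_minlen "$SAMPLE") meets 14"
else
    echo "enforced minlen=$(cracklib_minlen "$SAMPLE") is below 14"
fi
```

Run it against /etc/pam.d/system-auth instead of the sample to see what the host really enforces; a PASS_MIN_LEN of 14 in login.defs changes nothing here.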
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide