The DoD states 50% of the minimum password length, which rounds up to 8 and coincides with OS-SRG v1r2 (SRG-OS-000072). The SSG also applies to systems outside the DoD, which may dictate some initial/default rules.
However, 15 seems to be too high for a default parameter.

Regards,

--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.

________________________________________
From: [email protected] [[email protected]] on behalf of Shaw, Ray V CTR USARMY ARL (US) [[email protected]]
Sent: Friday, July 24, 2015 02:30 PM
To: scap-security-guide [[email protected]]
Subject: difok value in stig-rhel7-server-upstream profile

RHEL/7/input/profiles/stig-rhel7-server-upstream.xml has the following:

<refine-value idref="var_password_pam_difok" selector="15" />

Should this be changed from 15 to 4? The help text indicates that the DoD requirement is 4, and other documentation seems to support this.

--
Ray Shaw (Contractor, STG)
Army Research Laboratory
CISD, Unix Support

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
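Added example, not from the thread or the SSG project: a Python check that reads a pwquality.conf fragment and the profile's refine-value, then compares the host's difok with the profile value and with the two floors discussed above (the DoD minimum of 4 and 50% of minlen rounded up). The profile and conf contents are constructed samples, the minlen value of 15 is an assumption, and the XCCDF fragment is parsed without a namespace as quoted.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample of the profile fragment quoted in the thread (minlen line assumed).
PROFILE_XML = """<Profile id="stig-rhel7-server-upstream">
  <refine-value idref="var_password_pam_difok" selector="15" />
  <refine-value idref="var_password_pam_minlen" selector="15" />
</Profile>"""

# Constructed sample of /etc/security/pwquality.conf on a host.
PWQUALITY_CONF = """# Number of characters that must differ from the old password
difok = 4
minlen = 15
"""


def parse_pwquality(text):
    """Return {key: int} for simple 'key = value' lines, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*(-?\d+)$", line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings


def profile_refinements(xml_text):
    """Return {idref: int(selector)} for every refine-value in the profile."""
    root = ET.fromstring(xml_text)
    return {rv.get("idref"): int(rv.get("selector")) for rv in root.iter("refine-value")}


def required_difok(minlen, dod_floor=4):
    """Stricter of the DoD floor (4, per the thread) and 50% of minlen, rounded up."""
    return max(dod_floor, math.ceil(minlen / 2))


def check_difok(conf_text, xml_text):
    """Compare the host's difok against the profile refinement and the derived floor."""
    host = parse_pwquality(conf_text)
    prof = profile_refinements(xml_text)
    host_difok = host.get("difok", 0)
    minlen = host.get("minlen", prof.get("var_password_pam_minlen", 0))
    floor = required_difok(minlen)
    return {
        "host_difok": host_difok,
        "profile_difok": prof.get("var_password_pam_difok"),
        "derived_floor": floor,
        "meets_floor": host_difok >= floor,
        "meets_profile": host_difok >= prof.get("var_password_pam_difok", 0),
    }
```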
