I concur, Trevor.

Shawn, et al: The RHEL7_STIG_REQUIREMENTS.xlsx spreadsheet on the SSG wiki (https://github.com/OpenSCAP/scap-security-guide/wiki/RHEL7-STIG-Settings-Review) has deltas compared to the DoD CIO resource for CCIs. After a quick comparison, it appears the only delta that affects security posture is CCI-000195, with the rest being title differences (ISSM, ISSO, SCA, etc.) or deprecated/re-numbered CCIs. Regardless, I will be sure to reference the XLSX when making contributions in the future.

Regards,
--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.

________________________________________
From: [email protected] [[email protected]] on behalf of Trevor Vaughan [[email protected]]
Sent: Saturday, July 25, 2015 07:56 PM
To: SCAP Security Guide
Subject: Re: difok value in stig-rhel7-server-upstream profile

Interesting. Not looking forward to the backlash on implementing that one.

Trevor

On Fri, Jul 24, 2015 at 2:56 PM, Shawn Wells <[email protected]> wrote:

Unfortunately, DISA now requires that 15 of the characters differ between passwords.

Ref: https://github.com/OpenSCAP/scap-security-guide/issues/91

Awkwardly citing the same requirement (SRG-OS-000072), of which the full text is:

The operating system must require the change of at least 15 of the total number of characters when passwords are changed.

If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.
On 7/24/15 2:44 PM, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:

The DoD states 50% of the minimum password length, which rounds up to 8 and coincides with OS-SRG v1r2 (SRG-OS-000072). The SSG also applies to systems outside the DoD, which may dictate some initial/default rules. However, 15 seems to be too high for a default parameter.

Regards,
--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.

________________________________________
From: [email protected] [[email protected]] on behalf of Shaw, Ray V CTR USARMY ARL (US) [[email protected]]
Sent: Friday, July 24, 2015 02:30 PM
To: scap-security-guide [[email protected]]
Subject: difok value in stig-rhel7-server-upstream profile

RHEL/7/input/profiles/stig-rhel7-server-upstream.xml has the following:

    <refine-value idref="var_password_pam_difok" selector="15" />

Should this be changed from 15 to 4? The help text indicates that the DoD requirement is 4, and other documentation seems to support this.

--
Ray Shaw (Contractor, STG)
Army Research Laboratory
CISD, Unix Support

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/

--
Shawn Wells
Director, Innovation Programs
[email protected] | 443.534.0130
@shawndwells

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
-- This account not approved for unencrypted proprietary information --
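The thread above argues about which number difok should carry but not about what difok actually measures, which is where the SRG wording ("positions of the like characters must be different") and the PAM module part ways. As an added example that is not part of this thread or of the SSG project, here is a stand-alone Python model of the old/new password similarity test pam_pwquality applies when difok is set, so the values debated above (4, 8 and 15) can be tried against real old/new pairs. Two assumptions, stated here and in the code: libpwquality's similar() in check.c rejects a new password whose distance from the old one is below difok unless the new password is at least twice as long as the old one; and the distance is computed here as standard Levenshtein edit distance, which closely approximates libpwquality's own dynamic-programming table rather than being a line-for-line port of it. The sample passwords are constructed for the demonstration and are not real credentials.

```python
"""Stand-alone model of pam_pwquality's old/new password similarity test.

Added example; not code from the mailing-list thread or from the SSG project.
Assumptions (also stated in the lead-in):
  * libpwquality's similar() rejects a new password when its distance from the
    old password is below difok, unless len(new) >= 2 * len(old).
  * The distance is computed as standard Levenshtein edit distance, a close
    approximation of libpwquality's own table, not a line-for-line port.
"""

DIFOK_CANDIDATES = (4, 8, 15)  # the three values debated in the thread


def distance(old: str, new: str) -> int:
    """Levenshtein distance: minimum number of single-character inserts,
    deletes and substitutions that turn `old` into `new`."""
    rows, cols = len(old) + 1, len(new) + 1
    table = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        table[i][0] = i          # delete every character of old[:i]
    for j in range(cols):
        table[0][j] = j          # insert every character of new[:j]
    for i in range(1, rows):
        for j in range(1, cols):
            subst = 0 if old[i - 1] == new[j - 1] else 1
            table[i][j] = min(
                table[i - 1][j] + 1,          # delete old[i-1]
                table[i][j - 1] + 1,          # insert new[j-1]
                table[i - 1][j - 1] + subst,  # keep or substitute
            )
    return table[rows - 1][cols - 1]


def similar(old: str, new: str, difok: int) -> bool:
    """True when the new password would be rejected as too similar to the old
    one under the given difok (pam_pwquality's rule, per the assumptions above)."""
    if distance(old, new) >= difok:
        return False
    if len(new) >= 2 * len(old):   # escape hatch: doubling the length always passes
        return False
    return True


def verdicts(old: str, new: str, thresholds=DIFOK_CANDIDATES) -> dict:
    """Map each candidate difok value to 'rejected' or 'accepted' for this pair."""
    return {t: ("rejected" if similar(old, new, t) else "accepted") for t in thresholds}


# Constructed sample pairs (not real credentials). The 15-character old passwords
# match the RHEL 7 STIG minimum length, so difok=15 asks for every character to change.
SAMPLE_PAIRS = [
    ("Summer2015!Pass", "Summer2015!Pa$$"),   # two characters swapped out
    ("abcdefghijklmno", "bcdefghijklmnoa"),   # every position changed, but only rotated
    ("abcdefghijklmno", "ABCDEFGHIJKLMNO"),   # every character actually replaced
    ("Pass1234", "Pass1234Pass1234"),         # 8 -> 16 characters: length escape hatch
]

if __name__ == "__main__":
    for old, new in SAMPLE_PAIRS:
        print(f"{old!r:20} -> {new!r:20} distance={distance(old, new):2d}  "
              + "  ".join(f"difok={t}:{v}" for t, v in verdicts(old, new).items()))
```

The rotated pair is the one worth noticing: every position of the 15-character password changed, which is what the SRG text appears to ask for, yet the edit distance is 2, so difok=15 (and even difok=4) rejects it. Conversely the length rule means that a 16-character successor to an 8-character password is accepted at any difok value, regardless of how much of the old password it reuses. Whatever number the profile settles on, that is the behaviour users will actually hit at the passwd prompt.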
