Trevor, regarding cracklib: partially, at least in my testing.
(These are for demonstration -- do not use these patterned passwords.)

For example, this would be picked up as 'BAD PASSWORD: it is too simplistic/systematic' by cracklib (RHEL6):

    3456erty#$%^ERTY

But this would not:

    3467eryu#$^&ERYU

However, there is a maxsequence parameter that cracklib can take that I have not tested; perhaps that would increase this capability.

Regards,
--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.

________________________________
From: [email protected] [[email protected]] on behalf of Trevor Vaughan [[email protected]]
Sent: Saturday, July 25, 2015 08:22 PM
To: SCAP Security Guide
Subject: Re: difok value in stig-rhel7-server-upstream profile

Hmm... thinking about this, did cracklib ever pick up common extended keyboard patterns? It seems that this could be done relatively easily mathematically based on the password vs keyboard layout.

If not, I'll suggest it to a couple of Universities as a programming project.

Thanks,

Trevor

On Sat, Jul 25, 2015 at 8:00 PM, Leam Hall <[email protected]> wrote:

No kidding. I know there are smart people at DISA, but the general output seems to be from people who don't actually use computers or follow their own rules.

Leam

On 07/25/15 19:56, Trevor Vaughan wrote:

Interesting. Not looking forward to the backlash on implementing that one.

Trevor

On Fri, Jul 24, 2015 at 2:56 PM, Shawn Wells <[email protected]> wrote:

Unfortunately, DISA now requires that 15 of the characters differ between passwords.

Ref: https://github.com/OpenSCAP/scap-security-guide/issues/91

Awkwardly citing the same requirement (SRG-OS-000072), of which the full text is:

The operating system must require the change of at least 15 of the total number of characters when passwords are changed.

If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.

On 7/24/15 2:44 PM, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:

The DoD states 50% of the minimum password length, which rounds up to 8 and coincides with OS-SRG v1r2 (SRG-OS-000072). The SSG also applies to systems outside the DoD, which may dictate some initial/default rules. However, 15 seems to be too high for a default parameter.

Regards,
--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.

________________________________________
From: [email protected] [[email protected]] on behalf of Shaw, Ray V CTR USARMY ARL (US) [[email protected]]
Sent: Friday, July 24, 2015 02:30 PM
To: scap-security-guide [[email protected]]
Subject: difok value in stig-rhel7-server-upstream profile

RHEL/7/input/profiles/stig-rhel7-server-upstream.xml has the following:

    <refine-value idref="var_password_pam_difok" selector="15" />

Should this be changed from 15 to 4? The help text indicates that the DoD requirement is 4, and other documentation seems to support this.

--
Ray Shaw (Contractor, STG)
Army Research Laboratory
CISD, Unix Support

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/

--
Shawn Wells
Director, Innovation Programs
[email protected] | 443.534.0130
@shawndwells

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699

-- This account not approved for unencrypted proprietary information --
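Trevor's suggestion above (detect keyboard-walk passwords mathematically from the keyboard layout) and Paul's two test strings prompt the following added example. It is not cracklib's or the SCAP Security Guide's own code; it is a small password-quality check that maps each printable key of an assumed US QWERTY layout to a physical (row, column) position, so a shifted character such as `#` lands on the same key as `3`, and then measures how much of a password consists of runs of neighbouring keys. With the default step of one column it rejects `3456erty#$%^ERTY` and, like cracklib in Paul's test, accepts `3467eryu#$^&ERYU`; allowing one skipped key (`max_step=2`) rejects both. The layout tables, function names and thresholds are all assumptions of this example, and only horizontal runs within a row are modelled.

```python
"""Keyboard-walk detector for password-quality checking.

Added example (not cracklib's or the SSG's own code). It flags passwords
built from runs of physically adjacent keys, treating the shifted form of
a key as the same position, so "3456" and "#$%^" are the same walk.
Assumes a US QWERTY layout; only horizontal runs within a row are modelled.
"""

# Assumed US QWERTY rows. Index i of ROWS[r] and SHIFTED[r] is the same
# physical key, so '#' maps to the same position as '3'.
ROWS = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]
SHIFTED = [
    "~!@#$%^&*()_+",
    "QWERTYUIOP{}|",
    'ASDFGHJKL:"',
    "ZXCVBNM<>?",
]


def _key_positions():
    """Map every printable key, shifted or not, to its (row, column)."""
    pos = {}
    for r, (row, srow) in enumerate(zip(ROWS, SHIFTED)):
        for c, (ch, sch) in enumerate(zip(row, srow)):
            pos[ch] = (r, c)
            pos[sch] = (r, c)
    return pos


KEYPOS = _key_positions()


def same_row_within(a, b, max_step):
    """True if a and b sit on the same key row no more than max_step columns apart.

    max_step=1 catches straight walks like "3456"; max_step=2 also catches
    walks that skip one key, like "3467".
    """
    pa, pb = KEYPOS.get(a), KEYPOS.get(b)
    if pa is None or pb is None:  # characters not on the map (space, non-ASCII) break a run
        return False
    return pa[0] == pb[0] and abs(pa[1] - pb[1]) <= max_step


def walk_runs(password, max_step=1):
    """Lengths of the maximal runs of neighbouring keys in password (a 1 means no walk)."""
    runs = []
    length = 1 if password else 0
    for a, b in zip(password, password[1:]):
        if same_row_within(a, b, max_step):
            length += 1
        else:
            runs.append(length)
            length = 1
    if length:
        runs.append(length)
    return runs


def walk_coverage(password, min_run=4, max_step=1):
    """Fraction of the password made up of keyboard walks of at least min_run keys."""
    if not password:
        return 0.0
    covered = sum(n for n in walk_runs(password, max_step) if n >= min_run)
    return covered / len(password)


def is_keyboard_walk(password, threshold=0.5, min_run=4, max_step=1):
    """Policy decision: reject when at least `threshold` of the characters come from walks."""
    return walk_coverage(password, min_run, max_step) >= threshold


if __name__ == "__main__":
    # The two demonstration strings from the thread (not real passwords).
    for pw in ("3456erty#$%^ERTY", "3467eryu#$^&ERYU"):
        print(pw, "strict:", is_keyboard_walk(pw),
              "skip-one:", is_keyboard_walk(pw, max_step=2))
```

The coverage ratio rather than a single longest run is what makes the check useful as policy: a password with one short walk inside otherwise unrelated material is not penalised, while one assembled entirely from walks is, whichever rows or shift states the walks use. Vertical and diagonal walks (for example the `q`, `a`, `z` column) would need the column relation added to `same_row_within`.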
