-
Notifications
You must be signed in to change notification settings - Fork 670
/
rule.yml
56 lines (47 loc) · 2.2 KB
/
rule.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
documentation_complete: true
title: 'Set Password Minimum Length in login.defs'
description: |-
To specify password length requirements for new accounts, edit the file
<tt>/etc/login.defs</tt> and add or correct the following line:
<pre>PASS_MIN_LEN {{{ xccdf_value("var_accounts_password_minlen_login_defs") }}}</pre>
<br /><br />
The DoD requirement is <tt>15</tt>.
The FISMA requirement is <tt>12</tt>.
The profile requirement is
<tt>{{{ xccdf_value("var_accounts_password_minlen_login_defs") }}}</tt>.
If a program consults <tt>/etc/login.defs</tt> and also another PAM module
(such as <tt>pam_pwquality</tt>) during a password change operation, then
the most restrictive must be satisfied. See PAM section for more
information about enforcing password quality requirements.
rationale: |-
Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
search space. However, any security benefit from an onerous requirement
must be carefully weighed against usability problems, support costs, or counterproductive
behavior that may result.
severity: medium
identifiers:
cce@rhel7: CCE-82049-8
cce@rhel8: CCE-80652-1
references:
cjis: 5.6.2.1
cui: 3.5.7
nist: IA-5(f),IA-5(1)(a),CM-6(a)
nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
ospp: FMT_MOF_EXT.1
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
srg: SRG-OS-000078-GPOS-00046
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
stigid@rhel8: RHEL-08-020231
anssi: BP28(R18)
disa: CCI-000205
ocil_clause: 'it is not set to the required value'
ocil: |-
To check the minimum password length, run the command:
<pre>$ grep PASS_MIN_LEN /etc/login.defs</pre>
The DoD requirement is <tt>15</tt>.
platform: login_defs