In addition to the changes I made (outlined just below), I noticed that there is no rule for the minlen parameter for cracklib. Should I add a new rule, modeled on its neighbors?
I'm open to wording corrections. I noticed that the latest draft STIG is also incorrect with regard to maxrepeat (it shares identical wording).
- Maura Dailey
Maura Dailey (1): Some corrections to the PAM cracklib guidance as follows: corrected the pam_cracklib.so line to include all discussed parameters and edited them to contain plausible values (ucredit was set to 0 for some reason), corrected the maxrepeat description to match other rules (it incorrectly suggested that a brand new line be inserted, and also gave an incorrect line insertion location as it referred to lines that do not exist by default), and added a suggestion to add a cracklib line if one does not exist
RHEL6/input/system/accounts/pam.xml | 11 ++++++-----
1 files changed, 6 insertions(+), 5 deletions(-)

Signed-off-by: Maura Dailey <maura@eclipse.ncsc.mil>
---
RHEL6/input/system/accounts/pam.xml | 11 ++++++-----
1 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml index 98dd568..f754743 100644 --- a/RHEL6/input/system/accounts/pam.xml +++ b/RHEL6/input/system/accounts/pam.xml @@ -107,7 +107,8 @@ character, lowercase character, digit, and other (special) character, locate the following line in <tt>/etc/pam.d/system-auth</tt>: <pre>password requisite pam_cracklib.so try_first_pass retry=3</pre> and then alter it to read: -<pre>password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0</pre> +<pre>password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4</pre> +If no such line exists, add one as the first line of the password section in <tt>/etc/pam.d/system-auth</tt>. The arguments can be modified to ensure compliance with your organization's security policy. Discussion of each parameter follows. </description> 
@@ -250,14 +251,14 @@ is different from account lockout, which is provided by the pam_faillock module. <Rule id="password_require_consecrepeat"> <title>Set Password to Maximum of Three Consecutive Repeating Characters</title> <description>The pam_cracklib module's <tt>maxrepeat</tt> parameter controls requirements for -consecutive repeating characters. Edit the <tt>/etc/pam.d/system-auth</tt> file to include the following -line prior to the <tt>password include system-auth</tt> line: -<pre>password required pam_cracklib.so maxrepeat=3</pre> +consecutive repeating characters. When set to a positive number, it will reject passwords +which contain more than that number of consecutive characters. Add <tt>maxrepeat=3</tt> +after pam_cracklib.so to prevent a run of four or more identical characters. </description> <ocil clause="maxrepeat is not found or not set to the required value"> To check the maximum value for consecutive repeating characters, run the following command: <pre>$ grep pam_cracklib /etc/pam.d/system-auth</pre> -Look for the value of the <tt>maxrepeat</tt> parameter. The DoD requirement is 3. +Look for the value of the <tt>maxrepeat</tt> parameter. The DoD requirement is 3. </ocil> <rationale> Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
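Review bot: in the first hunk the altered line uses the control flag `required` while the line the reader is told to locate (`password requisite pam_cracklib.so try_first_pass retry=3`) uses `requisite`, and nothing in the hunk explains the switch; either write `password requisite pam_cracklib.so ...` in the altered line so the reader changes only the arguments, or add a sentence stating why `required` is intended. The new sentence telling the reader to add the line as the first line of the password section if none exists is a good addition and should stay.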
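Review bot: in the second hunk the new description says maxrepeat rejects passwords "which contain more than that number of consecutive characters"; without the word "identical" this reads as rejecting any password longer than three characters. Suggested wording: "which contain a run of more than that number of identical consecutive characters", which also matches the following sentence about "a run of four or more identical characters". In addition, the final `-`/`+` pair ("Look for the value of the <tt>maxrepeat</tt> parameter. The DoD requirement is 3.") shows no visible textual change and appears to be whitespace-only; drop it so the diff contains only the intended edits.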
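The pam_cracklib line this patch installs, worked as an added example (written for this review, not code from the guide or from the thread): it parses the parameters from a constructed system-auth the way the rule's OCIL grep would find them, then models the minlen/credit and maxrepeat semantics described in the two hunks against sample passwords. The scoring is a model of pam_cracklib's documented behaviour, not the module's own code, and the sample file content is constructed.

```python
import re

# Constructed sample of the password stack after the patch is applied.
SYSTEM_AUTH = """\
password    required      pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
"""

# Character classes behind each *credit parameter: (label, predicate).
CLASSES = {
    "dcredit": ("digit", str.isdigit),
    "ucredit": ("uppercase", str.isupper),
    "lcredit": ("lowercase", str.islower),
    "ocredit": ("other", lambda c: not c.isalnum()),
}

def cracklib_params(system_auth):
    """Return {param: int} from the password-stack pam_cracklib.so line, i.e.
    what the rule's OCIL 'grep pam_cracklib /etc/pam.d/system-auth' inspects."""
    for line in system_auth.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "password" and f[2] == "pam_cracklib.so":
            return {k: int(v) for k, v in (a.split("=", 1) for a in f[3:] if "=" in a)}
    raise ValueError("no pam_cracklib.so line in the password stack")

def check(password, p):
    """Model pam_cracklib's minlen/credit and maxrepeat rules (defaults: minlen=9,
    each credit=1, maxrepeat=0 meaning off) and return a list of failure reasons.
    The extra +1 the man page mentions when credits are enabled is ignored here."""
    fails = []
    # A credit N >= 0 adds up to N to the length score for that class;
    # a negative value instead demands at least |N| characters of the class.
    score = len(password)
    for name, (label, pred) in CLASSES.items():
        n = sum(1 for c in password if pred(c))
        credit = p.get(name, 1)
        if credit >= 0:
            score += min(n, credit)
        elif n < -credit:
            fails.append(f"needs at least {-credit} {label} character(s)")
    minlen = p.get("minlen", 9)
    if score < minlen:
        fails.append(f"length score {score} below minlen {minlen}")
    # maxrepeat=N rejects a run of MORE than N identical consecutive characters,
    # so maxrepeat=3 allows 'aaa' but rejects 'aaaa'.
    maxrepeat = p.get("maxrepeat", 0)
    if maxrepeat > 0 and re.search(r"(.)\1{%d,}" % maxrepeat, password):
        fails.append(f"more than {maxrepeat} identical consecutive characters")
    return fails
```

Running `check(pw, cracklib_params(SYSTEM_AUTH))` on a candidate shows which of the patched values rejects it, which is a quick way to sanity-check the chosen numbers before the line is pushed to systems.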
Yes -- please push these corrections. It should eventually get picked up in a STIG update, too.
Is the minlen needed here at all, or is the setting in login.defs (discussed elsewhere in the guide) adequate?
On 06/18/2013 04:31 PM, Maura Dailey wrote:
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
It's my understanding that the setting in login.defs is for local system accounts. The advantage of a separate setting for pam_cracklib is that it will apply to remote accounts stored in LDAP, for example.
On 06/24/2013 01:26 PM, Jeffrey Blank wrote: