Check: GEN000790
AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE:
GEN000790
(in versions v1 r14 through v1 r10)
Title
The system must prevent the use of dictionary words for passwords. (Cat II impact)
Discussion
An easily guessable password provides an open door to any external or internal malicious intruder. Many computer compromises occur as the result of account name and password guessing. This is generally done by someone with an automated script using repeated logon attempts until the correct account and password pair is guessed. Utilities, such as cracklib, can be used to validate that passwords are not dictionary words and meet other criteria during password changes.
Check Content
Procedure: #lsuser -a dictionlist ALL If the dictionlist is blank or not listed, the system is not checking against a dictionary of words that are not to be used for passwords. This is a finding.
Fix Text
Install the default dictionary of words from the 'bos.data' fileset with smitty or installp. # smitty installp #installp bos.data Customize or modify the dictionary in /usr/share/dict/words as necessary. #vi /usr/share/dict/words Add a dictionary list to /etc/security/user file with the chsec command. #chsec -f /etc/security/user -s default -a dictionlist=/usr/share/dict/words
Additional Identifiers
Rule ID: SV-38678r1_rule
Vulnerability ID: V-22307
Group Title: GEN000790
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000189 |
The organization employs automated tools to determine if authenticators are sufficiently strong to resist attacks intended to discover or otherwise compromise the authenticators. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |