Check: OL6-00-000059
Oracle Linux 6 STIG:
OL6-00-000059
(in versions v2 r7 through v1 r13)
Title
The system must require passwords to contain at least one lower-case alphabetic character. (Cat III impact)
Discussion
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
Check Content
To check how many lower-case characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth The "lcredit" parameter (as a negative number) will indicate how many lower-case characters are required. The DoD requires at least one lower-case character in a password. This would appear as "lcredit=-1". If the “lcredit” parameter is not found or not set to the required value, this is a finding.
Fix Text
The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lower-case letters in a password. When set to a negative number, any password will be required to contain that many lower-case characters. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "lcredit=-1" after pam_cracklib.so to require use of a lower-case character in passwords.
Additional Identifiers
Rule ID: SV-208834r793619_rule
Vulnerability ID: V-208834
Group Title: SRG-OS-000070
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000193 |
The information system enforces password complexity by the minimum number of lower case characters used. |
Controls
Number | Title |
---|---|
IA-5 (1) |
Password-Based Authentication |