Check: OL6-00-000058
Oracle Linux 6 STIG:
OL6-00-000058
(in versions v2 r7 through v1 r13)
Title
The system must require passwords to contain at least one special character. (Cat III impact)
Discussion
Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
Check Content
To check how many special characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth The "ocredit" parameter (as a negative number) will indicate how many special characters are required. The DoD requires at least one special character in a password. This would appear as "ocredit=-1". If the “ocredit” parameter is not found or not set to the required value, this is a finding.
Fix Text
The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords.
Additional Identifiers
Rule ID: SV-208833r793618_rule
Vulnerability ID: V-208833
Group Title: SRG-OS-000266
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001619 |
The information system enforces password complexity by the minimum number of special characters used. |
Controls
Number | Title |
---|---|
IA-5 (1) |
Password-Based Authentication |