I had noticed that the RHEL6 SSG and RHEL6 STIG both require checking
/etc/login.defs for the password minimum length parameter 'PASS_MIN_LEN'.
This differs from the RHEL5 STIG, which requires it to be configured via
the 'minlen' parameter for cracklib.so within /etc/pam.d/system-auth.
Furthermore, the RHEL5 manpage indicates that the enforcement of
/etc/login.defs, as it relates to passwords, is deprecated. However, this is
not indicated in the same manpage in RHEL6.
"Much of the functionality that used to be provided by the shadow password
suite is now handled by PAM. Thus, /etc/login.defs is no longer used by
programs such as: login(1), passwd(1), su(1). Please refer to the corresponding
PAM configuration files instead."
So I decided to test this to see if RHEL6 is actually enforcing the
'PASS_MIN_LEN' parameter in /etc/login.defs, and it is not. I have it set to 14
and I was able to configure a password with 12 characters.
So shouldn't this be changed to reflect how this is configured in RHEL5, or am
I missing something?
Best regards,
Trey Henefield, CISSP
Senior IAVA Engineer
Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA
[email protected]
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450
www.ultra-ats.com
Disclaimer
The information contained in this communication from
[email protected] sent at 2014-02-26 10:22:15 is confidential and
may be legally privileged.
It is intended solely for use by [email protected] and
others authorized to receive it. If you are not
[email protected] you are hereby notified that
any disclosure, copying, distribution or taking action in reliance of the
contents of this information is strictly prohibited and may be unlawful.
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
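The mismatch described in the post can be checked from both sides with a small script. The following is an added example, not code from the post or from the SSG project; the file contents it reads are constructed samples, and the field names (PASS_MIN_LEN, the pam_cracklib.so minlen argument) are the ones the post discusses.

```shell
#!/bin/sh
# Added example (not from the original post or the SSG project): report the
# password minimum length from both places a RHEL 5/6 STIG check can look,
# /etc/login.defs (PASS_MIN_LEN) and the pam_cracklib.so 'minlen' argument in
# /etc/pam.d/system-auth. On RHEL6 only the PAM setting is enforced by
# passwd(1), so a compliant PASS_MIN_LEN without a matching minlen is a finding.

# PASS_MIN_LEN value from a login.defs-style file (comment lines ignored).
login_defs_minlen() {
    awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print v }' "$1"
}

# minlen=N from the active (uncommented) pam_cracklib.so line of a
# system-auth-style file; prints an empty line when it is not set.
pam_cracklib_minlen() {
    awk '$0 !~ /^[ \t]*#/ && /pam_cracklib\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^minlen=/) { sub(/^minlen=/, "", $i); v = $i }
         } END { print v }' "$1"
}

# Verdict for a required minimum: PASS only if the PAM setting (the one that
# is actually enforced) meets the requirement; otherwise FAIL with the reason.
check_minlen() {   # usage: check_minlen LOGIN_DEFS SYSTEM_AUTH REQUIRED
    defs=$(login_defs_minlen "$1"); pam=$(pam_cracklib_minlen "$2"); req=$3
    if [ -z "$pam" ]; then
        echo "FAIL: pam_cracklib minlen not set (PASS_MIN_LEN=${defs:-unset} is not enforced by PAM)"
    elif [ "$pam" -lt "$req" ]; then
        echo "FAIL: pam_cracklib minlen=$pam is below required $req"
    else
        echo "PASS: pam_cracklib minlen=$pam meets required $req"
    fi
}

# Constructed sample files mirroring the situation in the post:
# PASS_MIN_LEN is 14, but system-auth carries no minlen argument.
TMP=$(mktemp -d)
printf '# Password aging controls\nPASS_MAX_DAYS\t60\nPASS_MIN_LEN\t14\n' > "$TMP/login.defs"
printf 'password    requisite     pam_cracklib.so try_first_pass retry=3\npassword    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok\n' > "$TMP/system-auth"
printf 'password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1\n' > "$TMP/system-auth.fixed"

check_minlen "$TMP/login.defs" "$TMP/system-auth" 14        # FAIL: minlen not set
check_minlen "$TMP/login.defs" "$TMP/system-auth.fixed" 14  # PASS
```

Run it against the real files by passing /etc/login.defs and /etc/pam.d/system-auth instead of the samples.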