I've always thought that the week-long lockouts were also silly.

15 minutes will deter pretty much anyone.

Trevor

On Mon, Jul 27, 2015 at 8:10 AM, Shaw, Ray V CTR USARMY ARL (US) <[email protected]> wrote:

> With the other password complexity requirements, week-long lockouts after
> 3 failed attempts, and changes every 60 days, the requirement is rather
> excessive (and asking for people to not be able to remember their password,
> and we know what that means).
>
> Fortunately, we can use PKI for most things these days...except, ahem, Red
> Hat Satellite Server.
>
> --Ray
>
> -----Original Message-----
> From: [email protected] [mailto:
> [email protected]] On Behalf Of Leam Hall
> Sent: Saturday, July 25, 2015 8:00 PM
> To: SCAP Security Guide <[email protected]>
> Subject: Re: difok value in stig-rhel7-server-upstream profile
>
> No kidding. I know there are smart people at DISA, but the general output
> seems to be from people who don't actually use computers or follow their
> own rules.
>
> Leam
>
> On 07/25/15 19:56, Trevor Vaughan wrote:
> > Interesting. Not looking forward to the backlash on implementing that one.
> >
> > Trevor
> >
> > On Fri, Jul 24, 2015 at 2:56 PM, Shawn Wells <[email protected]
> > <mailto:[email protected]>> wrote:
> >
> >     Unfortunately, DISA now requires that 15 of the characters differ
> >     between passwords.
> >
> >     Ref: https://github.com/OpenSCAP/scap-security-guide/issues/91
> >
> >     Awkwardly citing the same requirement (SRG-OS-000072), of which the
> >     full text is:
> >
> >         The operating system must require the change of at least 15 of
> >         the total number of characters when passwords are changed.
> >
> >         If the operating system allows the user to consecutively reuse
> >         extensive portions of passwords, this increases the chances of
> >         password compromise by increasing the window of opportunity for
> >         attempts at guessing and brute-force attacks.
> >
> >         The number of changed characters refers to the number of changes
> >         required with respect to the total number of positions in the
> >         current password. In other words, characters may be the same
> >         within the two passwords; however, the positions of the like
> >         characters must be different.
> >
> >
> >     On 7/24/15 2:44 PM, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:
> >
> >         The DoD states 50% of the minimum password length, which rounds
> >         up to 8 and coincides with OS-SRG v1r2 (SRG-OS-000072). The SSG
> >         also applies to systems outside the DoD, which may dictate some
> >         initial/default rules.
> >
> >         However, 15 seems to be too high for a default parameter.
> >
> >         Regards,
> >         --
> >         Paul C. Arnold
> >         IT Systems Engineer
> >         Cole Engineering Services, Inc.
> >
> >         ________________________________________
> >         From: [email protected]
> >         <mailto:[email protected]>
> >         [[email protected]
> >         <mailto:[email protected]>] on
> >         behalf of Shaw, Ray V CTR USARMY ARL (US)
> >         [[email protected] <mailto:[email protected]>]
> >         Sent: Friday, July 24, 2015 02:30 PM
> >         To: scap-security-guide
> >         [[email protected]
> >         <mailto:[email protected]>]
> >         Subject: difok value in stig-rhel7-server-upstream profile
> >
> >         RHEL/7/input/profiles/stig-rhel7-server-upstream.xml has the
> >         following:
> >
> >         <refine-value idref="var_password_pam_difok" selector="15" />
> >
> >         Should this be changed from 15 to 4?  The help text indicates
> >         that the DoD requirement is 4, and other documentation seems to
> >         support this.
> >
> >         --
> >         Ray Shaw (Contractor, STG)
> >         Army Research Laboratory
> >         CISD, Unix Support
> >         --
> >         SCAP Security Guide mailing list
> >         [email protected]
> >         <mailto:[email protected]>
> >         https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> >         https://github.com/OpenSCAP/scap-security-guide/
> >
> >
> >     --
> >     Shawn Wells
> >     Director, Innovation Programs
> >     [email protected] <mailto:[email protected]> | 443.534.0130
> >     <tel:443.534.0130>
> >     @shawndwells
> >
> >     --
> >     SCAP Security Guide mailing list
> >     [email protected]
> >     <mailto:[email protected]>
> >     https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> >     https://github.com/OpenSCAP/scap-security-guide/
> >
> > --
> > Trevor Vaughan
> > Vice President, Onyx Point, Inc
> > (410) 541-6699
> >
> > -- This account not approved for unencrypted proprietary information --
> >
> >
>
> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
>
-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699

-- This account not approved for unencrypted proprietary information --
-- 
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
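The thread turns on what "15 characters must differ" actually counts. The SRG-OS-000072 text quoted above describes a positional rule (a character may reappear, but not in the same position), while pam_pwquality's difok is generally understood to count characters of the new password that do not appear in the old one at all. The following is an added example, not code from the SSG project or from anyone on the list; the passwords are constructed, and the pwquality function is a simplified model of the module's behaviour (an assumption, not a copy of libpwquality's code), so use it to reason about the two readings, not as a drop-in reimplementation of the PAM check.

```python
"""Compare two readings of "characters that must differ" between an old and a
new password: the positional reading in the SRG-OS-000072 text versus a
simplified model of the count that pam_pwquality's difok applies.
Added example; the sample passwords below are constructed, not real."""

from typing import Dict


def changed_positions(old: str, new: str) -> int:
    """SRG-OS-000072 reading: number of positions whose character changed.
    A position that exists in only one of the two passwords counts as changed,
    so a longer new password gets credit for every extra character."""
    longest = max(len(old), len(new))
    return sum(
        1
        for i in range(longest)
        if i >= len(old) or i >= len(new) or old[i] != new[i]
    )


def new_chars_not_in_old(old: str, new: str) -> int:
    """Simplified model of the libpwquality difok test (an assumption about
    its behaviour, not a copy of its code): every character of the old
    password that occurs anywhere in the new one is treated as reused,
    regardless of position; the remainder of the new password's length is
    what is compared against difok."""
    reused = sum(1 for c in old if c in new)
    return len(new) - reused


def evaluate(old: str, new: str, difok: int) -> Dict[str, object]:
    """Score one old/new pair under both readings against a difok threshold."""
    positional = changed_positions(old, new)
    fresh = new_chars_not_in_old(old, new)
    return {
        "changed_positions": positional,
        "new_chars_not_in_old": fresh,
        "srg_positional_ok": positional >= difok,
        "pwquality_model_ok": fresh >= difok,
    }


# Constructed sample passwords (not real credentials).
OLD = "Tr0ub4dor&3Gold!"
ROTATED = "Gold!Tr0ub4dor&3"          # same characters, shifted 11 places
REPLACED = "Fresh-Pa55phrase-Zeta7"   # almost nothing in common with OLD

if __name__ == "__main__":
    # Walk both candidates through the 4 and 15 thresholds debated on the list.
    for difok in (4, 15):
        for label, candidate in (("rotated", ROTATED), ("replaced", REPLACED)):
            print(difok, label, evaluate(OLD, candidate, difok))
```

The rotated password is the interesting case: 15 of its 16 positions change, so it satisfies the positional wording of the SRG even at difok=15, yet it contains no character that the old password lacked, so the pwquality-style count is zero and it fails at any difok of 1 or more. The fully replaced password passes both readings at both thresholds. In practice the value the SSG variable var_password_pam_difok feeds into is the `difok` setting in /etc/security/pwquality.conf (or the equivalent pam_pwquality.so module argument), so whatever number is chosen should be verified against the module itself rather than derived from the SRG text alone.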
