RHEL/7/input/profiles/stig-rhel7-server-upstream.xml has the following:
<refine-value idref="var_password_pam_difok" selector="15" />
Should this be changed from 15 to 4? The help text indicates that the DoD requirement is 4, and other documentation seems to support this.
-- Ray Shaw (Contractor, STG) Army Research Laboratory CISD, Unix Support
The DoD states 50% of the minimum password length, which rounds up to 8 and coincides with OS-SRG v1r2 (SRG-OS-000072). The SSG also applies to systems outside the DoD, which may dictate some initial/default rules.
However, 15 seems to be too high for a default parameter.
Regards, -- Paul C. Arnold IT Systems Engineer Cole Engineering Services, Inc.
________________________________________ From: scap-security-guide-bounces@lists.fedorahosted.org [scap-security-guide-bounces@lists.fedorahosted.org] on behalf of Shaw, Ray V CTR USARMY ARL (US) [ray.v.shaw.ctr@mail.mil] Sent: Friday, July 24, 2015 02:30 PM To: scap-security-guide [scap-security-guide@lists.fedorahosted.org] Subject: difok value in stig-rhel7-server-upstream profile
RHEL/7/input/profiles/stig-rhel7-server-upstream.xml has the following:
<refine-value idref="var_password_pam_difok" selector="15" />
Should this be changed from 15 to 4? The help text indicates that the DoD requirement is 4, and other documentation seems to support this.
-- Ray Shaw (Contractor, STG) Army Research Laboratory CISD, Unix Support -- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
Unfortunately, DISA now requires that 15 of the characters differ between passwords.
Ref: https://github.com/OpenSCAP/scap-security-guide/issues/91
Awkwardly citing the same requirement (SRG-OS-000072), of which the full text is:
The operating system must require the change of at least 15 of the total number of characters when passwords are changed.
If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.
The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.
On 7/24/15 2:44 PM, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:
The DoD states 50% of the minimum password length, which rounds up to 8 and coincides with OS-SRG v1r2 (SRG-OS-000072). The SSG also applies to systems outside the DoD, which may dictate some initial/default rules.
However, 15 seems to be too high for a default parameter.
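Added example (not from the thread or the SSG project): the SRG text above defines "changed characters" positionally, so two passwords may share every character as long as the characters sit in different positions, whereas pam_pwquality documents difok as the number of characters in the new password that are not present in the old one. The script below implements both readings side by side, plus Paul's "50% of the minimum length, rounded up" rule, so the effect of a difok of 4, 8 or 15 can be seen on concrete changes. Function names and the sample passwords are constructed for this illustration; the passwords are for demonstration only.

```python
"""Two readings of "difok" discussed in this thread (added example).

Sample passwords are constructed for illustration only.
"""
from math import ceil


def positional_changes(old: str, new: str) -> int:
    """SRG-OS-000072 reading: count positions whose character changed.

    Positions are compared index by index; a position that exists in only
    one of the two passwords also counts as changed. Characters may be
    reused as long as they move to a different position.
    """
    changed = 0
    for i in range(max(len(old), len(new))):
        a = old[i] if i < len(old) else None
        b = new[i] if i < len(new) else None
        if a != b:
            changed += 1
    return changed


def new_chars_absent_from_old(old: str, new: str) -> int:
    """pam_pwquality's documented reading of difok: the number of characters
    in the new password that do not appear anywhere in the old password."""
    old_chars = set(old)
    return sum(1 for c in new if c not in old_chars)


def required_difok(min_length: int) -> int:
    """Paul's rule from the thread: 50% of the minimum length, rounded up."""
    return ceil(min_length / 2)


def check_change(old: str, new: str, difok: int) -> dict:
    """Evaluate one password change against both readings for a given difok."""
    pos = positional_changes(old, new)
    chars = new_chars_absent_from_old(old, new)
    return {
        "positional_changes": pos,
        "new_chars_absent": chars,
        "srg_pass": pos >= difok,
        "pwquality_pass": chars >= difok,
    }


# Constructed demonstration passwords (never use these):
OLD = "Summer2015!Hello"
REARRANGED = "Hello!Summer2015"   # same characters, every position moved
ONE_DIGIT = "Summer2016!Hello"    # a single position changed
FRESH = "Winter2015!Hello"        # four genuinely new characters


if __name__ == "__main__":
    for label, new in (("rearranged", REARRANGED),
                       ("one digit", ONE_DIGIT),
                       ("fresh", FRESH)):
        for difok in (4, required_difok(15), 15):
            print(label, difok, check_change(OLD, new, difok))
```

With a 15-character minimum length, REARRANGED satisfies difok 15 under the SRG's positional definition yet contributes zero new characters under the pam_pwquality definition, which is why the two documents can cite the same requirement and still disagree about the number.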
Interesting. Not looking forward to the backlash on implementing that one.
Trevor
On Fri, Jul 24, 2015 at 2:56 PM, Shawn Wells shawn@redhat.com wrote:
Unfortunately, DISA now requires that 15 of the characters differ between passwords.
Ref: https://github.com/OpenSCAP/scap-security-guide/issues/91
Awkwardly citing the same requirement (SRG-OS-000072), of which the full text is:
The operating system must require the change of at least 15 of the total number of characters when passwords are changed.
If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.
The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.
-- Shawn Wells Director, Innovation Programs shawn@redhat.com | 443.534.0130 @shawndwells
No kidding. I know there are smart people at DISA, but the general output seems to be from people who don't actually use computers or follow their own rules.
Leam
On 07/25/15 19:56, Trevor Vaughan wrote:
Interesting. Not looking forward to the backlash on implementing that one.
Trevor
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699
-- This account not approved for unencrypted proprietary information --
Hmm...thinking about this, did cracklib ever pick up common extended keyboard patterns?
It seems that this could be done relatively easily mathematically based on the password vs keyboard layout.
If not, I'll suggest it to a couple of Universities as a programming project.
Thanks,
Trevor
On Sat, Jul 25, 2015 at 8:00 PM, Leam Hall leamhall@gmail.com wrote:
No kidding. I know there are smart people at DISA, but the general output seems to be from people who don't actually use computers or follow their own rules.
Leam
Trevor, regarding cracklib: partially, at least in my testing.
(These are for demonstration -- do not use these patterned passwords)
For example, this would be picked up as 'BAD PASSWORD: it is too simplistic/systematic' by cracklib (RHEL6):
3456erty#$%^ERTY
But this would not:
3467eryu#$^&ERYU
However, there is a maxsequence parameter that cracklib can take that I have not tested; perhaps that would increase this capability.
Regards,
-- Paul C. Arnold IT Systems Engineer Cole Engineering Services, Inc.
From: scap-security-guide-bounces@lists.fedorahosted.org [scap-security-guide-bounces@lists.fedorahosted.org] on behalf of Trevor Vaughan [tvaughan@onyxpoint.com] Sent: Saturday, July 25, 2015 08:22 PM To: SCAP Security Guide Subject: Re: difok value in stig-rhel7-server-upstream profile
Hmm...thinking about this, did cracklib ever pick up common extended keyboard patterns?
It seems that this could be done relatively easily mathematically based on the password vs keyboard layout.
If not, I'll suggest it to a couple of Universities as a programming project.
Thanks,
Trevor
The issue, of course, comes in remembering these fun passwords after you create them.
Maxsequence helps some but not much with standard keyboard patterns from what I can tell.
Trevor
On Sun, Jul 26, 2015 at 10:30 AM, Arnold, Paul C CTR USARMY PEO STRI (US) <paul.c.arnold4.ctr@mail.mil> wrote:
Trevor, regarding cracklib: partially, at least in my testing.
(These are for demonstration -- do not use these patterned passwords)
For example, this would be picked up as 'BAD PASSWORD: it is too simplistic/systematic' by cracklib (RHEL6):
3456erty#$%^ERTY
But this would not:
3467eryu#$^&ERYU
However, there is a maxsequence parameter that cracklib can take that I have not tested; perhaps that would increase this capability.
Regards,
Paul C. Arnold IT Systems Engineer Cole Engineering Services, Inc.
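Added example (not from the thread, cracklib or the SSG project) of the layout-based check Trevor proposes and Paul's test results: a strict adjacency test flags "3456erty#$%^ERTY" but not "3467eryu#$^&ERYU", because the second walk skips every other key. Scoring each pair of neighbouring characters by its column distance on the same physical row, and allowing a distance of up to two, rates both strings identically. The QWERTY row table, the function names, the threshold and the random-looking comparison password are assumptions made for this illustration; the two patterned strings are Paul's demonstration values and should never be used as real passwords.

```python
"""Keyboard-walk scoring for a password quality check (added example)."""

# US QWERTY legends per physical row, unshifted and shifted (assumed layout table).
_ROWS = [
    ("`1234567890-=", "~!@#$%^&*()_+"),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
    ("asdfghjkl;'", "ASDFGHJKL:\""),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]


def _key_positions():
    """Map every legend to its (row, column); shifted legends share the column."""
    pos = {}
    for row, legends in enumerate(_ROWS):
        for legend in legends:
            for col, ch in enumerate(legend):
                pos[ch] = (row, col)
    return pos


KEY_POS = _key_positions()


def _same_row_hop(a, b, max_step):
    """True if a and b are distinct keys on the same row within max_step columns."""
    pa, pb = KEY_POS.get(a), KEY_POS.get(b)
    return (pa is not None and pb is not None and pa[0] == pb[0]
            and 0 < abs(pa[1] - pb[1]) <= max_step)


def longest_walk(password, max_step=1):
    """Longest run of consecutive same-row hops.

    With max_step=1 this is a strict adjacency test, which is what catches
    "3456erty" but lets "3467eryu" through.
    """
    if not password:
        return 0
    best = run = 1
    for a, b in zip(password, password[1:]):
        if _same_row_hop(a, b, max_step):
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def keyboard_walk_score(password, max_step=2):
    """Fraction of neighbouring character pairs that are short same-row hops.

    Allowing a hop of two columns treats a skip-one walk (3467, eryu) like a
    plain walk, so the score measures how much of the password is laid out
    on the keyboard rather than whether it is strictly sequential.
    """
    if len(password) < 2:
        return 0.0
    hops = sum(1 for a, b in zip(password, password[1:])
               if _same_row_hop(a, b, max_step))
    return hops / (len(password) - 1)


def looks_like_keyboard_walk(password, threshold=0.5):
    """Reject when at least `threshold` of the pairs are keyboard hops (assumed cut-off)."""
    return keyboard_walk_score(password) >= threshold


if __name__ == "__main__":
    # Paul's two demonstration strings plus a constructed comparison value.
    for pw in ("3456erty#$%^ERTY", "3467eryu#$^&ERYU", "k7Qz!mW2pL"):
        print(pw, longest_walk(pw), round(keyboard_walk_score(pw), 3),
              looks_like_keyboard_walk(pw))
```

Twelve of the fifteen pairs in each of Paul's strings are same-row hops of at most two columns, so both score 0.8 against a threshold of 0.5, while the comparison string scores 0.0; a run-length check like maxsequence only sees the difference between a run of four and a run of two. The row table covers one layout, so a deployment would want tables for the keyboards its users actually have.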
With the other password complexity requirements, week-long lockouts after 3 failed attempts, and changes every 60 days, the requirement is rather excessive (and asking for people to not be able to remember their password, and we know what that means).
Fortunately, we can use PKI for most things these days...except, ahem, Red Hat Satellite Server.
--Ray
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Leam Hall Sent: Saturday, July 25, 2015 8:00 PM To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: Re: difok value in stig-rhel7-server-upstream profile
No kidding. I know there are smart people at DISA, but the general output seems to be from people who don't actually use computers or follow their own rules.
Leam
I've always thought that the week long lockouts were also silly.
15 minutes will deter pretty much anyone.
Trevor
On Mon, Jul 27, 2015 at 8:10 AM, Shaw, Ray V CTR USARMY ARL (US) <ray.v.shaw.ctr@mail.mil> wrote:
With the other password complexity requirements, week-long lockouts after 3 failed attempts, and changes every 60 days, the requirement is rather excessive (and asking for people to not be able to remember their password, and we know what that means).
Fortunately, we can use PKI for most things these days...except, ahem, Red Hat Satellite Server.
--Ray
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto: scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Leam Hall Sent: Saturday, July 25, 2015 8:00 PM To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: Re: difok value in stig-rhel7-server-upstream profile
No kidding. I know there are smart people at DISA, but the general output seems to be from people who don't actually use computers or follow their own rules.
Leam
On 07/25/15 19:56, Trevor Vaughan wrote:
Interesting. Not looking forward to the backlash on implementing that
one.
Trevor
On Fri, Jul 24, 2015 at 2:56 PM, Shawn Wells <shawn@redhat.com mailto:shawn@redhat.com> wrote:
Unfortunately, DISA now requires that 15 of the characters differ between passwords.
Ref: https://github.com/OpenSCAP/scap-security-guide/issues/91
Awkwardly citing the same requirement (SRG-OS-000072), of which the full text is:
The operating system must require the change of at least 15 of the total number of characters when passwords are changed.
If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.
The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.
On 7/24/15 2:44 PM, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:
The DoD states 50% of the minimum password length, which rounds up to 8 and coincides with OS-SRG v1r2 (SRG-OS-000072). The SSG also applies to systems outside the DoD, which may dictate some initial/default rules.
However, 15 seems to be too high for a default parameter.
Regards,
-- Paul C. Arnold IT Systems Engineer Cole Engineering Services, Inc.
________________________________________
From: scap-security-guide-bounces@lists.fedorahosted.org [scap-security-guide-bounces@lists.fedorahosted.org] on behalf of Shaw, Ray V CTR USARMY ARL (US) [ray.v.shaw.ctr@mail.mil]
Sent: Friday, July 24, 2015 02:30 PM
To: scap-security-guide [scap-security-guide@lists.fedorahosted.org]
Subject: difok value in stig-rhel7-server-upstream profile
RHEL/7/input/profiles/stig-rhel7-server-upstream.xml has the following:
<refine-value idref="var_password_pam_difok" selector="15" />
Should this be changed from 15 to 4? The help text indicates that the DoD requirement is 4, and other documentation seems to support this.
-- Ray Shaw (Contractor, STG) Army Research Laboratory CISD, Unix Support
-- Shawn Wells Director, Innovation Programs shawn@redhat.com | 443.534.0130 @shawndwells
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
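To make the SRG-OS-000072 wording quoted above concrete, here is an added Python example (written for this page; it is not SSG or libpwquality code and does not claim to reproduce how pam_pwquality evaluates difok). It counts changed characters positionally, as the SRG text defines them, and checks candidate passwords against both readings in the thread: difok=15 and the "50% of the minimum length, rounded up" reading that gives 8. The function names, the sample passwords, and the treatment of passwords of unequal length are assumptions made for the example.

```python
"""SRG-OS-000072 'changed characters' check, as quoted in this thread.

Added illustration, not SSG or libpwquality code. It implements only the
positional definition quoted from the SRG text: a character reused at a
different position counts as changed. Function names and sample passwords
are constructed for this example.
"""
from dataclasses import dataclass


def changed_positions(old: str, new: str) -> int:
    """Count positions of the current (old) password whose character differs
    in the new password.

    The SRG text measures changes 'with respect to the total number of
    positions in the current password', so the loop runs over the old
    password's positions. Assumption (not stated in the SRG text): a position
    that no longer exists because the new password is shorter counts as
    changed; extra trailing characters of a longer new password are not
    counted.
    """
    return sum(1 for i, c in enumerate(old) if i >= len(new) or new[i] != c)


def half_minimum_length(min_len: int) -> int:
    """The '50% of the minimum password length, rounded up' reading.

    With the 15-character minimum discussed in the thread this gives 8.
    """
    return -(-min_len // 2)  # ceiling division without float rounding


@dataclass(frozen=True)
class Verdict:
    changed: int
    required: int

    @property
    def ok(self) -> bool:
        return self.changed >= self.required


def check_difok(old: str, new: str, difok: int) -> Verdict:
    """Compare a candidate against the current password for a given difok."""
    return Verdict(changed=changed_positions(old, new), required=difok)


if __name__ == "__main__":
    # Constructed sample passwords; all are 15 characters long.
    current = "Correct-Horse-1"
    candidates = {
        "last character bumped": "Correct-Horse-2",
        "words swapped (same characters, new positions)": "Horse-Correct-1",
        "entirely different": "Batt3ry.Stapl3!",
    }
    for difok in (15, half_minimum_length(15)):
        print(f"difok={difok}")
        for label, cand in candidates.items():
            v = check_difok(current, cand, difok)
            print(f"  {'PASS' if v.ok else 'FAIL'} changed={v.changed:2d}  {label}")
```

Running it shows why the two readings matter: swapping the two words of a 15-character password changes 10 positions, which satisfies a threshold of 8 but not 15, while difok=15 on a 15-character minimum effectively requires every position to change.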
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699
-- This account not approved for unencrypted proprietary information
I concur, Trevor.
Shawn, et al: The RHEL7_STIG_REQUIREMENTS.xlsx spreadsheet on the SSG wiki (https://github.com/OpenSCAP/scap-security-guide/wiki/RHEL7-STIG-Settings-Rev...) has deltas compared to the DoD CIO resource for CCIs. After a quick comparison, it appears the only delta that affects security posture is CCI-000195, with the rest being title differences (ISSM, ISSO, SCA, etc.) or deprecated/re-numbered CCIs.
Regardless, I will be sure to reference the XLSX when making contributions in the future.
Regards,
-- Paul C. Arnold IT Systems Engineer Cole Engineering Services, Inc.
From: scap-security-guide-bounces@lists.fedorahosted.org [scap-security-guide-bounces@lists.fedorahosted.org] on behalf of Trevor Vaughan [tvaughan@onyxpoint.com] Sent: Saturday, July 25, 2015 07:56 PM To: SCAP Security Guide Subject: Re: difok value in stig-rhel7-server-upstream profile
Interesting. Not looking forward to the backlash on implementing that one.
Trevor
On Fri, Jul 24, 2015 at 2:56 PM, Shawn Wells shawn@redhat.com wrote:
Unfortunately, DISA now requires that 15 of the characters differ between passwords.
Ref: https://github.com/OpenSCAP/scap-security-guide/issues/91
Awkwardly citing the same requirement (SRG-OS-000072), of which the full text is:
The operating system must require the change of at least 15 of the total number of characters when passwords are changed.
If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.
The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.
On 7/24/15 2:44 PM, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:
The DoD states 50% of the minimum password length, which rounds up to 8 and coincides with OS-SRG v1r2 (SRG-OS-000072). The SSG also applies to systems outside the DoD, which may dictate some initial/default rules.
However, 15 seems to be too high for a default parameter.
Regards, -- Paul C. Arnold IT Systems Engineer Cole Engineering Services, Inc.
________________________________________
From: scap-security-guide-bounces@lists.fedorahosted.org [scap-security-guide-bounces@lists.fedorahosted.org] on behalf of Shaw, Ray V CTR USARMY ARL (US) [ray.v.shaw.ctr@mail.mil]
Sent: Friday, July 24, 2015 02:30 PM
To: scap-security-guide [scap-security-guide@lists.fedorahosted.org]
Subject: difok value in stig-rhel7-server-upstream profile
RHEL/7/input/profiles/stig-rhel7-server-upstream.xml has the following:
<refine-value idref="var_password_pam_difok" selector="15" />
Should this be changed from 15 to 4? The help text indicates that the DoD requirement is 4, and other documentation seems to support this.
-- Ray Shaw (Contractor, STG) Army Research Laboratory CISD, Unix Support