← Back to VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide

V-256541

CAT II (Medium)

The Photon operating system must use the "pam_cracklib" module.

Rule ID

SV-256541r991587_rule

STIG

VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide

Version

V1R4

CCIs

CCI-000366

Discussion

If the operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.

Check Content

At the command line, run the following command:

# grep pam_cracklib /etc/pam.d/system-password

If the output does not return at least "password  requisite   pam_cracklib.so", this is a finding.

Fix Text

Navigate to and open:

/etc/pam.d/system-password

Add the following, replacing any existing "pam_cracklib.so" line:

password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.