
The operating system must enforce maximum password lifetime restrictions.


Overview

Finding ID: SRG-OS-000076-ESXI5-PF
Version: SRG-OS-000076-ESXI5-PF
Rule ID: SRG-OS-000076-ESXI5-PF_rule
IA Controls:
Severity: Medium
Description
Passwords need to be changed at specific policy-based intervals. Any password, no matter how complex, can eventually be cracked. One method of minimizing this risk is to use complex passwords and periodically change them. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that system passwords could be compromised.

Permanent finding: Lockdown mode (required) limits access via the vpxuser proxy. The proxy's password is 32 (randomly selected) characters, SHA1 encrypted, not configurable, and changed every 30 days, or sooner when or if a new host is configured or controlled by the vCenter Server. This password is obfuscated on vCenter.
STIG: VMware ESXi v5 Security Technical Implementation Guide
Date: 2013-01-15

Details

Check Text (C-SRG-OS-000076-ESXI5-PF_chk)
ESXi does not support this requirement. This is a permanent finding.
Fix Text (F-SRG-OS-000076-ESXI5-PF_fix)
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.