UCF STIG Viewer Logo

The Photon operating system must enforce password complexity on the root account.


Overview

Finding ID Version Rule ID IA Controls Severity
V-239188 PHTN-67-000117 SV-239188r816676_rule Medium
Description
Password complexity rules must apply to all accounts on the system, including root. Without specifying the enforce_for_root flag, pam_cracklib does not apply complexity rules to the root user. While root users can find ways around this requirement, given its superuser power, it is necessary to attempt to force compliance.
STIG Date
VMware vSphere 6.7 Photon OS Security Technical Implementation Guide 2022-06-17

Details

Check Text ( C-42399r675370_chk )
At the command line, execute the following command:

# grep pam_cracklib /etc/pam.d/system-password|grep --color=always "enforce_for_root"

Expected result:

password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root

If the output does not match the expected result, this is a finding.
Fix Text (F-42358r816675_fix)
Open /etc/applmgmt/appliance/system-password with a text editor.

Comment out any existing "pam_cracklib.so" line and add the following:

password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root

Save and close.