SV-100221r1_rule
V-89571
SRG-OS-000072-GPOS-00040
VRAU-SL-000360
CAT I
10
If "difok" was not set at all in /etc/pam.d/common-password-vmware.local then run the following command:
# sed -i '/pam_cracklib.so/ s/$/ difok=8/' /etc/pam.d/common-password-vmware.local
If "difok" was set incorrectly then run the following command to set it to "8":
# sed -i '/pam_cracklib.so/ s/difok=./difok=8/' /etc/pam.d/common-password-vmware.local
Check that at least eight characters need to be changed between old and new passwords during a password change by running the following command:
# grep pam_cracklib /etc/pam.d/common-password-vmware.local
The "difok" parameter indicates how many characters must be different. The DoD requires at least eight characters to be different during a password change. This would appear as "difok=8". If difok is not found or not set to at least "8", this is a finding.
Expected Result:
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=8 retry=3
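The grep check above leaves the comparison to the reader. The following added example (not part of the STIG text) automates it, and also treats a commented-out pam_cracklib.so line or a missing "difok" as a finding. The function names check_difok and write_samples and the sample files are constructed for illustration; on the appliance, point check_difok at /etc/pam.d/common-password-vmware.local.

```shell
#!/bin/sh
# Added example: audit difok on active pam_cracklib.so lines.
# check_difok FILE [MIN] prints a verdict per line; returns 0 if compliant, 1 if a finding.
check_difok() {
    file=$1
    min=${2:-8}
    # Keep only lines whose first non-blank character is not '#'.
    lines=$(grep -E '^[[:space:]]*[^#[:space:]].*pam_cracklib\.so' "$file" 2>/dev/null)
    if [ -z "$lines" ]; then
        echo "FINDING: no active pam_cracklib.so line in $file"
        return 1
    fi
    rc=0
    while IFS= read -r line; do
        # Split the line into tokens and take the value of difok= (last one if repeated).
        val=$(printf '%s\n' "$line" | tr -s '[:space:]' '\n' | sed -n 's/^difok=//p' | tail -n 1)
        case $val in
            '')       echo "FINDING: difok is not set"; rc=1 ;;
            *[!0-9]*) echo "FINDING: difok=$val is not a number"; rc=1 ;;
            *)        if [ "$val" -lt "$min" ]; then
                          echo "FINDING: difok=$val is below $min"; rc=1
                      else
                          echo "OK: difok=$val"
                      fi ;;
        esac
    done <<EOF
$lines
EOF
    return $rc
}

# Constructed sample files for a dry run (not copied from a real appliance).
write_samples() {
    dir=$1
    base='password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14'
    printf '%s difok=8 retry=3\n' "$base" > "$dir/ok"
    printf '%s retry=3\n' "$base" > "$dir/missing"
    printf '%s difok=4 retry=3\n' "$base" > "$dir/low"
    printf '#%s difok=8 retry=3\n' "$base" > "$dir/commented"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in ok missing low commented; do
    printf '%s: ' "$f"
    check_difok "$tmp/$f" || true
done
rm -rf "$tmp"
```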
V-89571
False
VRAU-SL-000360
M
3459