CCI-000192

The information system enforces password complexity by the minimum number of upper case characters used.

5 rules found Severity: Medium

6 rules found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Low

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

4 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

CCI-000192

Configure PAMs passwd Module To Implement system-auth Substack When Changing Passwords

Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session

Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters

Ensure PAM Enforces Password Requirements - Enforce for root User

Set Password Strength Minimum Uppercase Characters

Compliance Guardian must provide automated mechanisms for supporting account management functions.

If multifactor authentication is not supported and passwords must be used, the Akamai Luna Portal must enforce password complexity by requiring that at least one upper-case character be used.

If multifactor authentication is not supported and passwords must be used, the DBN-6300 must enforce password complexity by requiring that at least one upper-case character be used.

The FortiGate device must enforce password complexity by requiring that at least one uppercase character be used.

If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one upper-case character be used.

If multifactor authentication is not supported and passwords must be used, the HP FlexFabric Switch must enforce password complexity by requiring that at least one upper-case character be used.

The HYCU server must enforce password complexity by requiring that at least one uppercase character be used.

If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one upper-case character be used.

IBM Aspera Console must enforce password complexity by requiring at least fifteen characters, with at least one upper case letter, one lower case letter, one number, and one symbol.

IBM Aspera Faspex must require password complexity features to be enabled.

IBM Aspera Shares must require password complexity features to be enabled.

The MQ Appliance network device must enforce password complexity by requiring that at least one upper-case character be used.

IBM zVM CA VM:Secure product PASSWORD user exit must be in use.

The Ivanti MobileIron Core server must enforce password complexity by requiring that at least one uppercase character be used.

MobileIron Sentry must enforce password complexity by requiring that at least one upper-case character be used.

The Manager Web app password must be configured as follows: -15 or more characters -at least one lower case letter -at least one upper case letter -at least one number -at least one special character

If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password complexity.

Nutanix AOS must enforce password complexity by requiring that at least one uppercase character be used.

Oracle WebLogic must enforce password complexity by the number of upper-case characters used.

Riverbed Optimization System (RiOS) must enforce password complexity by requiring that at least one upper-case character be used.

The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used.

If DBMS authentication using passwords is employed, MongoDB must enforce the DoD standards for password complexity and lifetime.

If passwords are used for authentication, MongoDB must implement LDAP or Kerberos for authentication to enforce the DoD standards for password complexity and lifetime.

The DBMS must support organizational requirements to enforce minimum password length.

The DBMS must support organizational requirements to prohibit password reuse for the organization-defined number of generations.

The DBMS must support organizational requirements to enforce password complexity by the number of upper-case characters used.

The DBMS must support organizational requirements to enforce password complexity by the number of lower-case characters used.

The DBMS must support organizational requirements to enforce password complexity by the number of numeric characters used.

The DBMS must support organizational requirements to enforce password complexity by the number of special characters used.

The DBMS must support organizational requirements to enforce the number of characters that get changed when passwords are changed.

Procedures for establishing temporary passwords that meet DoD password requirements for new accounts must be defined, documented, and implemented.

The DBMS must enforce password maximum lifetime restrictions.

The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.

The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.

The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character.

If DBMS authentication, using passwords, is employed, EDB Postgres Advanced Server must enforce the DoD standards for password complexity and lifetime.

If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must enforce password complexity by requiring that at least one upper-case character be used.

DBMS authentication using passwords must be avoided.

The Cisco ASA must be configured to enforce password complexity by requiring that at least one uppercase character be used.

For accounts using password authentication, the Cisco ISE must enforce password complexity by requiring that at least one uppercase character be used.

If DBMS authentication, using passwords, is employed, EDB Postgres Advanced Server must enforce the DOD standards for password complexity and lifetime.

The F5 BIG-IP appliance must enforce password complexity by requiring that at least one uppercase character be used.

AIX must enforce password complexity by requiring that at least one upper-case character be used.

The Jamf Pro EMM local accounts must be configured with at least one uppercase character.

Sentry must enforce password complexity by requiring that at least one uppercase character be used.

MKE must be configured to integrate with an Enterprise Identity Provider.

If MarkLogic Server authentication using passwords is employed, MarkLogic Server must enforce the DOD standards for password complexity and lifetime.

The built-in Microsoft password complexity filter must be enabled.

Windows Server 2016 must have the built-in Windows password complexity policy enabled.

ONTAP must enforce password complexity by requiring that at least one uppercase character be used.

The Oracle Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.

The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.

The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character.

If Database Management System (DBMS) authentication using passwords is employed, the DBMS must enforce the DOD standards for password complexity and lifetime.

The Riverbed NetProfiler must configure the local account password to "require mixed case".

If DBMS authentication using passwords is employed, Redis Enterprise DBMS must enforce the DOD standards for password complexity and lifetime.

SLEM 5 must enforce passwords that contain at least one uppercase character.

Splunk Enterprise must enforce password complexity for the account of last resort by requiring that at least one uppercase character be used.

Splunk Enterprise must be configured to enforce password complexity by requiring that at least one uppercase character be used.

The TippingPoint SMS must enforce password complexity by requiring that at least one uppercase character be used.

The macOS system must require passwords contain a minimum of one lowercase character and one uppercase character.

The application must enforce password complexity by requiring that at least one uppercase character be used.

Ubuntu 22.04 LTS must enforce password complexity by requiring at least one uppercase character be used.

The Cisco switch must be configured to enforce password complexity by requiring that at least one uppercase character be used.

The Cisco router must be configured to enforce password complexity by requiring that at least one uppercase character be used.

The Dragos Platform must configure local password policies.

Forescout must enforce password complexity by requiring that at least one uppercase character be used.

AOS must enforce password complexity by requiring that at least one uppercase character be used.

The Juniper router must be configured to enforce password complexity by requiring that at least one uppercase character be used.

For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by setting the password change type to character sets.

For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one uppercase character be used.

If MariaDB authentication, using passwords, is employed, then MariaDB must enforce the DOD standards for password complexity.

If MariaDB authentication using passwords is employed, MariaDB must enforce the DOD standards for password lifetime.

If DBMS authentication using passwords is employed, SQL Server must enforce the DOD standards for password complexity and lifetime.