CCI-000195

The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.

4 rules found Severity: Medium

6 rules found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

CCI-000195

Ensure PAM Enforces Password Requirements - Minimum Different Characters

Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class

Set Password Maximum Consecutive Repeating Characters

Ensure PAM Enforces Password Requirements - Minimum Different Categories

Ensure PAM Enforces Password Requirements - Enforce for root User

Set Password Strength Minimum Different Characters

Compliance Guardian must provide automated mechanisms for supporting account management functions.

If multifactor authentication is not supported and passwords must be used, the CA API Gateway must require that when a password is changed, the characters are changed in at least 8 of the positions within the password.

The FortiGate device must require that when a password is changed, the characters are changed in at least eight of the positions within the password.

The HYCU server must require that when a password is changed, the characters are changed in at least eight of the positions within the password.

IBM zVM CA VM:Secure product PASSWORD user exit must be in use.

If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password complexity.

Nutanix AOS must require the change of at least 50 percent of the total number of characters when passwords are changed.

Nutanix AOS must require the change of at least four character classes when passwords are changed.

Nutanix AOS must require the maximum number of repeating characters be limited to three when passwords are changed.

Nutanix AOS must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.

Riverbed Optimization System (RiOS) must require that when a password is changed, the characters are changed in at least 15 of the positions within the password.

Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts.

The Ubuntu operating system must require the change of at least 8 characters when passwords are changed.

The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed.

The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed.

The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters.

The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.

If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must require that when a password is changed, the characters are changed in at least eight (8) of the positions within the password.

Apple iOS/iPadOS 17 must be configured to not allow passwords that include more than four repeating or sequential characters.

The Cisco ASA must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password.

The F5 BIG-IP appliance must require that when a password is changed, the characters are changed in at least eight of the positions within the password.

AIX must require the change of at least 50% of the total number of characters when passwords are changed.

The Juniper EX switch must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password.

MKE must be configured to integrate with an Enterprise Identity Provider.

The Oracle Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed.

The Oracle Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed.

The Oracle Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters.

The Oracle Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.

The Riverbed NetProfiler must be configured to enforce a minimum 15-character password length.

SLEM 5 must require the change of at least eight of the total number of characters when passwords are changed.

Samsung Android must be configured to not allow passwords that include more than four repeating or sequential characters.

The application must require the change of at least eight of the total number of characters when passwords are changed.

Ubuntu 22.04 LTS must require the change of at least eight characters when passwords are changed.

The Cisco switch must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password.

The Cisco router must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password.

Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.

Forescout must require that when a password is changed, the characters are changed in at least eight of the positions within the password.

AOS must require that when a password is changed, the characters are changed in at least eight of the positions within the password.

The DBMS must support organizational requirements to enforce the number of characters that get changed when passwords are changed.

Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.

OL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.

OL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.

OL 8 must require the change of at least four character classes when passwords are changed.

OL 8 must require the change of at least eight characters when passwords are changed.

OpenShift must use FIPS validated LDAP or OpenIDConnect.

If multifactor authentication is not available and passwords must be used, the Palo Alto Networks security platform must require that when a password is changed, the characters are changed in at least 8 of the positions within the password.

RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.

RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.

RHEL 8 must require the change of at least four character classes when passwords are changed.

RHEL 8 must require the change of at least 8 characters when passwords are changed.

RHEL 9 must enforce password complexity rules for the root account.

RHEL 9 must require the change of at least eight characters when passwords are changed.

RHEL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.

RHEL 9 must require the maximum number of repeating characters be limited to three when passwords are changed.

RHEL 9 must require the change of at least four character classes when passwords are changed.

The SUSE operating system must require the change of at least eight (8) of the total number of characters when passwords are changed.

The SUSE operating system must require the change of at least eight of the total number of characters when passwords are changed.

The system must require at least eight characters be changed between the old and new passwords during a password change.

The NSX Manager must require that when a password is changed, the characters are changed in at least eight of the positions within the password.

The ESXi host must be configured with a sufficiently complex password policy.

The ESXi host must enforce password complexity by configuring a password quality policy.

The Photon operating system must require that new passwords are at least four characters different from the old password.

The Photon operating system must require the change of at least eight characters when passwords are changed.

Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.