4.2 Establish a password policy for password complexity

Information

Require the use of passwords that are not easily guessed and that are difficult for password
generators to determine.

*Rationale*

ESXi uses the pam_passwdqc.so plug-in to set password strength and complexity. It is
important to use passwords that are not easily guessed and that are difficult for password
generators to determine.Note- ESXi imposes no restrictions on the root password. Password strength and
complexity rules only apply to non-root users.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform the following-

1. Login to the ESXi shell as a user with administrator privileges.
2. Open /etc./pam.d/passwd
3. Locate the following line-password requisite /lib/security/$ISA/pam_passwdqc.so retry=N
min=N0,N1,N2,N3,N44. Set N is less than or equal to 5
5. Set N0 to disabled
6. Set N1 to disabled
7. Set N2 to disabled
8. Set N3 to disabled
9. Set N4 to 14 or greaterThis above requires all passwords to be 14 or more characters long and comprised of at
least one character from four distinct character sets. Additionally, a maximum of 5 login
attempts are permitted.

Impact-
Do not create a user named ALL. Privileges associated with the name ALL might not be
available to all users in some situations. For example, if a user named ALL has
Administrator privileges, a user with ReadOnly privileges might be able to log in to the
host remotely. This is not the intended behavior.An uppercase character that begins a password does not count toward the number of
character classes used. A number that ends a password does not count toward the number
of character classes used.

Default Value-The prescribed state is the default state.

See Also

https://workbench.cisecurity.org/files/145

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(a)

Plugin: VMware

Control ID: 757803c28391f22b1cdcf24a1c385809c9fa06f27168f09a5932f630a2f4dc13