This topic tells you how STIG hardening helps you limit account access and defines STIG compliant passwords.
How STIG Limits Account Access
The STIG hardening rpm helps to lock down information, systems, and software, which might otherwise be vulnerable to a malicious computer attack by limiting account access to a system. For example, the STIG rpm:
- Ensures that the account password has a length, complexity, expiration period, and lockout period that are in accordance with DISA best practices.
- Applies auditing and logging of user actions on the host.
Caution: After you run the STIG hardening rpm, the host is converted to Coordinated Universal Time (UTC).
STIG Compliant Passwords
To be STIG compliant, your organization must implement policies that ensure strong passwords.
- Must change user passwords at least every 60 days.
- Must not reuse the last 24 passwords when you reset them.
- Must use SHA-2 family of algorithms or FIPS 140-2 approved algorithms.
- Must employ cryptographic hashes for passwords for the SHA-2 family of algorithms or FIPS 140-2 approved successors. If your organization employs unapproved algorithms, this may result in weak password hashes that are more vulnerable to being compromised.
- Must be 14 characters long.
- Must contain at least one of each of the following characters:
- At least one lower case letter.
- At least one upper case letter.
- At least one number.
- At least one other (non-alphanumeric) character.
- Must not have more than three consecutive characters.
- Must have at least five different characters different from the previous password.
The following password is an example of a STIG compliant password: