Before you configure your Security Analytics deployment for STIG hardening, you need to know:
- How STIG hardening limits account access.
- How to define STIG-compliant passwords.
How STIG Limits Account Access
The STIG hardening RPM limits account access to a system, locking down information, systems, and software that might otherwise be vulnerable to a malicious computer attack. For example, the STIG script:
- Ensures that the account password has a length, complexity, expiration period, and lockout period that are in accordance with DISA best practices.
- Applies auditing and logging of user actions on the host.
STIG Compliant Passwords
To be STIG compliant, your organization must implement policies that ensure strong passwords. The policy must meet these requirements:
- Users must change their passwords at least every 60 days.
- A reset password must not reuse any of the last 24 passwords.
- Passwords must be hashed with a SHA-2 family algorithm or a FIPS 140-2 approved successor. Unapproved algorithms can produce weak password hashes that are more vulnerable to compromise.
- Passwords must be 14 characters long.
- Passwords must contain at least one of each of the following character types:
  - A lower case letter.
  - An upper case letter.
  - A number.
  - A non-alphanumeric character.
- Passwords must not contain more than three consecutive repeating characters.
- A new password must differ from the previous password in at least five characters.
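The rules above, implemented as a checker so that a proposed password can be tested before it is set. This is an added example, not code from the Security Analytics STIG RPM; it assumes that "characters different from the previous password" counts the characters of the new password that do not occur in the old one (the pam_pwquality difok interpretation), and it stores the reuse history as salted SHA-512 digests rather than plaintext.

```python
import hashlib
import os

MIN_LENGTH = 14      # must be 14 characters long
MAX_REPEAT = 3       # no more than three consecutive repeating characters
MIN_DIFFERENT = 5    # at least five characters different from the previous password
HISTORY_DEPTH = 24   # the last 24 passwords may not be reused

def hash_password(password, salt):
    """Salted SHA-512 (a SHA-2 family algorithm) digest kept in the password history."""
    return hashlib.sha512(salt + password.encode("utf-8")).hexdigest()

def longest_repeat(password):
    """Length of the longest run of one character repeated consecutively."""
    longest = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        longest = max(longest, run)
        prev = ch
    return longest

def chars_different(new, old):
    """Characters of the new password that do not occur in the old one (difok-style; assumption)."""
    return sum(1 for ch in new if ch not in old)

def check_password(new, previous=None, history=()):
    """Return the list of violated rules; an empty list means the password is compliant.
    history holds (salt, digest) pairs produced by hash_password, oldest first."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in new):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in new):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in new):
        problems.append("no number")
    if not any(not c.isalnum() for c in new):
        problems.append("no non-alphanumeric character")
    if longest_repeat(new) > MAX_REPEAT:
        problems.append("more than %d consecutive repeating characters" % MAX_REPEAT)
    if previous is not None and chars_different(new, previous) < MIN_DIFFERENT:
        problems.append("fewer than %d characters differ from the previous password" % MIN_DIFFERENT)
    if any(hash_password(new, salt) == digest for salt, digest in history[-HISTORY_DEPTH:]):
        problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
    return problems

if __name__ == "__main__":
    # Constructed sample history: earlier passwords kept only as salted digests.
    salt = os.urandom(16)
    history = [(salt, hash_password("Spring-Season!2020", salt))]
    print(check_password("Summer-Season!2020", "Spring-Season!2020", history))  # too similar
    print(check_password("Autumn^Harvest#7731", "Spring-Season!2020", history))  # []
```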
The following password is an example of a STIG compliant password: