Details
An easily guessable password provides an open door to any external or internal malicious intruder. Many computer compromises occur as the result of account name and password guessing. This is generally done by someone with an automated script using repeated logon attempts until the correct account and password pair is guessed. Utilities, such as cracklib, can be used to validate passwords are not dictionary words and meet other criteria during password changes.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required.
As root, log in to the host and ensure the expected settings of the ‘min’ keyword are configured in the /etc/pam.d/passwd file.
# vi /etc/pam.d/passwd
Set the ‘N2’ password complexity field to ‘disabled’, i.e., min=disabled,disabled,disabled,disabled,14
Re-enable Lockdown Mode on the host.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system VMware.
References
- 800-53|CM-6b.
- CAT|II
- CCI|CCI-000366
- Group-ID|V-39418
- Rule-ID|SV-250574r798721_rule
- STIG-ID|GEN000790-ESXI5-000085
- STIG-Legacy|SV-51276
- STIG-Legacy|V-39418
- Vuln-ID|V-250574