The Photon operating system must prevent the use of dictionary words for passwords.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-258853	SRG-OS-000480-GPOS-00225	PHTN-40-000184	SV-258853r991587_rule	2024-07-11	2

Description
If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.

ℹ️ Check
At the command line, run the following command to verify passwords do not match dictionary words: # grep '^password.*pam_pwquality.so' /etc/pam.d/system-password Example result: password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1 If the "dictcheck" option is not set to 1, is missing or commented out, this is a finding.

✔️ Fix
Navigate to and open: /etc/pam.d/system-password Configure the pam_pwquality.so line to have the "dictcheck" option set to "1" as follows: password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1 Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

✔️ Fix

Navigate to and open: /etc/pam.d/system-password Configure the pam_pwquality.so line to have the "dictcheck" option set to "1" as follows: password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1 Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.