
Lumeta 3.3.2 introduces the following set of password controls, which you can enable, disable, or override via the Lumeta API or CLI. These password controls supplement those already in place in earlier releases. See Password Controls in Spectre 3.3.2+ for details.

  1. Set password expiration - You can specify the minimum number of days before a password can be changed again and the maximum number of days before a password must be reset. If a user attempts to change a password before the minimum number of days has elapsed, the message "ERROR: You cannot change your password yet." displays. If the maximum number of days has passed, the user is forced to change his or her password.


  2. Change to account lockout parameters - You can specify the lockout duration in minutes, the number of failed attempts, and the window of time in minutes in which the failed attempts have to occur. For example, the system can be made to lock out the user for 7 days if there are 3 consecutive failed login attempts within 15 minutes.

  3. Change to password reuse rules - Lets you set the number of unique passwords that must be used before a password can be repeated.
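The lockout rule in item 2, worked through as a small simulation so the interaction of the three parameters is visible, including the lockoutWindow = 0 (unbounded window) case described later on this page. This is an added example, not Lumeta's own code: the class and method names are this example's, timestamps are expressed in minutes for readability, and the defaults are the ones the page lists (7 days, 3 attempts, 15 minutes).

```python
"""Simulate Lumeta-style account lockout: lock for lockoutDuration minutes
after lockoutAttempts consecutive failures inside a lockoutWindow-minute
window (lockoutWindow == 0 means the window is unbounded).
Added example, not Lumeta's code; names are this example's own."""
from dataclasses import dataclass, field

# Defaults from the page's PasswordControlParameters table
# (lockoutDuration is 7 days expressed in minutes).
DEFAULTS = {"lockoutDuration": 7 * 24 * 60, "lockoutAttempts": 3, "lockoutWindow": 15}


@dataclass
class LockoutTracker:
    lockout_duration: int = DEFAULTS["lockoutDuration"]   # minutes
    lockout_attempts: int = DEFAULTS["lockoutAttempts"]
    lockout_window: int = DEFAULTS["lockoutWindow"]       # minutes, 0 = infinite
    failures: dict = field(default_factory=dict)      # user -> [failure times]
    locked_until: dict = field(default_factory=dict)  # user -> minute lock expires

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        # Lock has expired: clear it and the failures that caused it.
        del self.locked_until[user]
        self.failures.pop(user, None)
        return False

    def record_attempt(self, user: str, success: bool, now: float) -> str:
        """Return "locked", "rejected" or "accepted" for one login attempt."""
        if self.is_locked(user, now):
            return "locked"   # even a correct password is refused while locked
        if success:
            self.failures.pop(user, None)   # a good login resets the consecutive count
            return "accepted"
        recent = self.failures.setdefault(user, [])
        recent.append(now)
        if self.lockout_window > 0:
            # Sliding window: only failures newer than lockoutWindow minutes count.
            recent[:] = [t for t in recent if now - t < self.lockout_window]
        if len(recent) >= self.lockout_attempts:
            self.locked_until[user] = now + self.lockout_duration
            self.failures.pop(user, None)
            return "locked"
        return "rejected"


if __name__ == "__main__":
    # Constructed sample: three bad passwords within 15 minutes lock alice for 7 days.
    tracker = LockoutTracker()
    for minute in (0, 5, 14):
        print(minute, tracker.record_attempt("alice", False, minute))
    print("locked at minute 15:", tracker.is_locked("alice", 15))
```

Note that with the default window a slow attacker who spaces guesses more than 15 minutes apart never accumulates three failures; setting lockoutWindow to 0 closes that gap at the cost of locking legitimate users whose typos are spread over days.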

You can enable, disable or override these password controls.

Password Controls Enabled

If you simply call system password-controls enable, the following applies:

  • Strict STIG password control settings apply (all 13 parameters)
  • None of the six override parameter values apply; instead, the STIG requirements for those parameters are applied
  • The six override parameter values remain on the system in case the user selects override again

Password Controls Set to Override

If you call system password-controls override, the following applies:

  • These STIG password controls are disabled:
    1. Password expiration
    2. Account lockout parameters
    3. Password reuse
  • The six override parameter values (maxDays, minDays, lockoutDuration, lockoutAttempts, lockoutWindow, remember) are applied.
  • Any of the six override parameters that the user has not specifically set will be initialized with their default values

Password Controls Disabled

If you call system password-controls disable, the following applies:

  • All STIG password controls are disabled and the values are ignored
  • The six override parameter settings are ignored
  • The six override parameter values remain on the system in case the user selects override again

View Password Control Settings

The CLI system password-parameters command without any arguments reports whether override mode is in effect and prints all custom values.

The CLI system password-controls command without any arguments prints enabled, disabled, or override according to the current password control state.

The CLI system password-controls command with the argument enable turns on the full set of password controls with the values required for STIG conformance.

The CLI system password-controls command with the argument override disables the new set of 3.3.2 STIG password settings. It reads a file of custom settings for the parameters Lumeta allows. If any of the settings are missing, their values are set to a known default. For example, if the user has not yet set the password expiration time, it defaults to 30 days.

The CLI system password-controls command with the argument disable turns off all password control options.




When you enable password controls, this is the full set of what is enabled:

  1. Passwords must contain a minimum of 15 characters.
  2. Password must have at least 1 digit, 1 uppercase letter, 1 lowercase letter, and 1 symbol
  3. Password must not repeat a character more than 3 times in a row
  4. New password must change at least 8 characters
  5. Lumeta must not have accounts configured with blank or null passwords.
  6. Password expiration
  7. Account lockout parameters
  8. Password reuse
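Rules 1 to 5 above, implemented as a checker that reports every rule a candidate password breaks. This is an added example and not Lumeta's own validation code: the function name is this example's, and rule 4 ("must change at least 8 characters") is interpreted here as the number of characters in the new password that do not occur in the old one, which is an assumption because the page does not define the comparison.

```python
"""Check a candidate password against the rules that
'system password-controls enable' turns on (items 1 to 5 above).
Added example, not Lumeta's code. Rule 4 is interpreted as the count of
characters in the new password that do not occur in the old one (assumption)."""
import re
from itertools import groupby
from typing import Optional

MIN_LENGTH = 15        # rule 1
MAX_REPEAT = 3         # rule 3: a character may appear at most 3 times in a row
MIN_CHANGED = 8        # rule 4: at least 8 characters must differ from the old password

# rule 2: one of each class is required
CHARACTER_CLASSES = {
    "digit": r"\d",
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "symbol": r"[^A-Za-z0-9]",
}


def password_violations(new: Optional[str], old: str = "") -> list:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    if not new:
        return ["blank or null password"]                     # rule 5
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, new):
            problems.append(f"no {name} character")
    # Longest run of one repeated character, e.g. "aaaa" -> 4.
    longest_run = max(len(list(run)) for _, run in groupby(new))
    if longest_run > MAX_REPEAT:
        problems.append(f"a character repeats {longest_run} times in a row")
    if old:
        changed = sum(1 for c in new if c not in old)
        if changed < MIN_CHANGED:
            problems.append(f"only {changed} character(s) differ from the old password")
    return problems


if __name__ == "__main__":
    # Constructed samples, not real credentials.
    for candidate in ("aaaabbbbcccc", "Correct-Horse-Battery-9"):
        print(candidate, "->", password_violations(candidate) or "ok")
    print(password_violations("Correct-Horse-Battery-8", old="Correct-Horse-Battery-9"))
```

The checker deliberately returns every violation rather than stopping at the first, which is what you want when feeding it a password list to see which rule rejects the most candidates.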

Procedure

To enforce the above-listed password rules:

  1. Log in to the CLI.
  2. Run the command "system password-controls enable"
  3. Exit the CLI.



CLI

The command returns the current state if called without an argument.

system password-controls [ enable | override | disable ]

A new CLI command lets you set any of the password control parameters at once. You can set one at a time, or several or all of them on one line. The command returns the current settings if called without any arguments.

system password-parameters [ maxDays days1 ] [ minDays days2 ] [ lockoutDuration min1 ] [ lockoutAttempts n1 ] [ lockoutWindow min2 ] [ remember n2 ]



If you try to reset your password from the CLI before minDays has elapsed, this message displays:

ERROR: You cannot change your password yet.

API

The existing API, which until now simply enabled and disabled password controls with the STIG-required settings, is extended to accept the value "override".

Method | API Path | Query Parameter | Returns | Notes
GET | /api/rest/management/password/controls | name: enable; values: enable, override, or disable | enable, override, or disable | Without any parameter, returns the current state.


A new API allows changing the parameters as summarized above.

Method | API Path | Payload | Returns | Notes
GET | /api/rest/management/password/parameters | none | PasswordControlParameters object |
POST | /api/rest/management/password/parameters | PasswordControlParameters object | none | For any null attribute, the value will be unchanged


The PasswordControlParameters object has the following fields:

Type | Name | Default | Notes
Integer | maxDays | 30 (days) | must change password after maxDays
Integer | minDays | 1 (day) | cannot change password again until minDays have elapsed
Integer | lockoutDuration | 10080 (7 days, expressed in minutes) | minutes to lock after lockoutAttempts failures in lockoutWindow minutes
Integer | lockoutAttempts | 3 | number of consecutive failures in lockoutWindow minutes before lockout
Integer | lockoutWindow | 15 (minutes) | period of time to count consecutive login failures (0 means infinite window)
Integer | remember | 24 | how many unique passwords before you can reuse one

The default values above have been selected to match the STIG values for those parameters.
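Preparing a POST to the parameters endpoint above, with the "null attribute leaves the value unchanged" rule applied locally so you can see the effective settings, and a check for values more lenient than the STIG defaults (which only take effect once override mode is selected). This is an added example and not Lumeta's own client: the host name is a placeholder, the JSON encoding of the PasswordControlParameters object is assumed, the minDays/maxDays sanity check is this example's addition, and authentication is left out because the page does not describe it.

```python
"""Prepare a POST to /api/rest/management/password/parameters and review the
effective settings before sending. Added example, not Lumeta's client code:
placeholder host, assumed JSON encoding, no authentication (not on the page)."""
import json
import urllib.request

FIELDS = ("maxDays", "minDays", "lockoutDuration",
          "lockoutAttempts", "lockoutWindow", "remember")
# Defaults from the field table above; lockoutDuration is 7 days in minutes.
STIG_DEFAULTS = {"maxDays": 30, "minDays": 1, "lockoutDuration": 7 * 24 * 60,
                 "lockoutAttempts": 3, "lockoutWindow": 15, "remember": 24}


def post_body(payload):
    """Full object for the POST: fields you do not want to change are sent as null."""
    return {name: payload.get(name) for name in FIELDS}


def merge_parameters(current, payload):
    """Apply the API's merge rule locally: a null or omitted attribute keeps
    its current value, so the effective settings can be inspected first."""
    merged = dict(current)
    for name, value in post_body(payload).items():
        if value is None:
            continue
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"{name} must be a non-negative integer")
        merged[name] = value
    # Sanity check this example adds: a forced change (maxDays) must not come
    # due before a change is permitted (minDays).
    if merged["minDays"] > merged["maxDays"]:
        raise ValueError("minDays must not exceed maxDays")
    return merged


def weaker_than_stig(params):
    """Names of parameters set more leniently than the STIG defaults; these
    only take effect in override mode, so review them before switching."""
    weaker = []
    if params["maxDays"] > STIG_DEFAULTS["maxDays"]:
        weaker.append("maxDays")          # passwords live longer
    if params["minDays"] < STIG_DEFAULTS["minDays"]:
        weaker.append("minDays")          # faster cycling back to an old password
    if params["lockoutDuration"] < STIG_DEFAULTS["lockoutDuration"]:
        weaker.append("lockoutDuration")  # shorter lock after a burst of failures
    if params["lockoutAttempts"] > STIG_DEFAULTS["lockoutAttempts"]:
        weaker.append("lockoutAttempts")  # more guesses before locking
    # A larger window counts more failures and 0 means an unbounded window,
    # so only a shorter non-zero window is more lenient.
    if 0 < params["lockoutWindow"] < STIG_DEFAULTS["lockoutWindow"]:
        weaker.append("lockoutWindow")
    if params["remember"] < STIG_DEFAULTS["remember"]:
        weaker.append("remember")         # fewer passwords before reuse
    return weaker


def build_post(base_url, payload):
    """Return the urllib Request for the POST; the caller adds credentials and sends it."""
    body = json.dumps(post_body(payload)).encode()
    req = urllib.request.Request(
        base_url + "/api/rest/management/password/parameters",
        data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    return req


if __name__ == "__main__":
    # In practice, fetch the current object with GET on the same path first.
    current = dict(STIG_DEFAULTS)
    change = {"maxDays": 60, "lockoutWindow": 0}
    effective = merge_parameters(current, change)
    print("effective:", effective)
    print("weaker than STIG:", weaker_than_stig(effective))   # ['maxDays']
    req = build_post("https://lumeta.example", change)
    print(req.get_method(), req.full_url, req.data.decode())
    # urllib.request.urlopen(req) sends it once authentication is added.
```

Sending only the fields you mean to change (everything else null) is safer than re-posting a full object copied from an earlier GET, because a stale copy silently reverts any parameter someone else adjusted in between.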






