Lumeta 3.3.2 introduces the following set of password controls that you can enable, disable, or override via the Lumeta API or CLI. These password controls supplement those already in place in earlier releases. See Password Controls in Spectre 3.3.2+ for details.
- Set password expiration - User can specify the minimum number of days before a password can be changed and the maximum number of days before a password must be reset. If a user attempts to change a password before the minimum number of days has elapsed, the message "ERROR: You cannot change your password yet." displays. If the maximum number of days has passed, the user is forced to change his or her password.
- Change to account lockout parameters - User can specify the lockout duration in minutes, the number of failed attempts, and the window of time in minutes in which the failed attempts have to occur. For example, the system can be made to lock out the user for 7 days if there are 3 consecutive failed login attempts within 15 minutes.
- Change to password reuse rules - Allows user to set the number of unique passwords before being allowed to repeat a password.
You can enable, disable or override these password controls.
Password Controls Enabled | Password Controls Set to Override | Password Controls Disabled | View Password Control Settings |
---|---|---|---|
If you simply call system password-controls enable, the following applies: | If you call system password-controls override, the following applies: | If you call system password-controls disable, the following applies: | The CLI |
The CLI system password-controls command with the argument enable will turn on the full set of password controls with the values required for STIG conformance. | The CLI system password-controls command with the argument override will disable the new set of 3.3.2 STIG password settings. It will read a file of custom settings for the parameters Lumeta allows. If any of the settings are missing, their values will be set to a known default. For example, if the user hasn't yet set the password expiration time, it will default to 30 days. | The CLI system password-controls command with the argument disable will turn off all password control options. | |
When you enable password controls, this is the full set of what is enabled:
Procedure: To enforce the above-listed password rules:
CLI
The command returns the current state if called without an argument.
system password-controls [ enable | override | disable ]
A new CLI will allow you to set any of the password control parameters at once. You can set one at a time, or you can set a few or all of them on one line. The command returns the current settings if called without any arguments.
system password-parameters [ maxDays days1 ] [ minDays days2 ] [ lockoutDuration min1 ] [ lockoutAttempts n1 ] [ lockoutWindow min2 ] [ remember n2 ]
If you try to reset your password from the CLI too soon, this message displays: "ERROR: You cannot change your password yet."
API
The previous API, which currently simply enables and disables password controls with STIG-required settings, will be modified to allow a value of "override."
Method | API Path | Query Parameter | Returns | Notes |
---|---|---|---|---|
GET | /api/rest/management/password/controls | name: enable; values: enable \| override \| disable | enable \| override \| disable | Without any parameter, returns current state. |
A new API allows changing the parameters as summarized above.
Method | API Path | Payload | Returns | Notes |
---|---|---|---|---|
GET | /api/rest/management/password/parameters | none | PasswordControlParameters object | |
POST | /api/rest/management/password/parameters | PasswordControlParameters object | none | For any null attribute, the value will be unchanged |
The PasswordControlParameters object has the following fields:
Type | Name | Default | Notes |
---|---|---|---|
Integer | maxDays | 30 days | must change password after maxDays |
Integer | minDays | 1 day | cannot change password again until minDays have elapsed |
Integer | lockoutDuration | 7 days (expressed in minutes) | minutes to lock after lockoutAttempts failures in lockoutWindow minutes |
Integer | lockoutAttempts | 3 | number of consecutive failures in lockoutWindow minutes before lockout |
Integer | lockoutWindow | 15 minutes | period of time to count consecutive login failures (0 means infinite window) |
Integer | remember | 24 | how many unique passwords before you can reuse |
The default values above have been selected to match the STIG values for those parameters.
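As an added example, not Lumeta's own code, the following Python helper parses a GET response for the parameters API, flags any parameter set more permissively than the STIG defaults in the table above, and builds the POST body with null for every field that should stay unchanged. The sample response body is constructed, and the field names and defaults are taken from the table.

```python
import json

# STIG-aligned defaults from the PasswordControlParameters table above (7 days in minutes).
STIG_DEFAULTS = {
    "maxDays": 30, "minDays": 1, "lockoutDuration": 7 * 24 * 60,
    "lockoutAttempts": 3, "lockoutWindow": 15, "remember": 24,
}

# Constructed sample body of a GET .../password/parameters response (not real output).
SAMPLE_RESPONSE = json.dumps({
    "maxDays": 90, "minDays": 1, "lockoutDuration": 30,
    "lockoutAttempts": 5, "lockoutWindow": 0, "remember": 24,
})

def parse_parameters(text):
    """Parse a GET response body and require every documented field to be present."""
    obj = json.loads(text)
    missing = [n for n in STIG_DEFAULTS if n not in obj]
    if missing:
        raise ValueError(f"response missing fields: {missing}")
    return {n: int(obj[n]) for n in STIG_DEFAULTS}

def build_payload(**changes):
    """POST body: untouched fields are sent as null, which the API leaves unchanged."""
    unknown = set(changes) - set(STIG_DEFAULTS)
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    return {n: changes.get(n) for n in STIG_DEFAULTS}

def apply_update(current, payload):
    """Local model of the POST semantics: a null attribute keeps the current value."""
    return {n: current[n] if payload.get(n) is None else payload[n] for n in STIG_DEFAULTS}

def weaker_than_stig(params):
    """Names of parameters set more permissively than the STIG default."""
    d = STIG_DEFAULTS
    checks = {
        "maxDays": params["maxDays"] > d["maxDays"],
        "minDays": params["minDays"] < d["minDays"],
        "lockoutDuration": params["lockoutDuration"] < d["lockoutDuration"],
        "lockoutAttempts": params["lockoutAttempts"] > d["lockoutAttempts"],
        # lockoutWindow 0 is an infinite window (stricter), so only 1..14 counts as weak
        "lockoutWindow": 0 < params["lockoutWindow"] < d["lockoutWindow"],
        "remember": params["remember"] < d["remember"],
    }
    return [n for n, weak in checks.items() if weak]

def remediation_payload(params):
    """POST body that resets each weak parameter to its STIG default and nulls the rest."""
    return build_payload(**{n: STIG_DEFAULTS[n] for n in weaker_than_stig(params)})
```

Sending the remediation body to POST /api/rest/management/password/parameters corrects only the flagged fields, because the API leaves null attributes unchanged.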