Password Auditing

Password auditing is supported on Windows and Unix systems. The service provides password auditing controls that identify 1) user accounts with empty passwords, 2) user accounts whose password equals the user name, and 3) user accounts whose password matches an entry in a user-defined password dictionary.

Password auditing controls are not included in compliance scans by default. To use this feature, enable the Password Auditing option in a compliance profile and apply that profile to a scan task, as described in the steps below.

About Password Auditing Controls

The service provides these controls for password auditing:

CID 3893 -- This control identifies user accounts with empty passwords.

CID 3894 -- This control identifies user accounts where the password is equal to the user name. For example, when the user name is "Administrator" and the password for the account is also "Administrator".

CID 3895 -- This control identifies user accounts where the password is equal to an entry in the user-defined password dictionary. The dictionary is configured in the compliance profile (see Step 2), so the profile applied to the scan task determines which passwords this control checks for.

Step 1: Accept the Dissolvable Agent (Manager Only)

The Dissolvable Agent (Agent) is installed on Windows devices during a scan to collect the host data that certain scans require, and removes itself completely once the scan is complete. Password Auditing requires that a Manager has accepted the Agent for the subscription. A Manager can accept the Agent (if not already accepted) by going to Setup > Dissolvable Agent and clicking the Accept button.

Step 2: Edit Compliance Profile

Password Auditing controls are not included in compliance scans by default. To enable this scan option, make the following settings in your compliance profile before scanning.

1.    Select Option Profiles from the left menu. Then create or edit a compliance profile.

2.    Navigate to the Control Types section and select Password Auditing. (If this option is disabled, then the Dissolvable Agent has not been accepted for the subscription. See Step 1 above.)

3.    Click Configure to create a password dictionary. The dictionary is used when evaluating control ID 3895, which identifies user accounts whose password equals an entry in the dictionary. Enter up to 100 passwords that are not allowed in your organization, one per line. Each compliance profile can have a different password dictionary.

4.    Click the Save button to save the compliance profile.

How it works: When evaluating control ID 3895, each user account password discovered during the compliance scan is compared to the passwords listed in the password dictionary. If any account's password matches a dictionary entry, the control fails; otherwise it passes.

For additional information see Managing Compliance Profiles.

Step 3: Create Authentication Records

Password Auditing requires successful authentication to each target host. Create Windows and Unix authentication records for the hosts you want to scan for password auditing controls.

For additional information, see Creating Windows Records and Creating Unix Records.

Step 4: Run Compliance Scan

Launch or schedule a compliance scan on the hosts that you want to scan for password auditing controls. Apply a compliance profile with the scan option Password Auditing selected, and optionally a password dictionary defined.

For additional information see Launching Scans and Scheduling Scans.

Step 5: Edit Compliance Policy

Add the 3 password auditing controls (Control IDs 3893, 3894 and 3895) to a compliance policy.

For CIDs 3893 and 3894, the default expected value in the policy is:

[Screenshot: password_auditing_3893_3894.jpg]

This means that the control passes if no user accounts are found to violate the control, and fails if at least one user account is found in violation. For CID 3895, the default expected value in the policy is:

[Screenshot: password_auditing_3895.jpg]

This means that the control passes if no user accounts are found to violate the control, or if the compliance profile used during the scan did not include a password dictionary. The control fails if at least one user account is found in violation. A pass on CID 3895 is therefore only meaningful when the profile applied to the scan actually defined a dictionary; confirm the dictionary before treating the result as evidence that no dictionary passwords are in use.

For additional information see Managing Compliance Policies.

Step 6: Run Compliance Reports

Generate compliance reports to compare the data gathered on your hosts during the compliance scan to the expected values defined in your compliance policy. A password auditing control fails when one or more user accounts are found in violation of the control, and each violating user account is listed in the Actual field of the report.

For additional information see Running Policy Compliance Reports.
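The following Python script is an added example, not Qualys code, showing how the pass/fail rules from Steps 2, 5 and 6 combine for the three controls: the 100-entry dictionary limit, the exact-match comparison, the vacuous pass on CID 3895 when the profile has no dictionary, and the list of violating accounts that the report shows in the Actual field. It assumes the scan has already yielded each account's user name and discovered password (the page does not describe how passwords are recovered), that blank dictionary lines are ignored, and that comparisons are exact and case-sensitive; the account list and dictionary are constructed sample data.

```python
"""Reference evaluator for the three password auditing controls described on this page.

This is an added example, not Qualys code. It assumes the scan has already produced,
for each account, the user name and the discovered password (the page does not say how
passwords are recovered), and applies the pass/fail rules from Steps 2 and 5 to that data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CID_EMPTY_PASSWORD = 3893
CID_PASSWORD_EQUALS_USERNAME = 3894
CID_PASSWORD_IN_DICTIONARY = 3895
MAX_DICTIONARY_ENTRIES = 100  # limit stated in Step 2


@dataclass(frozen=True)
class Account:
    username: str
    password: str  # plaintext as discovered by the scan (assumption, see module docstring)


@dataclass
class ControlResult:
    cid: int
    status: str                                       # "PASS" or "FAIL"
    actual: List[str] = field(default_factory=list)   # violating accounts, i.e. the report's Actual field
    note: str = ""


def load_dictionary(text: str) -> List[str]:
    """Parse a profile's password dictionary: one password per line, at most 100 entries.

    Assumption: blank lines are ignored, so an empty password is reported only under
    CID 3893 and not also as a dictionary match. Entries are compared exactly
    (case-sensitive), following the page's wording "equal to an entry".
    """
    entries = [line for line in text.splitlines() if line != ""]
    if len(entries) > MAX_DICTIONARY_ENTRIES:
        raise ValueError(f"dictionary has {len(entries)} entries; limit is {MAX_DICTIONARY_ENTRIES}")
    return entries


def _result(cid: int, violators: List[str], note: str = "") -> ControlResult:
    # Step 5: a control passes only when no account is found in violation.
    return ControlResult(cid, "FAIL" if violators else "PASS", violators, note)


def evaluate(accounts: List[Account], dictionary: Optional[List[str]] = None) -> Dict[int, ControlResult]:
    """Evaluate CIDs 3893, 3894 and 3895. dictionary=None models a profile with no dictionary."""
    results: Dict[int, ControlResult] = {}

    empty = [a.username for a in accounts if a.password == ""]
    results[CID_EMPTY_PASSWORD] = _result(CID_EMPTY_PASSWORD, empty)

    same_as_name = [a.username for a in accounts if a.password == a.username]
    results[CID_PASSWORD_EQUALS_USERNAME] = _result(CID_PASSWORD_EQUALS_USERNAME, same_as_name)

    if dictionary is None:
        # Step 5: CID 3895 passes when the profile used for the scan had no dictionary.
        # Flag it so the pass is not mistaken for evidence that no dictionary passwords are in use.
        results[CID_PASSWORD_IN_DICTIONARY] = _result(
            CID_PASSWORD_IN_DICTIONARY, [], "no password dictionary in profile; pass is vacuous")
    else:
        banned = set(dictionary)
        in_dictionary = [a.username for a in accounts if a.password in banned]
        results[CID_PASSWORD_IN_DICTIONARY] = _result(CID_PASSWORD_IN_DICTIONARY, in_dictionary)
    return results


# Constructed sample data: what a scan might have discovered on one host.
SAMPLE_ACCOUNTS = [
    Account("Administrator", "Administrator"),  # violates CID 3894
    Account("guest", ""),                       # violates CID 3893
    Account("svc_backup", "Welcome123"),        # violates CID 3895 with the dictionary below
    Account("alice", "correct horse battery staple"),
]
SAMPLE_DICTIONARY_TEXT = "Welcome123\nPassword1\nqwerty\n"  # as typed into the profile, one per line


if __name__ == "__main__":
    results = evaluate(SAMPLE_ACCOUNTS, load_dictionary(SAMPLE_DICTIONARY_TEXT))
    for cid in sorted(results):
        r = results[cid]
        print(f"CID {cid}: {r.status:4}  Actual: {', '.join(r.actual) or '-'}  {r.note}")
```

Running the script with the sample data fails all three controls and names guest, Administrator and svc_backup respectively; calling evaluate with dictionary=None turns the CID 3895 result into a PASS carrying the "vacuous" note, which is the situation Step 5 warns about when a profile without a dictionary is used for the scan.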