How aggressive? A good example is USGCB's requirement of a complex, 12-character-minimum password changed every 60 days or less. That's ambitious, especially for the government, which was known for simple, 6-character passwords just a decade ago.
I always recommend that my private clients look to the USGCB as a security model when considering what they should set as their corporate policies. If your password policy doesn't dictate 12-character passwords, ask yourself why the USGCB would require it. Could it be that all the password attack experts involved in creating the standard, including the participants from NIST and the NSA, did the math and figured out that 12-character minimums were necessary to withstand general attacks?
Notably, the USGCB standard applies only to normal, unclassified security systems. Higher-security systems actually require much stricter standards, including strong smart cards instead of solely passwords.
The USGCB's new Red Hat Linux Desktop standards are only in alpha release, but their 258 settings should be seriously considered by people in charge of implementing basic security on Linux/Unix/BSD systems (bearing in mind, of course, that settings specific to a Red Hat desktop may not apply to your OS or computer roles).
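To make the password figures above concrete on a Red Hat-style host, here is an added example (my own script, not part of the original column and not a USGCB-supplied check) that audits the local login.defs and pwquality.conf settings against a 12-character minimum, a 60-day maximum age, and "complex" interpreted as at least one character from each of the four classes; the file paths, that interpretation and the constructed sample values are assumptions.

```shell
#!/bin/sh
# Added example: audit local password settings against the baseline quoted
# in the column (12-char minimum, rotation <= 60 days, complexity).
# Assumptions: stock Red Hat paths; "complex" = all four classes required,
# which pwquality expresses as a NEGATIVE credit value per class.

# usgcb_password_audit [LOGIN_DEFS] [PWQUALITY_CONF]
# Prints one FAIL line per shortfall; returns 0 when all settings comply.
usgcb_password_audit() {
    login_defs=${1:-/etc/login.defs}
    pwq=${2:-/etc/security/pwquality.conf}
    fail=0
    # PASS_MAX_DAYS sets forced rotation for new accounts; missing -> 0 -> FAIL.
    max_days=$(awk '$1=="PASS_MAX_DAYS"{v=$2} END{print v+0}' "$login_defs")
    if [ "$max_days" -le 0 ] || [ "$max_days" -gt 60 ]; then
        echo "FAIL PASS_MAX_DAYS=$max_days (baseline: 1..60)"; fail=1
    fi
    # pwquality keys are "key = value"; commented defaults ("# minlen = 8")
    # do not match because $1 would start with '#'.
    minlen=$(awk -F= '$1 ~ /^[ \t]*minlen[ \t]*$/ {gsub(/[ \t]/,"",$2); v=$2}
                      END{print v+0}' "$pwq")
    if [ "$minlen" -lt 12 ]; then
        echo "FAIL minlen=$minlen (baseline: >= 12)"; fail=1
    fi
    # A positive credit only REWARDS a class (the common misreading);
    # a negative value is what makes that class mandatory.
    for cls in dcredit ucredit lcredit ocredit; do
        val=$(awk -F= -v k="$cls" '$1 ~ "^[ \t]*" k "[ \t]*$" {
                  gsub(/[ \t]/,"",$2); v=$2} END{print v+0}' "$pwq")
        if [ "$val" -ge 0 ]; then
            echo "FAIL $cls=$val (baseline: negative, i.e. class required)"; fail=1
        fi
    done
    return $fail
}

# Constructed sample host with weak settings, so the audit runs offline.
demo_weak_host() {
    d=$(mktemp -d)
    printf 'PASS_MAX_DAYS\t90\nPASS_MIN_LEN\t6\n' > "$d/login.defs"
    printf '# minlen = 8\nminlen = 8\ndcredit = 1\n' > "$d/pwquality.conf"
    usgcb_password_audit "$d/login.defs" "$d/pwquality.conf"
}
```

Run `demo_weak_host` to see six findings (age, length and all four classes); pass no arguments to audit the real host, where a non-zero exit means at least one setting falls short.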
Now, when will NIST develop the Apple-specific USGCB standards? These devices are, after all, showing up more and more and being connected to corporate environments and data.
This story, "Feds finally extend security baseline to Red Hat Linux," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.