4.4.2.2.7 Ensure password dictionary check is enabled

Information

The pwquality dictcheck option sets whether to check for the words from the cracklib dictionary.

If the operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.

Solution

Edit /etc/security/pwquality.conf and comment out or remove any instance of dictcheck = 0 :

Example:

# sed -ri 's/^s*dictchecks*=/# &/' /etc/security/pwquality.conf

Run the following script to remove setting dictcheck on the pam_pwquality.so module in the PAM files:

#!/usr/bin/env bash

{
for l_pam_file in system-auth password-auth; do
sed -ri 's/(^s*passwords+(requisite|required|sufficient)s+pam_pwquality.so.*)(s+dictchecks*=s*S+)(.*$)/14/' /etc/pam.d/"$l_pam_file"
done
}

See Also

https://workbench.cisecurity.org/benchmarks/15962

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: fe29e362d32dfa441b04b0064877b0be8f85c278bc81ef39d78e4fd7cc6f77bf