5.3.2.3 Ensure pam_pwquality module is enabled

Information

The pam_pwquality.so module performs password quality checking. This module can be plugged into the password stack of a given service to provide strength-checking for passwords. The code was originally based on the pam_cracklib module, and the module is backwards compatible with its options.

The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices.

The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion). All being well, the password is passed on to subsequent modules to be installed as the new authentication token.

Use of unique, complex passwords helps to increase the time and resources required to compromise a password.

Solution

Run the following script to verify the pam_pwquality.so line exists in a pam-auth-update profile:

# grep -P -- '\bpam_pwquality\.so\b' /usr/share/pam-configs/*

Output should be similar to the following (the distribution-shipped profile matches twice, once for its Password: stanza and once for its Password-Initial: stanza):

/usr/share/pam-configs/pwquality: requisite pam_pwquality.so retry=3
/usr/share/pam-configs/pwquality: requisite pam_pwquality.so retry=3

- IF - similar output is returned:

Run the following command to update /etc/pam.d/common-password with the returned profile, where {PROFILE_NAME} is the file name of the profile (the part of the grep output after /usr/share/pam-configs/):

# pam-auth-update --enable {PROFILE_NAME}

Example:

# pam-auth-update --enable pwquality

- IF - similar output is NOT returned:

Create a pam-auth-update profile in /usr/share/pam-configs/ with the following lines:

Name: Pwquality password strength checking
Default: yes
Priority: 1024
Conflicts: cracklib
Password-Type: Primary
Password:
requisite pam_pwquality.so retry=3

Example:

#!/usr/bin/env bash

{
arr=('Name: Pwquality password strength checking' 'Default: yes' 'Priority: 1024' 'Conflicts: cracklib' 'Password-Type: Primary' 'Password:' ' requisite pam_pwquality.so retry=3')
printf '%s\n' "${arr[@]}" > /usr/share/pam-configs/pwquality
}

Run the following command to update /etc/pam.d/common-password with the pwquality profile:

# pam-auth-update --enable pwquality

Note:

- The file name of the profile (not its Name: line) is the argument that must be passed to the pam-auth-update --enable command
- The Name: line should be easily recognizable and understood
- The Priority: line is important, as it affects the order of the lines in the /etc/pam.d/ files
- If a site-specific custom profile is being used in your environment to configure PAM and it already includes the configuration for the pam_pwquality module, enable that profile instead
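The audit-and-remediate steps above, combined into one script. This is an added example for this benchmark item, not CIS or Tenable code. The directory and file paths are parameters with the benchmark's defaults, so the audit and profile-writing functions can be exercised against a scratch directory before being run against the live system; the function names and the --apply switch are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of the CIS benchmark text): audit and remediate the
# pam_pwquality pam-auth-update profile. PAM_CONFIGS_DIR and COMMON_PASSWORD
# default to the real system paths but can be overridden for a dry run.

PAM_CONFIGS_DIR="${PAM_CONFIGS_DIR:-/usr/share/pam-configs}"
COMMON_PASSWORD="${COMMON_PASSWORD:-/etc/pam.d/common-password}"
TAB=$(printf '\t')

# List profile names (file basenames) whose lines load pam_pwquality.so.
# The basename is exactly the argument that pam-auth-update --enable expects.
# The ERE below is the portable equivalent of the benchmark's '\bpam_pwquality\.so\b'.
find_pwquality_profiles() {
    local dir="${1:-$PAM_CONFIGS_DIR}" f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -Eq '(^|[[:space:]])pam_pwquality\.so([[:space:]]|$)' "$f" && basename "$f"
    done
    return 0
}

# Create the profile from the benchmark's remediation. The stanza line is
# tab-indented, like the distribution-shipped profiles in /usr/share/pam-configs.
write_pwquality_profile() {
    local dir="${1:-$PAM_CONFIGS_DIR}"
    printf '%s\n' \
        'Name: Pwquality password strength checking' \
        'Default: yes' \
        'Priority: 1024' \
        'Conflicts: cracklib' \
        'Password-Type: Primary' \
        'Password:' \
        "${TAB}requisite pam_pwquality.so retry=3" \
        > "$dir/pwquality"
}

# Audit the assembled stack: pass only if a "password" line loads
# pam_pwquality.so with a control value that actually blocks weak passwords
# (requisite or required). A profile that exists but is not enabled, or a
# line using "optional", does not satisfy the control.
pwquality_active() {
    local file="${1:-$COMMON_PASSWORD}"
    grep -Eq '^[[:space:]]*password[[:space:]]+(requisite|required)[[:space:]]+pam_pwquality\.so' "$file"
}

# Remediate: enable an existing profile that loads the module, or create the
# benchmark's profile first, then confirm the result in common-password.
# The --enable flag is required; a bare "pam-auth-update pwquality" does not enable anything.
remediate_pwquality() {
    local profile
    profile=$(find_pwquality_profiles | head -n 1)
    if [ -z "$profile" ]; then
        write_pwquality_profile
        profile=pwquality
    fi
    pam-auth-update --enable "$profile"
    if pwquality_active; then
        echo "PASS: pam_pwquality.so is requisite/required in $COMMON_PASSWORD (profile: $profile)"
    else
        echo "FAIL: pam_pwquality.so is not active in $COMMON_PASSWORD" >&2
        return 1
    fi
}

# Only touch the live system when explicitly asked (run as root):
#   sudo ./pwquality-remediate.sh --apply
if [ "${1:-}" = "--apply" ]; then
    remediate_pwquality
fi
```

Run it without arguments to load the functions only; `pwquality_active` on its own is the audit, and `--apply` performs the remediation. The control check in `pwquality_active` is deliberately stricter than the benchmark's grep: the grep proves a profile file mentions the module, while only the line in common-password proves PAM will enforce it.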

See Also

https://workbench.cisecurity.org/benchmarks/18960

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: ed66174ababa253afefc1b0b0256cfef4384a48c4cdf8c94aa3c19a5b1766887