4.4.2.3 Ensure pam_pwquality module is enabled

Information

The pam_pwquality.so module performs password quality checking. This module can be plugged into the password stack of a given service to provide strength-checking for passwords. The code was originally based on pam_cracklib module and the module is backwards compatible with its options.

The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices.

The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion). All being well, the password is passed on to subsequent modules to be installed as the new authentication token.

Use of a unique, complex passwords helps to increase the time and resources required to compromise the password.

Solution

Review the authselect profile templates:

Run the following script to verify the pam_pwquality.so lines exist in the active profile templates:

#!/usr/bin/env bash

{
l_module_name="pwquality"
l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
if grep -Pq -- '^custom/' <<< "$l_pam_profile"; then
l_pam_profile_path="/etc/authselect/$l_pam_profile"
else
l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
fi
grep -P -- "bpam_$l_module_name.sob" "$l_pam_profile_path"/{password,system}-auth
}

Example Output with a custom profile named "custom-profile":

/etc/authselect/custom/custom-profile/password-auth:password requisite pam_pwquality.so local_users_only {include if "with-pwquality"}

/etc/authselect/custom/custom-profile/system-auth:password requisite pam_pwquality.so local_users_only {include if "with-pwquality"}

Note: The lines may not include {include if "with-pwquality"}

- IF - the lines shown above are not returned, refer to the Recommendation "Ensure active authselect profile includes pam modules" to update the authselect profile template files to include the pam_pwquality entries before continuing this remediation.

- IF - any of the pam_pwquality lines include {include if "with-pwquality"} run the following command to enable the authselect with-pwquality feature and update the files in /etc/pam.d to include `pam_pwquality:

# authselect enable-feature with-pwquality

- IF - any of the pam_pwquality lines exist without {include if "with-pwquality"} run the following command to update the files in /etc/pam.d to include pam_pwquality.so :

# authselect apply-changes

See Also

https://workbench.cisecurity.org/benchmarks/15289

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 62d87794834e15c99c97b257ab44f2ef344c40a1a3cfad0b934896ea2c476a03