5.4.1 Ensure password creation requirements are configured - ocredit

Information

The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, meets a minimum length, contains a mix of character classes (e.g. alphabetic, numeric, other) and more. The following are definitions of the pam_pwquality.so options.

The following options are set in the /etc/security/pwquality.conf file:

Password Length:

minlen = 14 - the password must be 14 characters or more

Password complexity:

minclass = 4 - The minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others)

OR

dcredit = -1 - provide at least one digit

ucredit = -1 - provide at least one uppercase character

ocredit = -1 - provide at least one special character

lcredit = -1 - provide at least one lowercase character

The following is set in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files:

try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.

retry=3 - Allow 3 tries before sending back a failure.

The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.

Notes:

Settings in /etc/security/pwquality.conf must use spaces around the = symbol.

Additional module options may be set in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files.

Rationale:

Strong passwords and limited attempts before locking an account protect systems from being compromised through brute force methods.

Solution

Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy:

minlen = 14

Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy:

minclass = 4

OR

dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1

Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the appropriate options for pam_pwquality.so and to conform to site policy:

password requisite pam_pwquality.so try_first_pass retry=3
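As an added example (not part of the CIS benchmark or the Tenable audit), the following POSIX shell helper reads a pwquality.conf and a PAM stack file and reports whether they meet the settings listed in the steps above. The function names pwq_get, check_pwquality, check_pam and demo are hypothetical, and the sample files written by demo are constructed so the script runs stand-alone.

```shell
# Added audit helper: checks a pwquality.conf and a PAM stack file against the
# values listed in the Solution section. Not part of the CIS/Tenable audit.
# pwq_get FILE KEY: print the value of the last active "KEY = value" line,
# skipping comments (pwquality itself also lets the last assignment win).
pwq_get() {
    awk -v k="$2" -F'=' '
        /^[[:space:]]*#/ { next }
        {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (key == k) { v = $2; gsub(/[[:space:]]/, "", v); val = v }
        }
        END { if (val != "") print val }' "$1"
}

# check_pwquality FILE: 0 if minlen >= 14 and (minclass >= 4 OR all four
# credit settings are -1 or lower), otherwise 1.
check_pwquality() {
    f="$1"
    minlen=$(pwq_get "$f" minlen)
    [ -n "$minlen" ] && [ "$minlen" -ge 14 ] || return 1
    minclass=$(pwq_get "$f" minclass)
    if [ -n "$minclass" ] && [ "$minclass" -ge 4 ]; then
        return 0
    fi
    for c in dcredit ucredit ocredit lcredit; do
        v=$(pwq_get "$f" "$c")
        [ -n "$v" ] && [ "$v" -le -1 ] || return 1
    done
    return 0
}
# check_pam FILE: 0 if the last active "password requisite pam_pwquality.so"
# line carries both try_first_pass and retry=3, otherwise 1.
check_pam() {
    line=$(grep -E '^[[:space:]]*password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so' "$1" \
           | tail -n 1 | tr -s '[:blank:]' ' ')
    [ -n "$line" ] || return 1
    case " $line " in *" try_first_pass "*) ;; *) return 1 ;; esac
    case " $line " in *" retry=3 "*) return 0 ;; *) return 1 ;; esac
}

# Stand-alone demo on constructed sample files (not the real system files).
demo() {
    d=$(mktemp -d)
    printf 'minlen = 14\nminclass = 4\n' > "$d/pwquality.conf"
    printf 'password requisite pam_pwquality.so try_first_pass retry=3\n' > "$d/system-auth"
    if check_pwquality "$d/pwquality.conf" && check_pam "$d/system-auth"; then echo PASS; else echo FAIL; fi
    rm -rf "$d"
}
demo
```

Point the two check functions at /etc/security/pwquality.conf and at each of /etc/pam.d/password-auth and /etc/pam.d/system-auth to audit a real host; a non-zero return marks the file that deviates from the policy.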

Additional Information:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide

Version 3, Release 4, Benchmark Date: 23 Jul 2021

Vul ID: V-204406

Rule ID: SV-204406r603261_rule

STIG ID: RHEL-07-010119

Severity: CAT II

Vul ID: V-204407

Rule ID: SV-204407r603261_rule

STIG ID: RHEL-07-010120

Severity: CAT II

Vul ID: V-204408

Rule ID: SV-204408r603261_rule

STIG ID: RHEL-07-010130

Severity: CAT II

Vul ID: V-204409

Rule ID: SV-204409r603261_rule

STIG ID: RHEL-07-010140

Severity: CAT II

Vul ID: V-204410

Rule ID: SV-204410r603261_rule

STIG ID: RHEL-07-010150

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(a), CCI|CCI-001619, CSCv7|4.4, Rule-ID|SV-204406r603261_rule, Rule-ID|SV-204407r603261_rule, Rule-ID|SV-204408r603261_rule, Rule-ID|SV-204409r603261_rule, Rule-ID|SV-204410r603261_rule, STIG-ID|RHEL-07-010150

Plugin: Unix

Control ID: f78ea45696131582223b21e11d4d86c84f93e1b64cf567fc6ed4865821f34f3d