5.4.1 Ensure password creation requirements are configured - lcredit

Information

The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options.
try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.
retry=3 - Allow 3 tries before sending back a failure.
minlen=14 - password must be 14 characters or more
Either of the following can be used to enforce complex passwords:
minclass=4 - provide at least four classes of characters for the new password
OR
dcredit=-1 - provide at least one digit
ucredit=-1 - provide at least one uppercase character
ocredit=-1 - provide at least one special character
lcredit=-1 - provide at least one lowercase character
The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.
Rationale:
Strong passwords protect systems from being hacked through brute force methods.

Solution

Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy:
minlen = 14
Edit the file /etc/security/pwquality.conf and add or modify the following lines for password complexity to conform to site policy:
minclass = 4
OR
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
Run the following to update the system-auth and password-auth files (it adds enforce-for-root and retry=3 to the pam_pwquality.so line of the active authselect profile; the regex backslashes and line breaks are restored here, as the original listing had them stripped):
CP=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/)
for FN in system-auth password-auth; do
  # Use the custom profile copy when one is selected, otherwise the base profile file
  [[ -n $CP ]] && PTF=/etc/authselect/$CP/$FN || PTF=/etc/authselect/$FN
  # Append enforce-for-root if it is not already on the pam_pwquality.so line
  [[ -z $(grep -E '^\s*password\s+requisite\s+pam_pwquality\.so\s+.*enforce-for-root\s*.*$' $PTF) ]] && sed -ri 's/^\s*(password\s+requisite\s+pam_pwquality\.so\s+)(.*)$/\1\2 enforce-for-root/' $PTF
  # Set retry=3, replacing an existing retry= value or appending one
  [[ -n $(grep -E '^\s*password\s+requisite\s+pam_pwquality\.so\s+.*\s+retry=\S+\s*.*$' $PTF) ]] && sed -ri '/pwquality/s/retry=\S+/retry=3/' $PTF || sed -ri 's/^\s*(password\s+requisite\s+pam_pwquality\.so\s+)(.*)$/\1\2 retry=3/' $PTF
done
authselect apply-changes
Notes:
All default authselect profiles have pam_pwquality enabled with the expectation that options will be specified in pwquality.conf.
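As an added audit helper (not part of the CIS benchmark or its remediation script), the following POSIX shell reads a pwquality.conf-style file and reports whether it meets the policy above: minlen of at least 14, and either minclass of at least 4 or all four credit settings at -1 or lower. The file names and sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# Audit helper for the pwquality policy described above (assumed helper, not CIS code).

# Print the effective integer value of KEY in FILE; pam_pwquality applies
# assignments in order, so the last uncommented one wins. Empty if unset.
pwq_get() {
    file="$1"; key="$2"
    sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*(-?[0-9]+).*$/\1/p" "$file" | tail -n 1
}

# Return 0 if FILE satisfies the policy, 1 otherwise; reasons go to stderr.
pwq_audit() {
    file="$1"; ok=0
    minlen=$(pwq_get "$file" minlen)
    minclass=$(pwq_get "$file" minclass)
    d=$(pwq_get "$file" dcredit); u=$(pwq_get "$file" ucredit)
    o=$(pwq_get "$file" ocredit); l=$(pwq_get "$file" lcredit)
    if [ -z "$minlen" ] || [ "$minlen" -lt 14 ]; then
        echo "FAIL: minlen is '${minlen:-unset}', expected >= 14" >&2; ok=1
    fi
    if [ -n "$minclass" ] && [ "$minclass" -ge 4 ]; then
        :   # complexity satisfied via minclass
    elif [ "${d:-0}" -le -1 ] && [ "${u:-0}" -le -1 ] \
         && [ "${o:-0}" -le -1 ] && [ "${l:-0}" -le -1 ]; then
        :   # complexity satisfied via the four credit settings (unset counts as 0)
    else
        echo "FAIL: need minclass >= 4 or dcredit/ucredit/ocredit/lcredit all <= -1" >&2; ok=1
    fi
    return $ok
}

# Constructed sample files (not taken from a real host) to exercise the check.
good=$(mktemp); bad=$(mktemp)
printf 'minlen = 14\ndcredit = -1\nucredit = -1\nocredit = -1\nlcredit = -1\n' > "$good"
printf '# lcredit left unset\nminlen = 14\ndcredit = -1\nucredit = -1\nocredit = -1\n' > "$bad"
pwq_audit "$good" && echo "sample 1: PASS"
pwq_audit "$bad" || echo "sample 2: FAIL (lcredit missing, as expected)"
rm -f "$good" "$bad"
```

Point it at /etc/security/pwquality.conf to audit a live system; a commented-out `# lcredit = -1` line is correctly treated as unset.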

See Also

https://workbench.cisecurity.org/files/2485

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(a)

Plugin: Unix

Control ID: 5b8b785daf2e7a5694c23e238fd3d3e5b4c6e8bb410ca62b6ba325aeacb70150