Detections
Analytics
5.4.1 Ensure password creation requirements are configured
Information
The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options.The following options are set in the /etc/security/pwquality.conf file:
Password Length:
- minlen = 14 - password must be 14 characters or more
Password complexity:
-
minclass = 4 - The minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others)
OR
-
dcredit = -1 - provide at least one digit
-
ucredit = -1 - provide at least one uppercase character
-
ocredit = -1 - provide at least one special character
-
lcredit = -1 - provide at least one lowercase character
The following is set in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files
- try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.
- retry=3 - Allow 3 tries before sending back a failure.
The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.
Notes:
- Settings in /etc/security/pwquality.conf must use spaces around the = symbol.
- Additional modules options may be set in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files
Strong passwords and limited attempts before locking an account protect systems from being hacked through brute force methods.
Solution
Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policyminlen = 14
Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy
minclass = 4
OR
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the appropriate options for pam_pwquality.so and to conform to site policy:
password requisite pam_pwquality.so try_first_pass retry=3
See Also
Item Details
Audit Name: CIS Amazon Linux 2 STIG v2.0.0 L1 Server
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-5(1), CAT|II, CSCv7|4.4, Rule-ID|SV-204406r603261_rule, Rule-ID|SV-204407r603261_rule, Rule-ID|SV-204408r603261_rule, Rule-ID|SV-204409r603261_rule, Rule-ID|SV-204410r603261_rule, STIG-ID|RHEL-07-010119, STIG-ID|RHEL-07-010120, STIG-ID|RHEL-07-010130, STIG-ID|RHEL-07-010140, STIG-ID|RHEL-07-010150, Vuln-ID|V-204406, Vuln-ID|V-204407, Vuln-ID|V-204408, Vuln-ID|V-204409, Vuln-ID|V-204410
Plugin: Unix
Control ID: 95665e27467e81e660036f8fbb83d4719807682d9c83fa2ca774d1551609898f