Information
Password complexity can be set through:
- minclass - The minimum number of character classes required in a new password (digits, uppercase, lowercase, others). e.g. minclass = 4 requires digits, uppercase, lowercase, and special characters.
- dcredit - The maximum credit for having digits in the new password. If less than 0 it is the minimum number of digits in the new password. e.g. dcredit = -1 requires at least one digit.
- ucredit - The maximum credit for having uppercase characters in the new password. If less than 0 it is the minimum number of uppercase characters in the new password. e.g. ucredit = -1 requires at least one uppercase character.
- ocredit - The maximum credit for having other characters in the new password. If less than 0 it is the minimum number of other characters in the new password. e.g. ocredit = -1 requires at least one special character.
- lcredit - The maximum credit for having lowercase characters in the new password. If less than 0 it is the minimum number of lowercase characters in the new password. e.g. lcredit = -1 requires at least one lowercase character.
Strong passwords protect systems from being hacked through brute force methods.
Solution
Edit /etc/security/pwquality.conf and add or modify the following lines to set password complexity:
minclass = 4
--AND/OR--
dcredit = <N>
ucredit = <N>
ocredit = <N>
lcredit = <N>
Example:
# printf '\n%s\n' "minclass = 4" >> /etc/security/pwquality.conf
--AND/OR--
# printf '%s\n' "dcredit = -1" "ucredit = -1" "ocredit = -1" "lcredit = -1" >> /etc/security/pwquality.conf
Run the following script to remove any minclass, dcredit, ucredit, lcredit, and ocredit settings from the pam_pwquality.so module lines in the PAM files, so that the values in pwquality.conf are the ones applied:
#!/usr/bin/env bash
{
   # Strip each complexity option from the pam_pwquality.so password line
   # of both PAM files; the rest of the line is left unchanged.
   for l_pam_file in system-auth password-auth; do
      sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+minclass\s*=\s*\S+)(.*$)/\1\4/' /etc/pam.d/"$l_pam_file"
      sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+dcredit\s*=\s*\S+)(.*$)/\1\4/' /etc/pam.d/"$l_pam_file"
      sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+ucredit\s*=\s*\S+)(.*$)/\1\4/' /etc/pam.d/"$l_pam_file"
      sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+lcredit\s*=\s*\S+)(.*$)/\1\4/' /etc/pam.d/"$l_pam_file"
      sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+ocredit\s*=\s*\S+)(.*$)/\1\4/' /etc/pam.d/"$l_pam_file"
   done
}
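To verify the result of the steps above, the following added example (not part of the benchmark text) checks a pwquality.conf-style file against the two accepted settings and lists any complexity options still present on a pam_pwquality.so line. The function names and the sample files are constructed for illustration, and it assumes that when an option is repeated in the file the last occurrence wins.

```sh
#!/bin/sh
# Added audit example; file paths are arguments so it can be run on copies.

# pwq_get OPTION FILE: print the effective integer value of OPTION.
# Comments are stripped; assumption: the last occurrence of an option wins.
pwq_get() {
    awk -F= -v k="$1" '
        { sub(/#.*/, "") }
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == k && val ~ /^-?[0-9]+$/ { v = val }
        END { if (v != "") print v }' "$2"
}

# pwq_complexity_ok FILE: return 0 when FILE sets minclass = 4, or sets all
# four credits to -1 or lower (the two options given in the Solution).
pwq_complexity_ok() {
    pc_min=$(pwq_get minclass "$1")
    if [ "${pc_min:-0}" -ge 4 ]; then return 0; fi
    for pc_opt in dcredit ucredit ocredit lcredit; do
        pc_val=$(pwq_get "$pc_opt" "$1")
        if [ "${pc_val:-0}" -gt -1 ]; then return 1; fi
    done
    return 0
}

# pam_overrides FILE: print complexity options still set as pam_pwquality.so
# arguments; module arguments take precedence over pwquality.conf.
pam_overrides() {
    grep -E '^[[:space:]]*password[[:space:]]+(requisite|required|sufficient)[[:space:]]+pam_pwquality\.so' "$1" |
        grep -Eo '(minclass|[dulo]credit)[[:space:]]*=[[:space:]]*[^[:space:]]+'
}

# Demo on constructed sample files (nothing is read from /etc).
demo_dir=$(mktemp -d)
printf '%s\n' '# minclass = 4' 'dcredit = -1' 'ucredit = -1' \
    'ocredit = -1' 'lcredit = 0' > "$demo_dir/pwquality.conf"
printf '%s\n' \
    'password  requisite   pam_pwquality.so try_first_pass minclass=2 dcredit=0' \
    'password  sufficient  pam_unix.so sha512 shadow use_authtok' > "$demo_dir/system-auth"

if pwq_complexity_ok "$demo_dir/pwquality.conf"; then
    echo "pwquality.conf: PASS"
else
    echo "pwquality.conf: FAIL"   # lcredit = 0 leaves lowercase optional
fi
echo "PAM overrides found: $(pam_overrides "$demo_dir/system-auth" | tr '\n' ' ')"
rm -rf "$demo_dir"
```

On a live system, pass /etc/security/pwquality.conf to pwq_complexity_ok and each of /etc/pam.d/system-auth and /etc/pam.d/password-auth to pam_overrides; any output from the latter means the removal script still needs to be run.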