NixOS must enable the use of pwquality.

An XCCDF Rule

Description

If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.

ID: SV-268170r1039398_rule
Version: ANIX-00-001861
Severity: Medium

Remediation Templates

A Manual Procedure

Configure NixOS to check password change attempts against a dictionary.

Add the following Nix code to the NixOS configuration, usually located in /etc/nixos/configuration.nix:

security.pam.services.passwd.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so");
security.pam.services.chpasswd.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so");
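
One way to confirm the result after a rebuild, as an added example that is not part of the STIG text: the function below checks that a PAM service file contains a "password requisite" line for pam_pwquality.so and that it precedes any pam_unix.so password line, since a successful "sufficient" module ends the stack before later lines are evaluated. The function names, the sample stacks and the HASH store path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the STIG): verify a PAM service file.
# Exit status of check_pwquality FILE:
#   0  "password requisite .../pam_pwquality.so" present and ahead of pam_unix.so
#   1  no such line
#   2  line present, but a pam_unix.so password line comes first
check_pwquality() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }            # comments and short lines
        { sub(/^-/, "", $1) }                    # PAM allows a leading "-" on the type
        $1 != "password" { next }
        $2 == "requisite" && $3 ~ /(^|\/)pam_pwquality\.so$/ { if (!pwq) pwq = NR }
        $0 ~ /pam_unix\.so/ { if (!ux) ux = NR }
        END {
            if (!pwq) exit 1
            if (ux && ux < pwq) exit 2
            exit 0
        }
    ' "$1"
}

# report FILE: print a one-line verdict and return the check's status
report() {
    rc=0
    check_pwquality "$1" || rc=$?
    case $rc in
        0) echo "PASS  $1" ;;
        1) echo "FAIL  $1 (pam_pwquality.so not required)" ;;
        2) echo "FAIL  $1 (pam_pwquality.so listed after pam_unix.so)" ;;
    esac
    return "$rc"
}

# Constructed sample stacks; "HASH" stands in for a real Nix store hash.
demo_dir=$(mktemp -d)
pwq='password requisite /nix/store/HASH-libpwquality/lib/security/pam_pwquality.so'
unx='password sufficient pam_unix.so nullok yescrypt'
printf '%s\n' "$pwq" "$unx" > "$demo_dir/passwd"      # order the rule intends
printf '%s\n' "$unx" "$pwq" > "$demo_dir/chpasswd"    # wrong order
for f in "$demo_dir/passwd" "$demo_dir/chpasswd"; do
    report "$f" || true
done
rm -rf "$demo_dir"
```

On a configured system, run report against /etc/pam.d/passwd and /etc/pam.d/chpasswd.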