Set Password Minimum Length in login.defs

An XCCDF Rule

Description

To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MIN_LEN

The DoD requirement is 15. The FISMA requirement is 12. The profile requirement is . If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements.

Rationale

Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.

ID: xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
Severity: Medium
References: BP28(R18)

1 12 15 16 5

5.6.2.1

DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10

3.5.7

CCI-000205

4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4

SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1

0421 0422 0431 0974 1173 1401 1504 1505 1546 1557 1558 1559 1560 1561

A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3

CM-6(a) IA-5(1)(a) IA-5(f)

PR.AC-1 PR.AC-6 PR.AC-7

SRG-OS-000078-GPOS-00046
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.6.2.1
  - NIST-800-171-3.5.7  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(f)
  - accounts_password_minlen_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_accounts_password_minlen_login_defs # promote to variable
  set_fact:
    var_accounts_password_minlen_login_defs: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/>
  tags:
    - always

- name: Set Password Minimum Length in login.defs
  lineinfile:
    dest: /etc/login.defs
    regexp: ^PASS_MIN_LEN *[0-9]*
    state: present
    line: PASS_MIN_LEN        {{ var_accounts_password_minlen_login_defs }}
    create: true
  when: '"shadow-utils" in ansible_facts.packages'
  tags:
  - CJIS-5.6.2.1
  - NIST-800-171-3.5.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(f)
  - accounts_password_minlen_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then

var_accounts_password_minlen_login_defs='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/>'

# Strip any search characters in the key arg so that the key can be replaced without# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^PASS_MIN_LEN")

# shellcheck disable=SC2059
printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_password_minlen_login_defs"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^PASS_MIN_LEN\\>" "/etc/login.defs"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^PASS_MIN_LEN\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
else
    if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/login.defs"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Set Password Minimum Length in login.defs

Description

Rationale

Remediation - Ansible

Remediation - Shell Script