Set Password Minimum Length in login.defs
An XCCDF Rule
Description
To specify password length requirements for new accounts, edit the file
/etc/login.defs
and add or correct the following line:
PASS_MIN_LEN
The DoD requirement is
15
.
The FISMA requirement is 12
.
The profile requirement is
.
If a program consults /etc/login.defs
and also another PAM module
(such as pam_pwquality
) during a password change operation, then
the most restrictive must be satisfied. See PAM section for more
information about enforcing password quality requirements.
Rationale
Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.
- ID
- xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CJIS-5.6.2.1
- DISA-STIG-OL08-00-020231
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then
var_accounts_password_minlen_login_defs='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/>'
# Strip any search characters in the key arg so that the key can be replaced without