Ensure PAM Enforces Password Requirements - Enforce for root User
An XCCDF Rule
Description
The pam_pwquality module's enforce_for_root
parameter controls requirements for
enforcing password complexity for the root user. Enable the enforce_for_root
setting in /etc/security/pwquality.conf
to require the root
user
to use complex passwords.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
- ID
- xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
if [ -e "/etc/security/pwquality.conf" ] ; then
LC_ALL=C sed -i "/^\s*enforce_for_root/Id" "/etc/security/pwquality.conf"
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)