Ensure PAM Enforces Password Requirements - Enforce for root User

An XCCDF Rule

Description

The pam_pwquality module's enforce_for_root parameter controls requirements for enforcing password complexity for the root user. Enable the enforce_for_root setting in /etc/security/pwquality.conf to require the root user to use complex passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root
Severity: Medium
References: CCI-000192 CCI-000193 CCI-000194 CCI-000195 CCI-000205 CCI-000366 CCI-001619

CM-6(a) IA-5(1)(a) IA-5(4) IA-5(c)

SRG-OS-000069-GPOS-00037 SRG-OS-000070-GPOS-00038 SRG-OS-000071-GPOS-00039 SRG-OS-000072-GPOS-00040 SRG-OS-000078-GPOS-00046 SRG-OS-000266-GPOS-00101 SRG-OS-000480-GPOS-00225

CCE-83377-2

4.4.3.2.7
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83377-2
  - NIST-800-53-CM-6(a)  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - accounts_password_pam_enforce_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure PAM Enforces Password Requirements - Enforce for root User
  lineinfile:
    path: /etc/security/pwquality.conf
    create: true
    line: enforce_for_root
    state: present
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83377-2
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - accounts_password_pam_enforce_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

if [ -e "/etc/security/pwquality.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*enforce_for_root/Id" "/etc/security/pwquality.conf"else
    touch "/etc/security/pwquality.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/security/pwquality.conf"

cp "/etc/security/pwquality.conf" "/etc/security/pwquality.conf.bak"
# Insert at the end of the file
printf '%s\n' "enforce_for_root" >> "/etc/security/pwquality.conf"
# Clean up after ourselves.
rm "/etc/security/pwquality.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure PAM Enforces Password Requirements - Enforce for root User

Description

Rationale

Remediation - Ansible

Remediation - Shell Script