An XCCDF Group - A logical subset of the XCCDF Benchmark
/etc/pam.d
/etc/pam.d/login
/etc/pam.d/system-auth
/etc/security/opasswd
libpam-pwquality
$ apt-get install libpam-pwquality
$ sudo grep pam_succeed_if /etc/pam.d/sudo
pam_lastlog
showfailed
session required pam_lastlog.so showfailed
silent
pam_faillock
/usr/share/doc/pam-VERSION/txts/README.pam_faillock
remember
pam_pwhistory
/etc/pam.d/common-password
use_authtok
password requisite pam_pwhistory.so ...existing_options... remember= use_authtok
pam_unix
pam_faildelay
/etc/pam.d/common-auth
delay
auth required pam_faildelay.so delay=
pam_faillock.so
/etc/security/faillock.conf
deny = <count>
fail_interval
fail_interval = <interval-in-seconds>
interval-in-seconds
authselect
authconfig
unlock_time=<interval-in-seconds>
unlock_time
0
faillock
pam_pwquality
pam_pwquality(8)
pam_cracklib
password requisite pam_cracklib.so try_first_pass retry=3
password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
/etc/security/pwquality.conf
difok = 4 minlen = 14 dcredit = -1 ucredit = -1 lcredit = -1 ocredit = -1 maxrepeat = 3
dcredit
dictcheck
1
difok
$ grep -i enforcing /etc/security/pwquality.conf enforcing = 1
lcredit
minclass
* Upper-case characters * Lower-case characters * Digits * Special characters (for example, punctuation)
minlen
minlen=
ocredit=
ocredit
pam_pwquality.so
retry=
ucredit=
ucredit
/etc/shadow
/etc/login.defs
ENCRYPT_METHOD