Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
An XCCDF Rule
Description
The pam_pwquality module's dictcheck
check if passwords contains dictionary words. When
dictcheck
is set to 1
passwords will be checked for dictionary words.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more
complex the password, the greater the number of possible combinations that need to be tested before the
password is compromised.
Passwords with dictionary words may be more vulnerable to password-guessing attacks.
- ID
- xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- DISA-STIG-UBTU-20-010056
- NIST-800-53-CM-6(a)
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then
var_password_pam_dictcheck='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_dictcheck" use="legacy"/>'