Ensure PAM Enforces Password Requirements - Enforcing
An XCCDF Rule
Description
Verify that the operating system uses "pwquality" to enforce the password complexity rules. Verify that the pwquality module is being enforced by the operating system by running the following command:
$ grep -i enforcing /etc/security/pwquality.conf
enforcing = 1
If the value of "enforcing" is not "1" or the line is commented out, this is a finding.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Using enforcing=1 ensures "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
- ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_enforcing
- Severity: Medium
- Updated
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - DISA-STIG-UBTU-20-010057
    - accounts_password_pam_enforcing
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then
    if [ -e "/etc/security/pwquality.conf" ] ; then
        LC_ALL=C sed -i "/^\s*enforcing = 1/Id" "/etc/security/pwquality.conf"
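
The check from the Description and an idempotent form of the fix, written as an added example; it is not the SSG project's remediation script. The function names and the CONF override are hypothetical, and the demo runs against a constructed temporary file rather than /etc.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the default path and the
# "enforcing = 1" setting come from the rule text.
CONF=${CONF:-/etc/security/pwquality.conf}

# Print the value of every active (uncommented) "enforcing" line.
enforcing_values() {
    sed -n 's/^[[:space:]]*enforcing[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1"
}

# Return 0 only when enforcing is set to 1 and no active line says otherwise.
audit_enforcing() {
    vals=$(enforcing_values "${1:-$CONF}" 2>/dev/null)
    if [ -z "$vals" ]; then
        echo "finding: enforcing is missing or commented out"; return 1
    fi
    bad=$(printf '%s\n' "$vals" | grep -vx '1' || true)
    if [ -n "$bad" ]; then
        echo "finding: enforcing is set to a value other than 1"; return 1
    fi
    echo "pass: enforcing = 1"
}

# Idempotent fix: drop every active "enforcing" line, then append one.
fix_enforcing() {
    conf=${1:-$CONF}
    tmp=$(mktemp) || return 1
    if [ -e "$conf" ]; then
        grep -v '^[[:space:]]*enforcing[[:space:]]*=' "$conf" > "$tmp" || true
    fi
    printf '%s\n' 'enforcing = 1' >> "$tmp"
    # cat (not mv) keeps the owner and mode of an existing target file.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Demo on a constructed sample file; /etc is never touched here.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '# enforcing = 1' 'minlen = 15' 'enforcing = 0' > "$f"
    audit_enforcing "$f" || true   # finding: active value is 0
    fix_enforcing "$f"
    audit_enforcing "$f"           # pass
    rm -f "$f"
}
demo
```

A plain `grep -i enforcing` also matches commented lines, so the audit function only counts lines where the key is active, which is the distinction the finding text draws.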