Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only
An XCCDF Rule
Description
The local_users_only parameter of the pam_pwquality module makes pam_pwquality enforce password complexity only for local user accounts, leaving accounts that come from a centralized account management system to that system's own password complexity configuration. Enable the local_users_only setting in /etc/security/pwquality.conf to restrict password complexity enforcement to local user accounts only.
Management Warning
Using this rule bypasses pam_faillock's functionality and should be used in cases where centralized management such as LDAP or Active Directory is in use.
Rationale
The operating system must provide automated mechanisms for supporting account management functions. Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error.
- ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local
- Severity: Medium
- References:
- Updated:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
  if [ -e "/etc/security/pwquality.conf" ] ; then
    # Remove any existing local_users_only line (case-insensitive) before re-adding it
    LC_ALL=C sed -i "/^\s*local_users_only/Id" "/etc/security/pwquality.conf"
  fi
  printf '%s\n' "local_users_only" >> "/etc/security/pwquality.conf"
fi
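As an added example (not ComplianceAsCode content), the shell functions below show the check and an idempotent version of the fix for local_users_only, operating on a constructed copy of pwquality.conf so the behaviour can be tried without touching /etc/security; the function names and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode content): audit and idempotent enable of
# local_users_only in a pwquality.conf file. Every function takes the file path
# as $1 so it can be exercised on a constructed copy instead of /etc/security.

# Constructed sample config: two ordinary settings and the keyword still commented out.
make_sample_conf() {
    printf '%s\n' \
        '# constructed pwquality.conf for demonstration' \
        'difok = 1' \
        'minlen = 8' \
        '# local_users_only' > "$1"
}

# Check: exit 0 only if an active (uncommented) local_users_only line exists.
# pwquality.conf takes the keyword bare, with no "= value".
pwquality_local_only_enabled() {
    grep -Eq '^[[:space:]]*local_users_only[[:space:]]*$' "$1"
}

# Count active local_users_only lines; used to confirm the fix does not duplicate.
pwquality_local_only_count() {
    grep -Ec '^[[:space:]]*local_users_only[[:space:]]*$' "$1" || true
}

# Fix: drop every active local_users_only line (case-insensitive, mirroring the
# rule's sed pattern), then append the keyword exactly once. Commented-out lines
# are left alone. Rewriting through cat keeps the file's inode and permissions.
pwquality_enable_local_only() {
    conf="$1"
    [ -e "$conf" ] || touch "$conf"
    tmp=$(mktemp)
    grep -Eiv '^[[:space:]]*local_users_only' "$conf" > "$tmp" || true
    printf '%s\n' "local_users_only" >> "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}
```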
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-AC-2(1)
  - accounts_password_pam_enforce_local