
Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only

An XCCDF Rule

Description

The local_users_only option of the pam_pwquality module limits password complexity enforcement to local user accounts, leaving the password policy of centrally managed accounts to the central account management system. Enable the local_users_only setting in /etc/security/pwquality.conf to enforce password complexity for local user accounts only.

Management Warning

Using this rule bypasses pam_faillock's functionality and should be used in cases where centralized management such as LDAP or Active Directory is in use.

Rationale

The operating system must provide automated mechanisms for supporting account management functions. Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error.

ID
xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local
Severity
Medium



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
if [ -e "/etc/security/pwquality.conf" ] ; then
    # Remove any existing local_users_only line (case-insensitive) so it is not duplicated below
    LC_ALL=C sed -i "/^\s*local_users_only/Id" "/etc/security/pwquality.conf"
fi
# Append the setting at the end of the file (the file is created if it does not exist)
printf '%s\n' "local_users_only" >> "/etc/security/pwquality.conf"
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
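The description above says where the setting lives and the shell remediation above shows how it is written; the following check/remediate pair is an added example, not the rule's generated content, and takes the file path as a parameter so it can be exercised on a constructed sample rather than the real /etc/security/pwquality.conf.

```shell
# Added example, not part of the XCCDF rule or its generated remediation: a
# check/remediate pair for the local_users_only setting. The file path is a
# parameter so the functions can be exercised on a constructed sample file.

# Active-line pattern: optional leading whitespace, the key, then a boundary
# so a key that merely starts with local_users_only does not match.
LUO_RE='^[[:space:]]*local_users_only([[:space:]]|=|$)'

# Return 0 if the file has an uncommented local_users_only line, else 1.
check_local_users_only() {
    grep -Eiq "$LUO_RE" "$1"
}

# Print the number of active local_users_only lines (a compliant file has one).
count_local_users_only() {
    grep -Eic "$LUO_RE" "$1" || true
}

# Mirror the rule's shell remediation: remove any existing active lines, then
# append the setting once, so repeated runs leave exactly one line.
remediate_local_users_only() {
    f="$1"
    [ -e "$f" ] || : > "$f"
    grep -Eiv "$LUO_RE" "$f" > "$f.tmp" || true
    printf '%s\n' 'local_users_only' >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# Constructed sample: the setting is only present as a comment, so the check
# must fail until remediation has run.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Configuration for systemwide password quality limits
minlen = 12
# local_users_only
dcredit = -1
EOF
}

# Demo on a temporary file.
conf=$(mktemp)
write_sample_conf "$conf"
remediate_local_users_only "$conf"
check_local_users_only "$conf" && echo "local_users_only enabled in $conf"
rm -f "$conf"
```

The commented hint line is deliberately left untouched, because only uncommented lines count as the setting being active.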

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-AC-2(1)
  - accounts_password_pam_enforce_local
- name: Enable local_users_only in /etc/security/pwquality.conf
  lineinfile:
    path: /etc/security/pwquality.conf
    regexp: '^\s*local_users_only'
    line: local_users_only
  when: '"pam" in ansible_facts.packages'