Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
An XCCDF Rule
Description
The pam_pwquality module's maxclassrepeat
parameter controls requirements for
consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters from the same character class. Modify the
maxclassrepeat
setting in /etc/security/pwquality.conf
to equal
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting
attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The
more complex a password, the greater the number of possible combinations that need to be tested before the
password is compromised.
- ID
- xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
var_password_pam_maxclassrepeat='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat" use="legacy"/>'
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83575-1
- DISA-STIG-RHEL-09-611120