Ensure PAM Enforces Password Requirements - Minimum Digit Characters
An XCCDF Rule
Description
The pam_pwquality module's dcredit
parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each digit. Modify the dcredit
setting in
/etc/security/pwquality.conf
to require the use of a digit in passwords.
Rationale
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possible combinations that need to be tested before the password is compromised.
Requiring digits makes password guessing attacks more difficult by ensuring a larger
search space.
- ID
- xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
var_password_pam_dcredit='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" use="legacy"/>'
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- DISA-STIG-RHEL-09-611070
- NIST-800-53-CM-6(a)