Skip to content

Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session

An XCCDF Rule

Description

To configure the number of retry prompts that are permitted per-session: Edit the /etc/security/pwquality.conf to include retry=, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session.

Rationale

Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.

ID
xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.5.3
  - DISA-STIG-RHEL-09-611010

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_password_pam_retry='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_retry" use="legacy"/>'