======5.3.1 Ensure password creation requirements are configured (Scored)======
=====Profile Applicability=====
Level 1 - Server
Level 1 - Workstation
=====Description=====
The ''pam_pwquality.so'' module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the ''pam_pwquality.so'' options.
* ''try_first_pass'' - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.
* ''retry=3'' - Allow 3 tries before sending back a failure.
The following options are set in the ''/etc/security/pwquality.conf'' file:
* ''minlen=14'' - password must be 14 characters or more
* ''dcredit=-1'' - provide at least one digit
* ''ucredit=-1'' - provide at least one uppercase character
* ''ocredit=-1'' - provide at least one special character
* ''lcredit=-1'' - provide at least one lowercase character
The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.
=====Rationale=====
Strong passwords protect systems from being hacked through brute force methods.
=====Audit=====
Run the following commands and verify all password requirements are as listed or stricter:
<code>
# grep pam_pwquality.so /etc/pam.d/password-auth
password requisite pam_pwquality.so try_first_pass retry=3
# grep pam_pwquality.so /etc/pam.d/system-auth
password requisite pam_pwquality.so try_first_pass retry=3
# grep ^minlen /etc/security/pwquality.conf
minlen=14
# grep ^dcredit /etc/security/pwquality.conf
dcredit=-1
# grep ^lcredit /etc/security/pwquality.conf
lcredit=-1
# grep ^ocredit /etc/security/pwquality.conf
ocredit=-1
# grep ^ucredit /etc/security/pwquality.conf
ucredit=-1
</code>
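The audit above compares each value by eye against the recommendation "or stricter". The script below is an added example (not part of the CIS benchmark text) that performs the same comparison in one pass: it reads a ''pwquality.conf''-style file and a PAM stack file, treats a larger ''minlen'' or a more negative credit as acceptable, and treats a missing setting as a failure, because the pwquality defaults are weaker than this policy. File paths are passed as arguments, so it runs unchanged against ''/etc/security/pwquality.conf'' and ''/etc/pam.d/password-auth'' or ''system-auth''; the sample files it creates under ''mktemp'' are constructed for illustration and are not real system files.

```shell
#!/bin/sh
# Added audit helper for CIS 5.3.1 (not part of the benchmark text).
# It checks a pwquality.conf-style file and a PAM stack file against the
# values in the recommendation, accepting equal or stricter settings.

# Print the value of KEY from FILE, skipping comments and whitespace around
# the '=' sign. The last assignment wins, as it does for pwquality itself.
conf_value() {
    key=$1; file=$2
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([-0-9]*\).*/\1/p" "$file" | tail -n 1
}

# Return 0 when FILE sets minlen >= 14 and every credit value <= -1.
# An unset key fails: pwquality defaults (minlen=8, credits 0) are weaker.
check_pwquality_conf() {
    file=$1; status=0
    minlen=$(conf_value minlen "$file")
    if [ -z "$minlen" ] || [ "$minlen" -lt 14 ]; then
        echo "FAIL: $file: minlen is '${minlen:-unset}', want 14 or more"
        status=1
    fi
    for k in dcredit ucredit ocredit lcredit; do
        v=$(conf_value "$k" "$file")
        if [ -z "$v" ] || [ "$v" -gt -1 ]; then
            echo "FAIL: $file: $k is '${v:-unset}', want -1 or lower"
            status=1
        fi
    done
    return $status
}

# Return 0 when FILE has an uncommented 'password requisite pam_pwquality.so'
# line that carries try_first_pass and a retry value of 3 or fewer.
check_pam_stack() {
    file=$1
    line=$(grep -E '^[[:space:]]*password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so' "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: $file: no 'password requisite pam_pwquality.so' entry"
        return 1
    fi
    if ! printf '%s\n' "$line" | grep -qE '(^|[[:space:]])try_first_pass([[:space:]]|$)'; then
        echo "FAIL: $file: try_first_pass missing from the pam_pwquality.so line"
        return 1
    fi
    retry=$(printf '%s\n' "$line" | sed -n 's/.*retry=\([0-9]*\).*/\1/p')
    if [ -z "$retry" ] || [ "$retry" -gt 3 ]; then
        echo "FAIL: $file: retry is '${retry:-unset}', want 3 or fewer"
        return 1
    fi
    return 0
}

# --- Constructed sample inputs (not real system files) ---
SAMPLE_DIR=$(mktemp -d)
GOOD_CONF="$SAMPLE_DIR/pwquality-good.conf"
WEAK_CONF="$SAMPLE_DIR/pwquality-weak.conf"
GOOD_PAM="$SAMPLE_DIR/system-auth"
WEAK_PAM="$SAMPLE_DIR/password-auth"

cat > "$GOOD_CONF" <<'EOF'
# Constructed: meets the recommendation (minlen and ocredit stricter)
minlen = 16
dcredit = -1
ucredit = -1
ocredit = -2
lcredit = -1
EOF

cat > "$WEAK_CONF" <<'EOF'
# Constructed: minlen too short, ocredit left at the pwquality default
minlen = 8
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = 0
EOF

cat > "$GOOD_PAM" <<'EOF'
password    requisite    pam_pwquality.so try_first_pass retry=3
password    sufficient   pam_unix.so sha512 shadow try_first_pass use_authtok
EOF

cat > "$WEAK_PAM" <<'EOF'
# Constructed: retry too permissive and try_first_pass missing
password    requisite    pam_pwquality.so retry=5
EOF

for f in "$GOOD_CONF" "$WEAK_CONF"; do
    if check_pwquality_conf "$f"; then echo "PASS: $f"; fi
done
for f in "$GOOD_PAM" "$WEAK_PAM"; do
    if check_pam_stack "$f"; then echo "PASS: $f"; fi
done
```

To audit a live host, call ''check_pwquality_conf /etc/security/pwquality.conf'' and ''check_pam_stack'' once for each of ''/etc/pam.d/password-auth'' and ''/etc/pam.d/system-auth''; a non-zero exit from any call means the recommendation is not met. The check only looks at the ''requisite'' control named in this recommendation, so a site that stacks ''pam_pwquality.so'' with a different control keyword will need that keyword added to the pattern.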
=====Remediation=====
Edit the ''/etc/pam.d/password-auth'' and ''/etc/pam.d/system-auth'' files to include the appropriate options for ''pam_pwquality.so'' and to conform to site policy:
<code>
password requisite pam_pwquality.so try_first_pass retry=3
</code>
Edit ''/etc/security/pwquality.conf'' to add or update the following settings to conform to site policy:
<code>
minlen=14
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1
</code>
=====Notes=====
Additional module options may be set; this recommendation only covers those listed here.