====== 5.3.1 Ensure password creation requirements are configured (Scored) ======

===== Profile Applicability =====

  * Level 1 - Server
  * Level 1 - Workstation

===== Description =====

The ''pam_pwquality.so'' module checks the strength of a new password. It performs checks such as making sure the password is not a dictionary word, meets a minimum length, contains a mix of character classes (alphabetic, numeric, other) and more.

The following are definitions of the ''pam_pwquality.so'' options used in this recommendation:

  * ''try_first_pass'' - retrieve the password from a previous stacked PAM module. If it is not available, prompt the user for a password.
  * ''retry=3'' - allow 3 tries before returning a failure.

The following options are set in the ''/etc/security/pwquality.conf'' file:

  * ''minlen=14'' - the password must be 14 characters or more
  * ''dcredit=-1'' - require at least one digit
  * ''ucredit=-1'' - require at least one uppercase character
  * ''ocredit=-1'' - require at least one special character
  * ''lcredit=-1'' - require at least one lowercase character

A negative credit value is a minimum count of that character class. A zero or positive value does not require the class at all; it only lets characters of that class count extra towards ''minlen'', so it must not be used where the class is mandatory.

The settings shown above are one possible policy. Alter these values to conform to your own organization's password policy.

===== Rationale =====

Strong passwords protect systems from being compromised through brute-force and dictionary attacks.
===== Audit =====

Run the following commands and verify all password requirements are as listed or stricter:

<code>
# grep pam_pwquality.so /etc/pam.d/password-auth
password requisite pam_pwquality.so try_first_pass retry=3

# grep pam_pwquality.so /etc/pam.d/system-auth
password requisite pam_pwquality.so try_first_pass retry=3

# grep ^minlen /etc/security/pwquality.conf
minlen=14

# grep ^dcredit /etc/security/pwquality.conf
dcredit=-1

# grep ^lcredit /etc/security/pwquality.conf
lcredit=-1

# grep ^ocredit /etc/security/pwquality.conf
ocredit=-1

# grep ^ucredit /etc/security/pwquality.conf
ucredit=-1
</code>

Note that ''pwquality.conf'' permits whitespace around the ''='' (''minlen = 14''), so compare the value, not the exact string, and treat a value that is larger for ''minlen'' or more negative for a credit option as compliant.

===== Remediation =====

Edit the ''/etc/pam.d/password-auth'' and ''/etc/pam.d/system-auth'' files to include the appropriate options for ''pam_pwquality.so'' and to conform to site policy:

<code>
password requisite pam_pwquality.so try_first_pass retry=3
</code>

Edit ''/etc/security/pwquality.conf'' to add or update the following settings to conform to site policy:

<code>
minlen=14
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1
</code>

===== Notes =====

Additional module options may be set; this recommendation covers only those listed here.

By default ''pam_pwquality.so'' only warns, and does not refuse, when ''root'' sets a password for another account that fails these checks. If site policy requires the checks to apply to passwords set by ''root'' as well, add the ''enforce_for_root'' option to the module line.
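The audit commands above are meant to be read by a person comparing output against the listed values. The script below is an added example, not part of the CIS benchmark text, that performs the same checks in a way suitable for automation: it parses the ''key = value'' lines of ''pwquality.conf'' and the ''retry='' option of the PAM line, and then compares the numbers against the minimums of this recommendation, so a stricter site policy (for example ''minlen = 16'' or ''lcredit = -2'') still passes. The sample files it writes under a temporary directory are constructed for the demonstration; the function names (''check_pam'', ''check_conf'', ''audit'') are the example's own. On a real host, call ''audit'' with ''/etc/security/pwquality.conf'' followed by ''/etc/pam.d/password-auth'' and ''/etc/pam.d/system-auth''.

```shell
#!/bin/sh
# Added example (not part of the CIS benchmark): a value-based audit of the
# 5.3.1 settings. Requirements checked:
#   PAM line:  password requisite pam_pwquality.so ... retry=<N>, N <= 3
#   pwquality: minlen >= 14; dcredit, ucredit, ocredit, lcredit each <= -1

# is_int VALUE -> 0 if VALUE is an optionally negative integer, 1 otherwise
is_int() {
  case "$1" in
    ''|-|*[!0-9-]*|?*-*) return 1 ;;   # empty, lone '-', non-digit, or '-' not in front
  esac
  return 0
}

# get_opt FILE KEY -> print the value of the last active "KEY = value" line
# (commented-out lines and trailing "# ..." comments are ignored)
get_opt() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# check_pam FILE -> 0 if FILE has a 'password requisite pam_pwquality.so' line
# whose retry= option is 3 or fewer
check_pam() {
  line=$(grep -E '^[[:space:]]*password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so' "$1" | head -n 1)
  if [ -z "$line" ]; then
    echo "FAIL $1: no 'password requisite pam_pwquality.so' line"
    return 1
  fi
  retry=$(printf '%s\n' "$line" | sed -n 's/.*retry=\([0-9][0-9]*\).*/\1/p')
  if [ -z "$retry" ] || [ "$retry" -gt 3 ]; then
    echo "FAIL $1: retry is '${retry:-unset}', must be set to 3 or fewer"
    return 1
  fi
  echo "PASS $1: $line"
}

# check_conf FILE -> 0 if minlen >= 14 and every credit option is -1 or lower
check_conf() {
  rc=0
  minlen=$(get_opt "$1" minlen)
  if ! is_int "$minlen" || [ "$minlen" -lt 14 ]; then
    echo "FAIL $1: minlen is '${minlen:-unset}', must be 14 or more"
    rc=1
  else
    echo "PASS $1: minlen=$minlen"
  fi
  for key in dcredit ucredit ocredit lcredit; do
    val=$(get_opt "$1" "$key")
    # A negative credit is a required minimum; 0 or positive makes the class optional
    if ! is_int "$val" || [ "$val" -gt -1 ]; then
      echo "FAIL $1: $key is '${val:-unset}', must be -1 or lower"
      rc=1
    else
      echo "PASS $1: $key=$val"
    fi
  done
  return $rc
}

# audit CONF PAM_FILE... -> 0 only when the conf and every PAM file pass
audit() {
  conf=$1; shift
  overall=0
  for pam in "$@"; do check_pam "$pam" || overall=1; done
  check_conf "$conf" || overall=1
  return $overall
}

# make_samples DIR -> write constructed sample files (not real system files)
make_samples() {
  cat > "$1/good-pam" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
  cat > "$1/bad-pam" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass retry=5
EOF
  cat > "$1/good.conf" <<'EOF'
# stricter than the benchmark minimums, still compliant
minlen = 16
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -2
EOF
  cat > "$1/bad.conf" <<'EOF'
minlen = 8
dcredit = 0
ucredit = -1
# ocredit deliberately left unset
lcredit = -1
EOF
}

# Stand-alone demonstration over the constructed samples
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
if audit "$demo_dir/good.conf" "$demo_dir/good-pam"; then echo "good: compliant"; else echo "good: NOT compliant"; fi
if audit "$demo_dir/bad.conf" "$demo_dir/bad-pam"; then echo "bad: compliant"; else echo "bad: NOT compliant"; fi
rm -rf "$demo_dir"
```

Each failing requirement is reported on its own line, and ''audit'' returns non-zero if any file fails, so the script can be dropped into a configuration-check pipeline as-is.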