5.3.1 Ensure password creation requirements are configured (Scored)
Profile Applicability
Level 1 - Server
Level 1 - Workstation
Description
The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, that it is of a certain length, that it contains a mix of character classes (e.g. alphabetic, numeric, other) and more. The following are definitions of the pam_pwquality.so options.
try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.
retry=3 - allow 3 tries before sending back a failure.
The following options are set in the /etc/security/pwquality.conf file:
minlen=14 - password must be 14 characters or more
dcredit=-1 - provide at least one digit
ucredit=-1 - provide at least one uppercase character
ocredit=-1 - provide at least one special character
lcredit=-1 - provide at least one lowercase character
The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.
Rationale
Strong passwords protect systems from being compromised through brute force methods.
Audit
Run the following commands and verify all password requirements are as listed or stricter:
# grep pam_pwquality.so /etc/pam.d/password-auth
password requisite pam_pwquality.so try_first_pass retry=3
# grep pam_pwquality.so /etc/pam.d/system-auth
password requisite pam_pwquality.so try_first_pass retry=3
# grep ^minlen /etc/security/pwquality.conf
minlen=14
# grep ^dcredit /etc/security/pwquality.conf
dcredit=-1
# grep ^lcredit /etc/security/pwquality.conf
lcredit=-1
# grep ^ocredit /etc/security/pwquality.conf
ocredit=-1
# grep ^ucredit /etc/security/pwquality.conf
ucredit=-1
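The audit above leaves the "as listed or stricter" comparison to the reader. As an added example (not part of the benchmark text), the following POSIX shell script encodes that rule as functions and runs them against constructed sample copies of pwquality.conf and system-auth written to a temporary directory. The helper names (pwq_get, check_pwquality_conf, check_pam_file, report) and the sample files are assumptions made for this example; to audit a real host, point the functions at /etc/security/pwquality.conf and the two /etc/pam.d files instead.

```shell
#!/bin/sh
# Added example (not part of the benchmark text): audit helpers that apply the
# "as listed or stricter" rule from 5.3.1 to a pwquality.conf file and a PAM
# password stack file. Sample inputs are constructed below so it runs offline.

# Print the last value assigned to option $2 in pwquality.conf-style file $1.
# Accepts "key = value" or "key=value"; commented-out lines are ignored.
pwq_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1
}

# Return 0 when $1 meets or exceeds the benchmark: minlen >= 14 and every
# credit option <= -1. A negative credit is a required minimum count of that
# character class; 0 or a positive value does not require the class at all.
check_pwquality_conf() {
    v=$(pwq_get "$1" minlen)
    [ -n "$v" ] && [ "$v" -ge 14 ] || return 1
    for k in dcredit ucredit ocredit lcredit; do
        v=$(pwq_get "$1" "$k")
        [ -n "$v" ] && [ "$v" -le -1 ] || return 1
    done
    return 0
}

# Return 0 when PAM file $1 has an uncommented "password requisite
# pam_pwquality.so" line that carries try_first_pass and retry=N with N <= 3.
check_pam_file() {
    line=$(grep -E '^[[:space:]]*password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | grep -qw try_first_pass || return 1
    retry=$(printf '%s\n' "$line" | sed -n 's/.*retry=\([0-9]\{1,\}\).*/\1/p')
    [ -n "$retry" ] && [ "$retry" -le 3 ] || return 1
    return 0
}

# Print PASS/FAIL for one check; always returns 0 so a failure does not abort
# the run, and FAIL_COUNT records how many checks failed.
FAIL_COUNT=0
report() {
    label=$1; shift
    if "$@"; then
        echo "PASS  $label"
    else
        echo "FAIL  $label"
        FAIL_COUNT=$((FAIL_COUNT + 1))
    fi
    return 0
}

# --- constructed sample files (placeholders, not copied from any host) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/pwquality.conf" <<'EOF'
# compliant: matches the benchmark values exactly
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
EOF

cat > "$SAMPLE_DIR/pwquality-weak.conf" <<'EOF'
# non-compliant: too short, and dcredit=0 no longer requires a digit
minlen = 8
dcredit = 0
ucredit = -1
ocredit = -1
lcredit = -1
EOF

cat > "$SAMPLE_DIR/system-auth" <<'EOF'
auth        required      pam_env.so
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF

cat > "$SAMPLE_DIR/system-auth-weak" <<'EOF'
# non-compliant: no try_first_pass, and retry=5 is looser than retry=3
password    requisite     pam_pwquality.so retry=5
EOF

report "pwquality.conf (compliant sample)"  check_pwquality_conf "$SAMPLE_DIR/pwquality.conf"
report "pwquality.conf (weak sample)"       check_pwquality_conf "$SAMPLE_DIR/pwquality-weak.conf"
report "system-auth (compliant sample)"     check_pam_file "$SAMPLE_DIR/system-auth"
report "system-auth (weak sample)"          check_pam_file "$SAMPLE_DIR/system-auth-weak"
echo "checks failed: $FAIL_COUNT (2 expected for the constructed samples)"
```

The credit comparison is deliberately "less than or equal to -1" rather than "equal to -1": a site that sets dcredit=-2 requires two digits, which is stricter than the benchmark and should pass the audit, while dcredit=0 or a positive value turns the digit requirement into an optional bonus and should fail.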
Remediation
Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the appropriate options for pam_pwquality.so and to conform to site policy:
password requisite pam_pwquality.so try_first_pass retry=3
Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy:
minlen=14
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1
Notes
Additional module options may be set; this recommendation only covers those listed here.