5.3.2.3 Ensure pam_pwquality module is enabled

Audit

Run the following command to verify that pam_pwquality is enabled:

# grep -P -- '\bpam_pwquality\.so\b' /etc/pam.d/common-password

Output should be similar to:

password requisite pam_pwquality.so retry=3

Remediation

Run the following command to verify that a pam_pwquality.so line exists in a pam-auth-update profile:

# grep -P -- '\bpam_pwquality\.so\b' /usr/share/pam-configs/*

Output should be similar to:

/usr/share/pam-configs/pwquality: requisite pam_pwquality.so retry=3

- IF - similar output is returned: Run the following command to update /etc/pam.d/common-password with the returned profile:

# pam-auth-update --enable {PROFILE_NAME}

Example:

# pam-auth-update --enable pwquality

- IF - similar output is NOT returned: Create a pam-auth-update profile in /usr/share/pam-configs/ with the following lines:

Name: Pwquality password strength checking
Default: yes
Priority: 1024
Conflicts: cracklib
Password-Type: Primary
Password:
	requisite pam_pwquality.so retry=3

Example:

#!/usr/bin/env bash
{
  # Profile fields in pam-auth-update's format. The module line under
  # "Password:" must begin with whitespace (a tab here) so that
  # pam-auth-update parses it as part of that section.
  arr=('Name: Pwquality password strength checking' 'Default: yes' 'Priority: 1024' 'Conflicts: cracklib' 'Password-Type: Primary' 'Password:' $'\trequisite pam_pwquality.so retry=3')
  printf '%s\n' "${arr[@]}" > /usr/share/pam-configs/pwquality
}

Run the following command to update the /etc/pam.d/common-password with the pwquality profile:

# pam-auth-update --enable pwquality

Note:

- The name of the profile file must be the name passed to the pam-auth-update --enable command
- The Name: line should be easily recognizable and understood
- The Priority: line is important, as it affects the order of the lines in the /etc/pam.d/ files
- If a site-specific custom profile that includes the configuration for the pam_pwquality module is used in your environment to configure PAM, enable that profile instead
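An added audit helper, example code that is not part of the CIS benchmark: it runs the two checks the Audit and Remediation sections above describe (an active pam_pwquality.so line in a common-password stack, and a pam-auth-update profile that provides it) and writes the pwquality profile in the format shown above. File paths are parameters, and the function names and the constructed sample files are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added audit helper (not part of the CIS benchmark). It answers the two
# questions the audit and remediation above ask: is pam_pwquality.so active in
# the common-password stack, and does a pam-auth-update profile provide it?
# File paths are parameters so it can run against constructed samples.

# Exit 0 if stack file $1 has an uncommented "password ... pam_pwquality.so" line.
pwquality_active() {
    grep -Eq '^[[:space:]]*password[[:space:]].*pam_pwquality\.so([[:space:]]|$)' "$1"
}

# Print the names of profiles in pam-configs directory $1 whose indented
# module lines (the only ones pam-auth-update uses) load pam_pwquality.so.
pwquality_profiles() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]+[^#[:space:]].*pam_pwquality\.so([[:space:]]|$)' "$f" \
            && basename "$f"
    done
    return 0
}

# Write the remediation's pwquality profile into directory $1. The module line
# must be indented (a tab here) or pam-auth-update will not treat it as part
# of the Password: section.
write_pwquality_profile() {
    {
        printf 'Name: Pwquality password strength checking\n'
        printf 'Default: yes\nPriority: 1024\nConflicts: cracklib\n'
        printf 'Password-Type: Primary\nPassword:\n'
        printf '\trequisite pam_pwquality.so retry=3\n'
    } > "$1/pwquality"
}

# Demo on constructed sample files so nothing under /etc is read or written.
demo() {
    tmp=$(mktemp -d); mkdir -p "$tmp/pam-configs"
    # Constructed stack where the module line was commented out: must fail the audit.
    printf '# password requisite pam_pwquality.so retry=3\n' > "$tmp/common-password"
    printf 'password [success=1 default=ignore] pam_unix.so obscure yescrypt\n' >> "$tmp/common-password"
    pwquality_active "$tmp/common-password" && echo "audit: pass" || echo "audit: FAIL"
    write_pwquality_profile "$tmp/pam-configs"
    echo "profiles providing pam_pwquality.so: $(pwquality_profiles "$tmp/pam-configs")"
    rm -rf "$tmp"
}
demo
```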