5.3.3.2.1 Ensure password number of changed characters is configured
Audit
The difok option sets the minimum number of characters in a new password that must not have been present in the old password. Run the following command to verify that the difok option is set to 2 or more and follows local site policy:
# grep -Psi -- '^\h*difok\h*=\h*([2-9]|[1-9][0-9]+)\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
Example output:
Verify that the returned value(s) are 2 or more and meet local site policy.
Run the following command to verify that difok is either not set as a module argument on the pam_pwquality.so line, or is set there to 2 or more, and conforms to local site policy:
# grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?difok\h*=\h*([0-1])\b' /etc/pam.d/common-password
Nothing should be returned (the pattern only matches a module argument of 0 or 1).
Note:
- Settings should be configured in only one location for clarity.
- Settings observe an order of precedence:
  - module arguments on the pam_pwquality.so line override every value read from the configuration files
  - /etc/security/pwquality.conf is read first, then the .conf files in the /etc/security/pwquality.conf.d/ directory are read in canonical (sorted) order; a setting read later overrides the same setting read earlier, so a value in a .conf file in /etc/security/pwquality.conf.d/ overrides the value in /etc/security/pwquality.conf, and the last .conf file that sets it takes precedence
- It is recommended that settings be configured in a .conf file in the /etc/security/pwquality.conf.d/ directory for clarity, convenience, and durability.
Remediation
Create or modify a file ending in .conf in the /etc/security/pwquality.conf.d/ directory or the file /etc/security/pwquality.conf and add or modify the following line to set difok to 2 or more. Ensure setting conforms to local site policy: Example:
Run the following command:
Edit any returned files and remove the difok argument from the pam_pwquality.so line(s):
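The following script is an added example, not part of the benchmark text: it models both the audit (the precedence rules above) and the remediation against a constructed copy of the configuration files under a temporary root, so it never touches the live /etc. The temporary root, the sample file contents, the .conf file name 50-pwdifok.conf and the use of grep -E / sed -E patterns (instead of the benchmark's grep -P) are assumptions made here for portability.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit and remediate difok against
# a constructed copy of the Debian/Ubuntu config layout under a temporary root.

ROOT="${ROOT:-$(mktemp -d)}"                       # assumption: never the real /etc
PWQ_CONF="$ROOT/etc/security/pwquality.conf"
PWQ_DIR="$ROOT/etc/security/pwquality.conf.d"
PAM_FILE="$ROOT/etc/pam.d/common-password"

# Constructed sample: every layer disagrees on difok so precedence is visible.
setup_fixture() {
  rm -rf "$PWQ_DIR" && mkdir -p "$PWQ_DIR" "$(dirname "$PAM_FILE")"
  printf '# constructed sample\ndifok = 1\nminlen = 14\n' > "$PWQ_CONF"
  printf 'difok = 3\n' > "$PWQ_DIR/10-site.conf"
  printf '# read after 10-site.conf, so it wins among the .conf files\ndifok = 4\n' \
      > "$PWQ_DIR/20-override.conf"
  printf 'password requisite pam_pwquality.so retry=3 difok=1\n' > "$PAM_FILE"
  printf 'password [success=1 default=ignore] pam_unix.so obscure yescrypt\n' >> "$PAM_FILE"
}

# Effective difok as libpwquality will apply it: a module argument on the
# pam_pwquality.so line wins; otherwise the last value read from pwquality.conf
# followed by pwquality.conf.d/*.conf in sorted order; otherwise the default, 1.
effective_difok() {
  v=$(grep -Ei '^[[:blank:]]*password[[:blank:]]+(requisite|required|sufficient)[[:blank:]]+pam_pwquality\.so[[:blank:]]+([^#]*[[:blank:]]+)?difok[[:blank:]]*=' "$PAM_FILE" \
      | sed -E 's/.*[[:blank:]]difok[[:blank:]]*=[[:blank:]]*([0-9]+).*/\1/' | tail -n 1)
  if [ -n "$v" ]; then echo "$v"; return 0; fi
  for f in "$PWQ_CONF" "$PWQ_DIR"/*.conf; do
    [ -f "$f" ] || continue
    n=$(grep -Ei '^[[:blank:]]*difok[[:blank:]]*=[[:blank:]]*[0-9]+' "$f" \
        | sed -E 's/^[^=]*=[[:blank:]]*([0-9]+).*/\1/' | tail -n 1)
    [ -n "$n" ] && v=$n
  done
  echo "${v:-1}"
}

# The benchmark's two audit checks: some .conf file sets difok to 2 or more,
# and no pam_pwquality.so line forces it back to 0 or 1. Prints PASS or FAIL.
audit_difok() {
  conf_ok=$(cat "$PWQ_CONF" "$PWQ_DIR"/*.conf 2>/dev/null \
      | grep -Eic '^[[:blank:]]*difok[[:blank:]]*=[[:blank:]]*([2-9]|[1-9][0-9]+)([[:blank:]]|$)' || true)
  pam_bad=$(grep -Eic '^[[:blank:]]*password[[:blank:]]+(requisite|required|sufficient)[[:blank:]]+pam_pwquality\.so[[:blank:]]+([^#]*[[:blank:]]+)?difok[[:blank:]]*=[[:blank:]]*[01]([[:blank:]]|$)' "$PAM_FILE" || true)
  if [ "$conf_ok" -gt 0 ] && [ "$pam_bad" -eq 0 ]; then echo PASS; else echo FAIL; fi
}

# Remediation as the text describes: set the value in a .conf file in the .d
# directory (the name 50-pwdifok.conf is an assumption), then strip any difok
# argument from the pam_pwquality.so line(s) so the .conf value is what applies.
remediate_difok() {
  printf '%s\n' "difok = ${1:-2}" > "$PWQ_DIR/50-pwdifok.conf"
  sed -E 's/^([[:blank:]]*password[[:blank:]]+(requisite|required|sufficient)[[:blank:]]+pam_pwquality\.so.*)[[:blank:]]+difok[[:blank:]]*=[[:blank:]]*[0-9]+/\1/' \
      "$PAM_FILE" > "$PAM_FILE.tmp" && mv "$PAM_FILE.tmp" "$PAM_FILE"
}

setup_fixture
echo "before:  effective difok=$(effective_difok) audit=$(audit_difok)"
remediate_difok 2
echo "after:   effective difok=$(effective_difok) audit=$(audit_difok)"
# Caveat: the audit's first check only asks whether *some* .conf file sets
# difok to 2 or more, so a later file in the directory can lower it unnoticed.
printf 'difok = 1\n' > "$PWQ_DIR/90-legacy.conf"
echo "90-legacy.conf added: effective difok=$(effective_difok) audit=$(audit_difok)"
```

The last step is the check worth keeping in mind when using the benchmark's grep alone: it reports PASS while the value libpwquality will actually enforce is 1, which is why the note above recommends configuring the setting in only one location and why the audit should be read alongside the sorted list of files in /etc/security/pwquality.conf.d/.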
Default Value: difok = 1