Skip to content

5.3.3.2.3 Ensure password complexity is configured

hide: - toc title: 5.3.3.2.3 Ensure password complexity is configured description: Password complexity can be set through: tags: - Level 1 - Workstation - Server - Access Control - Pluggable Authentication Modules - Confgure PAM Arguments - Configure pam_pwquality module - Manual - IG1 - IG2 - IG3 - 5.2 Use Unique Passwords - T1078.001 - T1078.002 - T1078.003 - T1078.004 - T1110 - T1110.001 - T1110.002 - T1110.003 - TA0006 - M1027

Audit#

Run the following command to verify: - dcredit, ucredit, lcredit, and ocredit are not set to a value greater than 0 - Complexity conforms to local site policy: 

# grep -Psi -- '^\h*(minclass|[dulo]credit)\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

Example output: 

/etc/security/pwquality.conf.d/50-pwcomplexity.conf:minclass = 3
/etc/security/pwquality.conf.d/50-pwcomplexity.conf:ucredit = -2
/etc/security/pwquality.conf.d/50-pwcomplexity.conf:lcredit = -2
/etc/security/pwquality.conf.d/50-pwcomplexity.conf:dcredit = -1
/etc/security/pwquality.conf.d/50-pwcomplexity.conf:ocredit = 0

The example represents a requirement of three character classes, with passwords requiring two upper case, two lower case, and one numeric character. Run the following command to verify that module arguments in the configuration file(s) are not being overridden by arguments in /etc/pam.d/common-password: 

# grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?(minclass=\d*|[dulo]credit=-?\d*)\b' /etc/pam.d/common-password
Nothing should be returned

Note: - settings should be configured in only one location for clarity - Settings observe an order of precedence: - module arguments override the settings in the /etc/security/pwquality.conf configuration file - settings in the /etc/security/pwquality.conf configuration file override settings in a .conf file in the /etc/security/pwquality.conf.d/ directory - settings in a .conf file in the /etc/security/pwquality.conf.d/ directory are read in canonical order, with last read file containing the setting taking precedence - It is recommended that settings be configured in a .conf file in the /etc/security/pwquality.conf.d/ directory for clarity, convenience, and durability.

Remediation#

Run the following command: 

# grep -Pl -- '\bpam_pwquality\.so\h+([^#\n\r]+\h+)?(minclass|[dulo]credit)\b' /usr/share/pam-configs/*

Edit any returned files and remove the minclass, dcredit, ucredit, lcredit, and ocredit arguments from the pam_pwquality.so line(s) Create or modify a file ending in .conf in the /etc/security/pwquality.conf.d/ directory or the file /etc/security/pwquality.conf and add or modify the following line(s) to set complexity according to local site policy: - minclass = N - dcredit = N # Value should be either 0 or a number proceeded by a minus (-) symbol - ucredit = -1 # Value should be either 0 or a number proceeded by a minus (-) symbol - ocredit = -1 # Value should be either 0 or a number proceeded by a minus (-) symbol - lcredit = -1 # Value should be either 0 or a number proceeded by a minus (-) symbol

Example 1 - Set minclass = 3: 

1
2
3
4
5
6
7
#!/usr/bin/env bash
{
sed -ri 's/^\s*minclass\s*=/# &/' /etc/security/pwquality.conf
sed -ri 's/^\s*[dulo]credit\s*=/# &/' /etc/security/pwquality.conf
[ ! -d /etc/security/pwquality.conf.d/ ] && mkdir /etc/security/pwquality.conf.d/
printf '\n%s' "minclass = 3" > /etc/security/pwquality.conf.d/50-pwcomplexity.conf
}

Example 2 - set dcredit = -1, ucredit = -1, and lcredit = -1: 

1
2
3
4
5
6
7
#!/usr/bin/env bash
{
sed -ri 's/^\s*minclass\s*=/# &/' /etc/security/pwquality.conf
sed -ri 's/^\s*[dulo]credit\s*=/# &/' /etc/security/pwquality.conf
[ ! -d /etc/security/pwquality.conf.d/ ] && mkdir /etc/security/pwquality.conf.d/
printf '%s\n' "dcredit = -1" "ucredit = -1" "lcredit = -1" > /etc/security/pwquality.conf.d/50-pwcomplexity.conf
}

Default Value: minclass = 0 dcredit = 0 ucredit = 0 ocredit = 0 lcredit = 0