5.3.3.2.5 Ensure password maximum sequential characters is configured
Audit#
Run the following command to verify that the maxsequence option is set to 3 or less, not 0, and follows local site policy:
# grep -Psi -- '^\h*maxsequence\h*=\h*[1-3]\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
Example output:
Verify returned value(s) are 3 or less, not 0, and meet local site policy.
Run the following command to verify that maxsequence is either not set as an argument on the pam_pwquality.so line or, if set, is 3 or less, not 0, and conforms to local site policy. Nothing should be returned:
# grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?maxsequence\h*=\h*(0|[4-9]|[1-9][0-9]+)\b' /etc/pam.d/common-password
Note:
- Settings should be configured in only one location for clarity.
- Settings observe an order of precedence:
  - module arguments override the settings in the /etc/security/pwquality.conf configuration file
  - settings in the /etc/security/pwquality.conf configuration file override settings in a .conf file in the /etc/security/pwquality.conf.d/ directory
  - settings in a .conf file in the /etc/security/pwquality.conf.d/ directory are read in canonical order, with the last read file containing the setting taking precedence
- It is recommended that settings be configured in a .conf file in the /etc/security/pwquality.conf.d/ directory for clarity, convenience, and durability.
Remediation#
Create or modify a file ending in .conf in the /etc/security/pwquality.conf.d/ directory, or the file /etc/security/pwquality.conf, and add or modify the following line to set maxsequence to 3 or less and not 0. Ensure the setting conforms to local site policy.
Example:
Run the following command:
Edit any returned files and remove the maxsequence argument from the pam_pwquality.so line(s):
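The following POSIX shell script is an added example, not part of the CIS text and not a CIS-supplied script. It serves both the Note above (one location, order of precedence) and the remediation steps: it lists every location under a staging root that sets maxsequence (the pam_pwquality.so module argument, /etc/security/pwquality.conf, and each pwquality.conf.d/*.conf), fails the audit unless exactly one location sets it to 1-3, and remediates by writing a single drop-in file, commenting out any maxsequence line in pwquality.conf, and removing the module argument from common-password. The ROOT staging directory, the drop-in file name 50-pwmaxsequence.conf, and the sample configuration files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the CIS text): find every location where maxsequence
# is configured, fail the audit unless exactly one location sets it to 1-3, and
# remediate by writing a single drop-in file and stripping the module argument.
# ROOT stands in for "/" so the functions can be exercised on constructed files.

# Last "maxsequence = N" line in a pwquality-style file (commented lines ignored).
conf_value() {
    sed -n -E 's/^[[:space:]]*maxsequence[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' "$1" | tail -n 1
}

# Value of the maxsequence argument on an active pam_pwquality.so line, if any.
pam_value() {
    sed 's/#.*//' "$1" |
    grep -E '^[[:space:]]*password[[:space:]]+(requisite|required|sufficient)[[:space:]]+pam_pwquality\.so' |
    sed -n -E 's/.*[[:space:]]maxsequence[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' | tail -n 1
}

# Print "<file> <value>" for each location that sets maxsequence:
# the pam line, /etc/security/pwquality.conf, then each pwquality.conf.d/*.conf.
list_maxsequence() {
    root="$1"
    f="$root/etc/pam.d/common-password"
    if [ -f "$f" ]; then
        v=$(pam_value "$f"); [ -n "$v" ] && echo "$f $v"
    fi
    f="$root/etc/security/pwquality.conf"
    if [ -f "$f" ]; then
        v=$(conf_value "$f"); [ -n "$v" ] && echo "$f $v"
    fi
    for f in "$root"/etc/security/pwquality.conf.d/*.conf; do
        [ -f "$f" ] || continue
        v=$(conf_value "$f"); [ -n "$v" ] && echo "$f $v"
    done
    return 0
}

# Return 0 only when exactly one location sets maxsequence and its value is 1-3.
# Unset means the default 0, which disables the sequential-character check.
audit_maxsequence() {
    out=$(list_maxsequence "$1")
    n=$(printf '%s\n' "$out" | grep -c . || true)
    if [ "$n" -eq 0 ]; then echo "FAIL: maxsequence not set (default 0)"; return 1; fi
    if [ "$n" -gt 1 ]; then echo "FAIL: maxsequence set in $n locations:"; echo "$out"; return 1; fi
    v=${out##* }
    case "$v" in 1|2|3) echo "PASS: $out"; return 0 ;; esac
    echo "FAIL: maxsequence=$v is not 1-3: $out"; return 1
}

# Remediate under ROOT: write one drop-in (file name 50-pwmaxsequence.conf is an
# assumption), comment out any maxsequence line in pwquality.conf, and remove the
# argument from pam_pwquality.so line(s) so the setting lives in one place.
remediate_maxsequence() {
    root="$1"; value="${2:-3}"
    d="$root/etc/security/pwquality.conf.d"
    mkdir -p "$d"
    printf '%s\n' "maxsequence = $value" > "$d/50-pwmaxsequence.conf"
    for f in "$root/etc/security/pwquality.conf" "$root/etc/pam.d/common-password"; do
        [ -f "$f" ] || continue
        # first expression only matches pwquality-style lines, second only pam lines
        sed -E -e 's/^([[:space:]]*maxsequence[[:space:]]*=)/# \1/' \
               -e '/pam_pwquality\.so/ s/[[:space:]]+maxsequence[[:space:]]*=[[:space:]]*[0-9]+//g' \
               "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Constructed sample tree (not a real system): the module argument sets
# maxsequence=0, the case the page's second audit grep reports as a finding.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/pam.d" "$root/etc/security/pwquality.conf.d"
    printf '%s\n' \
        'password requisite pam_pwquality.so retry=3 maxsequence=0' \
        'password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt' \
        > "$root/etc/pam.d/common-password"
    printf '%s\n' '# maxsequence = 0' > "$root/etc/security/pwquality.conf"
    echo "$root"
}

root=$(make_sample)
audit_maxsequence "$root" || true   # FAIL: maxsequence=0 on the pam line
remediate_maxsequence "$root" 3
audit_maxsequence "$root"           # PASS: only the drop-in sets it, to 3
rm -rf "$root"
```

Passing an empty string as the root runs the audit against the live paths; the remediation function rewrites /etc/pam.d/common-password and /etc/security/pwquality.conf in place, so on a live system review those changes (and run as root) rather than calling it blindly.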
Default Value: maxsequence = 0