5.3.3.2.6 Ensure password dictionary check is enabled
Audit
Run the following command to verify that the dictcheck option is not set to 0 (disabled) in a pwquality configuration file:
# grep -Psi -- '^\h*dictcheck\h*=\h*0\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
Run the following command to verify that the dictcheck option is not set to 0 (disabled) as a module argument in a PAM file:
# grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?dictcheck\h*=\h*0\b' /etc/pam.d/common-password
Note:
- Settings should be configured in only one location for clarity.
- Settings observe an order of precedence:
  - module arguments override the settings in the /etc/security/pwquality.conf configuration file
  - settings in the /etc/security/pwquality.conf configuration file override settings in a .conf file in the /etc/security/pwquality.conf.d/ directory
  - settings in a .conf file in the /etc/security/pwquality.conf.d/ directory are read in canonical order, with the last read file containing the setting taking precedence
- It is recommended that settings be configured in a .conf file in the /etc/security/pwquality.conf.d/ directory for clarity, convenience, and durability.
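The precedence order in the note can be checked mechanically. The following is an added example, not part of the benchmark text: it resolves which dictcheck value wins using exactly the order stated above. The function names and the ROOT path prefix are assumptions made for illustration, and the sample tree is constructed.

```bash
# Added example: resolve the effective dictcheck value by the precedence in the note.
# ROOT (first argument) is a hypothetical path prefix so a constructed tree can be checked.
conf_value() {   # last "dictcheck = N" in a pwquality-style file; commented lines do not match
    [ -f "$1" ] || return 0
    sed -nE 's/^[[:space:]]*dictcheck[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' "$1" | tail -n 1
}

# dictcheck=N given as a module argument on an active pam_pwquality.so line
pam_value() {
    [ -f "$1" ] || return 0
    grep -E '^[[:space:]]*password[[:space:]]+[^#]*pam_pwquality\.so' "$1" |
        sed -nE 's/#.*//; s/.*[[:space:]]dictcheck[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' |
        tail -n 1
}

# Prints "<value> <source>": PAM argument, then pwquality.conf, then drop-ins, then default
effective_dictcheck() {
    local root=$1 v f last="" src=""
    v=$(pam_value "$root/etc/pam.d/common-password")
    if [ -n "$v" ]; then echo "$v pam:common-password"; return; fi
    v=$(conf_value "$root/etc/security/pwquality.conf")
    if [ -n "$v" ]; then echo "$v pwquality.conf"; return; fi
    for f in "$root"/etc/security/pwquality.conf.d/*.conf; do   # glob expands in sorted order
        v=$(conf_value "$f")
        if [ -n "$v" ]; then last=$v; src=${f##*/}; fi           # last file read wins
    done
    if [ -n "$last" ]; then echo "$last pwquality.conf.d/$src"; return; fi
    echo "1 default"
}

# Constructed sample tree: the drop-ins disagree and the main file has the setting commented out
make_sample_tree() {
    local t
    t=$(mktemp -d)
    mkdir -p "$t/etc/security/pwquality.conf.d" "$t/etc/pam.d"
    echo 'dictcheck = 0' > "$t/etc/security/pwquality.conf.d/10-base.conf"
    echo 'dictcheck = 1' > "$t/etc/security/pwquality.conf.d/50-local.conf"
    echo '# dictcheck = 0' > "$t/etc/security/pwquality.conf"
    echo 'password requisite pam_pwquality.so retry=3' > "$t/etc/pam.d/common-password"
    echo "$t"
}

tree=$(make_sample_tree)
effective_dictcheck "$tree"
rm -rf "$tree"
```

In the sample tree the winning value is 1, yet the audit grep above still reports 10-base.conf, which is why the remediation removes every dictcheck = 0 instance rather than relying on precedence.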
Remediation
Edit any file ending in .conf in the /etc/security/pwquality.conf.d/ directory and/or the file /etc/security/pwquality.conf and comment out or remove any instance of dictcheck = 0:
Example:
# sed -ri 's/^\s*dictcheck\s*=/# &/' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
Run the following command:
Edit any returned files and remove the dictcheck argument from the pam_pwquality.so line(s):
Default Value: dictcheck = 1