5.3.3.2.7 Ensure password quality checking is enforced
Audit
Run the following command to verify that enforcing=0 has not been set in a pwquality configuration file:
# grep -PHsi -- '^\h*enforcing\h*=\h*0\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
Run the following command to verify that the enforcing=0 argument has not been set on the pam_pwquality module:
# grep -PHsi -- '^\h*password\h+[^#\n\r]+\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?enforcing=0\b' /etc/pam.d/common-password
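The two audit checks above can be combined into one pass/fail function. This is an added example, not part of the benchmark: it uses POSIX ERE equivalents of the page's PCRE patterns so it runs without `grep -P`, and the root-prefix argument, the helper names and the sample files (including `50-site.conf`) are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit both places where enforcing=0 can disable pwquality.
# $1 is an optional root prefix (hypothetical convenience); empty = live system.
audit_pwquality_enforcing() {
    root="${1:-}"; rc=0
    ws='[[:blank:]]'              # ERE stand-in for PCRE \h
    end='([^[:alnum:]_]|$)'       # ERE stand-in for PCRE \b after the 0
    # 1. pwquality.conf and its drop-in directory
    for f in "$root/etc/security/pwquality.conf" \
             "$root"/etc/security/pwquality.conf.d/*.conf; do
        [ -f "$f" ] || continue   # also skips an unexpanded glob
        if grep -Eiq -- "^${ws}*enforcing${ws}*=${ws}*0${end}" "$f"; then
            echo "FAIL: $f sets enforcing=0"; rc=1
        fi
    done
    # 2. enforcing=0 passed as a module argument in the PAM password stack
    f="$root/etc/pam.d/common-password"
    if [ -f "$f" ] && grep -Eiq -- \
        "^${ws}*password${ws}+[^#]+${ws}+pam_pwquality\.so${ws}+([^#]+${ws}+)?enforcing=0${end}" "$f"; then
        echo "FAIL: $f passes enforcing=0 to pam_pwquality.so"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: password quality checking is enforced"
    return "$rc"
}

# Build a constructed sample tree under $1.
# $2 = enforcing value written to the drop-in, $3 = extra PAM module arguments.
make_sample_tree() {
    mkdir -p "$1/etc/security/pwquality.conf.d" "$1/etc/pam.d"
    # A commented-out setting must not be reported.
    printf '# enforcing = 0\nminlen = 14\n' > "$1/etc/security/pwquality.conf"
    printf 'enforcing = %s\n' "$2" > "$1/etc/security/pwquality.conf.d/50-site.conf"
    printf 'password requisite pam_pwquality.so retry=3 %s\n' "$3" \
        > "$1/etc/pam.d/common-password"
}

demo() {
    t=$(mktemp -d) || return 1
    make_sample_tree "$t/bad" 0 "enforcing=0"
    make_sample_tree "$t/good" 1 ""
    audit_pwquality_enforcing "$t/bad" || true   # two FAIL lines expected
    audit_pwquality_enforcing "$t/good"          # PASS expected
    rm -rf "$t"
}
demo
```

Called with no argument, the function checks the live paths named in the audit commands and returns non-zero if either location sets `enforcing=0`.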
Remediation
Run the following command:
Edit any returned files and remove the enforcing=0 argument from the pam_pwquality.so line(s).
Edit /etc/security/pwquality.conf and all files ending in .conf in the /etc/security/pwquality.conf.d/ directory and remove or comment out any line containing the enforcing = 0 argument.
Example:
# sed -ri 's/^\s*enforcing\s*=\s*0/# &/' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
Default Value: enforcing=1