Check: AZLX-23-002489 (Amazon Linux 2023 STIG, version v1 r1)
Title
Amazon Linux 2023 must ensure the password complexity module is enabled in the password-auth file. (Cat II impact)
Discussion
Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks.
Check Content
Verify Amazon Linux 2023 uses "pwquality" to enforce the password complexity rules in the password-auth file with the following command:

```
$ grep pam_pwquality /etc/pam.d/password-auth
password required pam_pwquality.so
```

If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.

If the system administrator can demonstrate that the required configuration is contained in a PAM configuration file included or substacked from the system-auth file, this is not a finding.
Fix Text
Configure Amazon Linux 2023 to use "pwquality" to enforce password complexity rules. Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value):

```
password required pam_pwquality.so
```
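The check above, automated as an added example (not part of the STIG text): it treats a commented-out line as a finding and follows one level of `password include`/`password substack` so a stack that defers to system-auth is recognised, as the check content allows. `PAM_DIR` is an assumed parameter naming the directory of the stack files, and the fixture files are constructed samples, not real system files.

```shell
#!/bin/sh
# Added example, not part of the STIG text: automate the AZLX-23-002489 check.
# check_pwquality FILE returns 0 (not a finding) when FILE, or a file it pulls in
# with "password include"/"password substack", has an active line loading
# pam_pwquality.so; it returns 1 (finding) otherwise. PAM_DIR is an assumed
# parameter naming the directory of the stack files (default /etc/pam.d).
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# Active (uncommented) "password ... pam_pwquality.so" line in one file?
pwquality_in_file() {
    grep -Eq '^[[:space:]]*password[[:space:]].*pam_pwquality\.so' "$1" 2>/dev/null
}

check_pwquality() {
    pwquality_in_file "$1" && return 0
    # Follow one level of include/substack, the case the check text allows.
    for inc in $(awk '$1 == "password" && ($2 == "include" || $2 == "substack") { print $3 }' "$1"); do
        pwquality_in_file "$PAM_DIR/$inc" && return 0
    done
    return 1
}

# Constructed sample stacks for exercising the check offline (not real system files).
write_fixtures() {
    printf 'password    required      pam_pwquality.so try_first_pass local_users_only\n' > "$1/direct"
    printf '#password    required      pam_pwquality.so try_first_pass\n' > "$1/commented"
    printf 'password    substack      system-auth\n' > "$1/substacked"
    printf 'password    sufficient    pam_unix.so sha512 shadow\n' > "$1/missing"
    printf 'password    requisite     pam_pwquality.so local_users_only\n' > "$1/system-auth"
}

# Stand-alone run: "sh check.sh --live" evaluates the real file and exits 1 on a finding.
if [ "${1:-}" = "--live" ]; then
    if check_pwquality "$PAM_DIR/password-auth"; then
        echo "AZLX-23-002489: pam_pwquality.so active in password-auth (not a finding)"
    else
        echo "AZLX-23-002489: pam_pwquality.so missing or commented out (FINDING)"; exit 1
    fi
fi
```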
Additional Identifiers
Rule ID: SV-274161r1120471_rule
Vulnerability ID: V-274161
Group Title: SRG-OS-000069-GPOS-00037
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000192 | The information system enforces password complexity by the minimum number of upper case characters used. |
| CCI-000193 | The information system enforces password complexity by the minimum number of lower case characters used. |
| CCI-004066 | For password-based authentication, enforce organization-defined composition and complexity rules. |
Controls
| Number | Title |
|---|---|
| IA-5(1) | Password-based Authentication |