Check: UBTU-16-010099
Canonical Ubuntu 16.04 LTS STIG:
UBTU-16-010099
(in versions v2 r3 through v1 r3)
Title
The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used. (Cat II impact)
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
Check Content
Verify that the "libpam-pwquality" module is installed:

# dpkg -l | grep libpam-pwquality
ii libpam-pwquality:amd64 1.3.0-0ubuntu1

If the "libpam-pwquality" package is not installed, this is a finding.

Verify the operating system uses "pwquality" to enforce the password complexity rules. Check for the use of "pwquality" with the following command:

# cat /etc/pam.d/common-password | grep pam_pwquality
password required pam_pwquality.so retry=3

If the command does not return an uncommented line containing the value "pam_pwquality.so", this is a finding.

If the value of "retry" is set to "0" or greater than "3", this is a finding.
Fix Text
Configure the operating system to use "pam_pwquality" to enforce password complexity rules.

Install the "libpam-pwquality" package:

# sudo apt install libpam-pwquality

Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password required pam_pwquality.so retry=3

Note: The value of "retry" should be between "1" and "3".
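The check above can be scripted so the same logic runs on every host. The following POSIX sh helper is an added example, not code from DISA or Canonical: check_pwquality_file applies the common-password rule (an uncommented line whose first token is "password" and which references pam_pwquality.so, with retry between 1 and 3), and check_pwquality_package uses dpkg-query for the package test. A line with no retry= value is reported as a finding here because the fix text requires retry to be set between 1 and 3; the function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Helper for UBTU-16-010099. Added example; not DISA's or Canonical's code.

# check_pwquality_file FILE -> returns 0 when FILE (normally
# /etc/pam.d/common-password) has an uncommented "password ... pam_pwquality.so"
# line whose retry value is 1..3; returns 1 (and prints why) otherwise.
# A missing retry= is treated as a finding (assumption: the fix text requires
# retry to be set between 1 and 3).
check_pwquality_file() {
    file="$1"
    # Only lines whose first token is "password" count; "#"-commented lines do not.
    line=$(grep -E '^[[:space:]]*password[[:space:]]+.*pam_pwquality\.so' "$file" 2>/dev/null | head -n 1 || true)
    if [ -z "$line" ]; then
        echo "FINDING: no uncommented pam_pwquality.so line in $file"
        return 1
    fi
    # Extract the digits after "retry="; empty if the option is absent.
    retry=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]retry=\([0-9]*\).*/\1/p')
    if [ -z "$retry" ]; then
        echo "FINDING: pam_pwquality.so line has no retry= value: $line"
        return 1
    fi
    if [ "$retry" -lt 1 ] || [ "$retry" -gt 3 ]; then
        echo "FINDING: retry=$retry is outside 1..3: $line"
        return 1
    fi
    echo "OK: $line"
    return 0
}

# check_pwquality_package -> returns 0 when libpam-pwquality is installed.
check_pwquality_package() {
    if dpkg-query -W -f='${Status}\n' libpam-pwquality 2>/dev/null | grep -q 'install ok installed'; then
        echo "OK: libpam-pwquality is installed"
        return 0
    fi
    echo "FINDING: libpam-pwquality is not installed"
    return 1
}

# Live check on a target host (run as root):
#   check_pwquality_package && check_pwquality_file /etc/pam.d/common-password
# Below, the file check is exercised on constructed sample files so the script
# also runs offline and shows each outcome.
demo_dir=$(mktemp -d)
printf 'password required pam_pwquality.so retry=3\n'   > "$demo_dir/compliant"
printf '# password required pam_pwquality.so retry=3\n' > "$demo_dir/commented"
printf 'password required pam_pwquality.so retry=5\n'   > "$demo_dir/too_many"
for f in compliant commented too_many; do
    check_pwquality_file "$demo_dir/$f" || true
done
rm -rf "$demo_dir"
```

Run it with sh on the host after replacing the demo loop's sample files with /etc/pam.d/common-password; the package test is kept separate so the file logic can be tested on any machine, including one without dpkg.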
Additional Identifiers
Rule ID: SV-214948r610931_rule
Vulnerability ID: V-214948
Group Title: SRG-OS-000069-GPOS-00037
CCIs
Number | Definition
---|---
CCI-000192 | The information system enforces password complexity by the minimum number of upper case characters used.
CCI-000193 | The information system enforces password complexity by the minimum number of lower case characters used.
CCI-000194 | The information system enforces password complexity by the minimum number of numeric characters used.
CCI-000195 | The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.
CCI-000200 | The information system prohibits password reuse for the organization-defined number of generations.
CCI-000205 | The information system enforces minimum password length.
CCI-001619 | The information system enforces password complexity by the minimum number of special characters used.
Controls
Number | Title
---|---
IA-5 (1) | Password-Based Authentication