Check: RHEL-09-611040
RHEL 9 STIG:
RHEL-09-611040
(in versions v1 r3 through v1 r1)
Title
RHEL 9 must ensure the password complexity module is enabled in the password-auth file. (Cat II impact)
Discussion
Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks. Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000480-GPOS-00227
Check Content
Verify RHEL 9 uses "pwquality" to enforce the password complexity rules in the password-auth file with the following command: $ cat /etc/pam.d/password-auth | grep pam_pwquality password required pam_pwquality.so If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.
Fix Text
Configure RHEL 9 to use "pwquality" to enforce password complexity rules. Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): password required pam_pwquality.so
Additional Identifiers
Rule ID: SV-258097r926278_rule
Vulnerability ID: V-258097
Group Title: SRG-OS-000069-GPOS-00037
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000192 |
The information system enforces password complexity by the minimum number of upper case characters used. |
| CCI-000193 |
The information system enforces password complexity by the minimum number of lower case characters used. |
| CCI-000366 |
The organization implements the security configuration settings. |