Profile Applicability:
 • Level 1

Description:
 The pam_pwquality module enforces password quality requirements such as complexity, length, and dictionary checks. Enabling this module strengthens password policies and enhances overall system authentication security.

Rationale:
 Using 
pam_pwquality prevents users from selecting weak passwords, reducing the risk of compromise through simple or easily guessable credentials.

Impact:
 Pros:

  • Enforces strong password complexity and quality.

  • Supports compliance with security standards.

Cons:

  • May require user education on password requirements.

  • Misconfiguration can cause authentication issues.

Default Value:
 
pam_pwquality may not be enabled by default on all systems.

Pre-requisites:

  • Root or sudo privileges to modify PAM configuration files.

Remediation:

Test Plan:

Using Linux command line:

1. Check PAM configuration files (e.g., /etc/pam.d/system-auth/etc/pam.d/password-auth) for pam_pwquality usage:

grep pam_pwquality /etc/pam.d/system-auth /etc/pam.d/password-auth

2. Verify that the module is enabled.

Implementation Plan:

Using Linux command line:

1. Edit PAM configuration files to include pam_pwquality, for example:

password requisite pam_pwquality.so retry=3

2. Save changes.

Backout Plan:

Using Linux command line:

  1. Remove or comment out pam_pwquality entries if necessary.

  2. Test password change and authentication behavior.

References: