Profile Applicability:
• Level 1
Description:
The pam_pwquality module enforces password quality requirements such as complexity, length, and dictionary checks. Enabling this module strengthens password policies and enhances overall system authentication security.
Rationale:
Using pam_pwquality prevents users from selecting weak passwords, reducing the risk of compromise through simple or easily guessable credentials.
Impact:
Pros:
Enforces strong password complexity and quality.
Supports compliance with security standards.
Cons:
May require user education on password requirements.
Misconfiguration can cause authentication issues.
Default Value:
pam_pwquality may not be enabled by default on all systems.
Pre-requisites:
Root or sudo privileges to modify PAM configuration files.
Remediation:
Test Plan:
Using Linux command line:
1. Check PAM configuration files (e.g., /etc/pam.d/system-auth, /etc/pam.d/password-auth) for pam_pwquality usage:
grep pam_pwquality /etc/pam.d/system-auth /etc/pam.d/password-auth
2. Verify that the module is enabled.
Implementation Plan:
Using Linux command line:
1. Edit PAM configuration files to include pam_pwquality, for example:
password requisite pam_pwquality.so retry=3
2. Save changes.
Backout Plan:
Using Linux command line:
Remove or comment out pam_pwquality entries if necessary.
Test password change and authentication behavior.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pam_pwquality Manual