
5.4.1 Ensure password creation requirements are configured (Scored)

Open shawndwells opened this issue 5 years ago • 3 comments

Will require breaking down into individual rules

shawndwells avatar Mar 29 '20 04:03 shawndwells

Only rule for try_first_pass is needed, others are covered by:

  • accounts_password_pam_retry
  • accounts_password_pam_minlen
  • accounts_password_pam_minclass

yuumasato avatar May 19 '20 21:05 yuumasato

Can we reopen this one? The try_first_pass rule was never implemented so we haven't fully met this control.

alexhaydock avatar Aug 05 '21 08:08 alexhaydock

I confirmed this rule is missing.

marcusburghardt avatar Jul 15 '22 08:07 marcusburghardt

I reserved some time to investigate this case today and here is some information from the analysis.

I have checked RHEL7, RHEL8, RHEL9 and Fedora systems and confirmed that pam_pwquality.so is, by default, always the first module in the password stack. I also didn't find any realistic demand to include another module before it. Therefore, the try_first_pass option is useless in pam_pwquality.so. This option is also not available in the pwquality.conf file and is not part of the default authselect profiles.

I already proposed to remove it from the description and audit sections in the CIS Benchmark:

  • https://workbench.cisecurity.org/sections/1149671/recommendations/1873468
  • https://workbench.cisecurity.org/sections/1619100/recommendations/2856243

marcusburghardt avatar Mar 07 '23 08:03 marcusburghardt
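The argument in the analysis above rests on module order: try_first_pass only has an effect on pam_pwquality.so when some earlier module in the password stack has already collected a password. The following script, an added example that is not part of this issue or of the ComplianceAsCode project, parses the password stack of a PAM service file and reports whether pam_pwquality.so is first and whether it carries try_first_pass, so an auditor can verify the claim on a given host instead of grepping for the option. The PAM file contents are constructed samples that only imitate the layout of an authselect-generated system-auth; the function names are this example's own.

```python
"""Report the order of the PAM 'password' stack and the options given to
pam_pwquality.so.  Added example; the sample PAM contents are constructed
and do not come from any real system or from the ComplianceAsCode project."""
import re

# Constructed sample imitating the layout of an authselect-generated
# /etc/pam.d/system-auth: pam_pwquality.so is the first password module.
PAM_DEFAULT = """\
# Generated by authselect (constructed sample)
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
password    requisite     pam_pwquality.so local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
"""

# Constructed counter-example: a module placed before pam_pwquality.so,
# the only situation in which try_first_pass on pam_pwquality.so matters.
PAM_REORDERED = """\
password    [success=1 default=ignore] pam_hypothetical_first.so
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow use_authtok
"""

_LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def split_pam_line(line):
    """Split one PAM line into (facility, control, module, options).

    Handles bracketed control values such as '[success=1 default=ignore]'
    and the optional leading '-' that marks a module as non-fatal if missing.
    Returns None for lines that do not look like PAM entries."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    facility, control, module, rest = m.groups()
    return facility.lstrip("-"), control, module, rest.split()


def parse_stack(text, facility="password"):
    """Return [(control, module, [options])] for one facility, in file order.
    Comments and blank lines are skipped; other facilities are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parsed = split_pam_line(line)
        if parsed is None or parsed[0] != facility:
            continue
        _, control, module, options = parsed
        entries.append((control, module, options))
    return entries


def check_pwquality(text):
    """Summarise the pam_pwquality.so configuration in a PAM service file."""
    stack = parse_stack(text, "password")
    modules = [module for _, module, _ in stack]
    pwq_opts = [opts for _, module, opts in stack if module == "pam_pwquality.so"]
    return {
        "stack": modules,
        "pwquality_present": bool(pwq_opts),
        "pwquality_first": bool(modules) and modules[0] == "pam_pwquality.so",
        "pwquality_has_try_first_pass": any("try_first_pass" in o for o in pwq_opts),
    }


if __name__ == "__main__":
    for name, content in (("default", PAM_DEFAULT), ("reordered", PAM_REORDERED)):
        report = check_pwquality(content)
        print(f"{name}: stack={report['stack']}")
        print(f"  pam_pwquality.so first: {report['pwquality_first']}, "
              f"try_first_pass set: {report['pwquality_has_try_first_pass']}")
```

On a real host the same functions can be fed the contents of /etc/pam.d/system-auth and /etc/pam.d/password-auth; when pam_pwquality.so is first, as the analysis above found for the default profiles, a missing try_first_pass on that line is not a finding.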