CCE-95046-9
Platform: cpe:/o:debian:debian_linux:11.x, cpe:/o:ubuntu:ubuntu_linux:20.04, cpe:/o:ubuntu:ubuntu_linux:22.04, cpe:/o:ubuntu:ubuntu_linux:23.04
Date: (C)2020-10-15 (M)2023-09-01
The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, that it meets a minimum length, that it contains a mix of character classes (e.g. alphabetic, numeric, other) and more. The following are definitions of the pam_cracklib.so options:
* retry=3 - allow 3 tries before sending back a failure.
* minlen=14 - the password must be 14 characters or more.
* dcredit=-1 - require at least one digit.
* ucredit=-1 - require at least one uppercase character.
* ocredit=-1 - require at least one special character.
* lcredit=-1 - require at least one lowercase character.
* enforcing=1 - force the user to follow the password policy rules.
The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.
Rationale:
Strong passwords protect systems from being compromised through brute-force methods.
Fix:
Set the following parameters as mentioned below in /etc/security/pwquality.conf:
minlen=14
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1
enforcing=1
Set the retry parameter as follows in /etc/pam.d/common-password:
password required pam_cracklib.so retry=3
Parameter:
[-2/-1/0, -2/-1/0, -2/-1/0, -2/-1/0, 3 attempts, minimum length 14 or more]
Technical Mechanism:
Set the following parameters as mentioned below in /etc/security/pwquality.conf:
minlen=14
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1
enforcing=1
Set the retry parameter as follows in /etc/pam.d/common-password:
password required pam_cracklib.so retry=3
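The following audit script is an added example, not part of this CCE record or of SecPod's tooling. It parses constructed copies of /etc/security/pwquality.conf and the pam_cracklib.so line from /etc/pam.d/common-password and reports every parameter that is unset or weaker than the policy listed in the Fix section (the sample deliberately leaves ucredit at 0 so that one finding is produced); to audit a real host, read the two files into the functions instead of the sample strings.

```python
import re

# Constructed sample of /etc/security/pwquality.conf; ucredit is deliberately out of policy.
SAMPLE_PWQUALITY_CONF = """\
# minlen = 8
minlen = 14
dcredit = -1
ucredit = 0
ocredit = -1
lcredit = -1
enforcing = 1
"""
# Constructed sample line from /etc/pam.d/common-password.
SAMPLE_COMMON_PASSWORD = "password required pam_cracklib.so retry=3\n"

# Policy from the Fix section: minlen 14 or more, each credit -1 (or stricter), enforcing on.
POLICY = {"minlen": lambda v: v >= 14, "enforcing": lambda v: v == 1,
          **{c: (lambda v: v <= -1) for c in ("dcredit", "ucredit", "ocredit", "lcredit")}}

def parse_pwquality(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments; the last value wins."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep and value.strip().lstrip("-").isdigit():  # non-numeric options are ignored
            settings[key.strip()] = int(value.strip())
    return settings

def audit_pwquality(text):
    """Return one finding per policy key that is unset or out of range; [] means compliant."""
    settings = parse_pwquality(text)
    findings = []
    for key, ok in POLICY.items():
        if key not in settings:
            findings.append(f"{key}: not set (module default applies)")
        elif not ok(settings[key]):
            findings.append(f"{key}={settings[key]}: does not meet policy")
    return findings

def audit_retry(text, expected=3):
    """Check that the first active (uncommented) pam_cracklib.so line has retry=<expected>."""
    for line in text.splitlines():
        if line.lstrip().startswith("#") or "pam_cracklib.so" not in line:
            continue
        m = re.search(r"\bretry=(\d+)", line)
        if m and int(m.group(1)) == expected:
            return []
        return [f"pam_cracklib.so line has retry={m.group(1) if m else 'unset'}, expected {expected}"]
    return ["no active pam_cracklib.so line in common-password"]
```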
CCSS Severity:
CCSS Score: 9.8
Exploit Score: 3.9
Impact Score: 5.9
Severity: CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CCSS Metrics:
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
References:
Resource Id | Reference
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:85122
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:92190
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:65958
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:87305