Amazon Linux 2023 must ensure the password complexity module is enabled in the password-auth file.

STIG ID: AZLX-23-002489  |  SRG: SRG-OS-000069-GPOS-00037 |  Severity: medium (CAT II)  |  CCI: CCI-004066,CCI-000192,CCI-000193 |  Vulnerability Id: V-274161

Vulnerability Discussion

Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks.

Check

Verify Amazon Linux 2023 uses "pwquality" to enforce the password complexity rules in the password-auth file with the following command:

$ grep pam_pwquality /etc/pam.d/password-auth
password required pam_pwquality.so

If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.

If the system administrator can demonstrate that the required configuration is contained in a PAM configuration file included or substacked from the system-auth file, this is not a finding.

Fix

Configure Amazon Linux 2023 to use "pwquality" to enforce password complexity rules.

Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value):

password required pam_pwquality.so
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.