This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

Ubuntu 22.04 LTS must be configured so that when passwords are changed or new passwords are established, pwquality must be used.

STIG ID: UBTU-22-611045 | SRG: SRG-OS-000480-GPOS-00225 | Severity: medium (CAT II) | CCI: CCI-000366 | Vulnerability Id: V-260567

Vulnerability Discussion

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.

Check

Verify Ubuntu 22.04 LTS enforces password complexity rules by using the following command:

$ grep -i enforcing /etc/security/pwquality.conf
enforcing = 1

If "enforcing" is not "1", is commented out, or is missing, this is a finding.

Check for the use of "pwquality" by using the following command:

$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality
password requisite pam_pwquality.so retry=3

If "retry" is set to "0" or is greater than "3", or is missing, this is a finding.

Fix

Configure Ubuntu 22.04 LTS to enforce password complexity rules.

Add or modify the following line in the "/etc/security/pwquality.conf" file:

enforcing = 1

Add or modify the following line in the "/etc/pam.d/common-password" file:

password requisite pam_pwquality.so retry=3

Note: The value of "retry" should be between "1" and "3".
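
To confirm the result after applying the fix, the two tests from the Check section can be scripted as below. This is an added example, not part of the STIG text: the function names are illustrative, only the two files named in the check are read, and any active "enforcing" line with a value other than 1 is conservatively treated as a finding.

```sh
#!/bin/sh
# Added example: audit helper for the two checks in UBTU-22-611045.
# Function names are illustrative; paths are parameters so copies can be tested.

# Pass only if every uncommented "enforcing" line in the file is set to 1.
check_enforcing() {
    conf="${1:-/etc/security/pwquality.conf}"
    [ -r "$conf" ] || return 1
    # Emit "v=<value>" per active line; lines starting with "#" never match.
    vals=$(sed -n 's/^[[:space:]]*enforcing[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/v=\1/p' "$conf")
    [ -n "$vals" ] || return 1                     # missing or commented out
    ! printf '%s\n' "$vals" | grep -qvx 'v=1'      # any other value is a finding
}

# Pass only if an active requisite pam_pwquality line carries retry=1..3.
check_retry() {
    pam="${1:-/etc/pam.d/common-password}"
    [ -r "$pam" ] || return 1
    line=$(grep -E '^[[:space:]]*password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so' "$pam" | head -n 1)
    [ -n "$line" ] || return 1                     # module absent or commented out
    retry=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]retry=\([0-9][0-9]*\).*/\1/p')
    [ -n "$retry" ] || return 1                    # retry option missing
    [ "$retry" -ge 1 ] && [ "$retry" -le 3 ]
}

# Report both checks; returns non-zero if either one is a finding.
audit_pwquality() {
    rc=0
    check_enforcing "$1" || { echo "FINDING: enforcing = 1 not active in ${1:-/etc/security/pwquality.conf}"; rc=1; }
    check_retry "$2" || { echo "FINDING: pam_pwquality retry not in 1..3 in ${2:-/etc/pam.d/common-password}"; rc=1; }
    [ "$rc" -eq 0 ] && echo "UBTU-22-611045: not a finding"
    return "$rc"
}

# Constructed sample: enforcing commented out and retry=5, so both checks report.
demo=$(mktemp -d)
printf '# enforcing = 1\nminlen = 15\n' > "$demo/pwquality.conf"
printf 'password requisite pam_pwquality.so retry=5\n' > "$demo/common-password"
audit_pwquality "$demo/pwquality.conf" "$demo/common-password" || true
rm -rf "$demo"
```

Calling audit_pwquality with no arguments checks the live files under /etc.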