CIS 9.3.1: default value for pam_cracklib params

I have set the dcredit ucredit, ocredit to -1 following CIS recommendation but the test fails, mostlikely due to mismatch in expected value.

pam-config -a --cracklib --cracklib-retry=3 --cracklib-minlen=14 --cracklib-dcredit=-1 --cracklib-ucredit=-1 --cracklib-ocredit=-1 --cracklib-lcredit=-1

Can you point me to the code that should be changed to fix this issue.

apspal46-221:/etc # cat /etc/pam.d/common-password #%PAM-1.0

This file is autogenerated by pam-config. All changes

will be overwritten.

Password-related modules common to all services

This file is included from other service-specific PAM config files,

and should contain a list of modules that define the services to be

used to change user passwords.

password requisite retry=3 minlen=14 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password required remember=5
password required use_authtok nullok shadow try_first_pass
apspal46-221:/etc # grep -E “^\spassword\s+(?:required|requisite)\\s+(?:\S+\s+)ucredit=(-?\d+)(?:\s+\S+)\s$” /etc/pam.d/common-password

does not match.

I think the file to change is translated-controls.rb