CIS 9.3.1: default value for pam_cracklib params

kallol · October 25, 2016, 7:06pm

I have set the dcredit ucredit, ocredit to -1 following CIS recommendation but the test fails, mostlikely due to mismatch in expected value.

pam-config -a --cracklib --cracklib-retry=3 --cracklib-minlen=14 --cracklib-dcredit=-1 --cracklib-ucredit=-1 --cracklib-ocredit=-1 --cracklib-lcredit=-1

Can you point me to the code that should be changed to fix this issue.

kallol · October 25, 2016, 7:32pm

apspal46-221:/etc # cat /etc/pam.d/common-password #%PAM-1.0

This file is autogenerated by pam-config. All changes

will be overwritten.

Password-related modules common to all services

This file is included from other service-specific PAM config files,

and should contain a list of modules that define the services to be

used to change user passwords.

password requisite pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password required pam_pwhistory.so remember=5
password required pam_unix.so use_authtok nullok shadow try_first_pass
apspal46-221:/etc # grep -E “^\spassword\s+(?:required|requisite)\s+pam_cracklib.so\s+(?:\S+\s+)ucredit=(-?\d+)(?:\s+\S+)\s$” /etc/pam.d/common-password

does not match.

I think the file to change is translated-controls.rb

Topic		Replies	Views
Idempotentation in chef Chef Automate	6	679	March 13, 2019
ChefDK PowerShell DSC xComputerManager and ps_credential Chef Infra (archive)	0	1088	October 3, 2016
Re: Solaris (sparc and i86) error while password change Chef Infra (archive)	4	413	July 16, 2014
Broken "not_if" in "assign-postgres-password" in "recipes/server.rb" in "opscode-cookbooks/postgresql" Chef Infra (archive)	0	252	January 5, 2013
Change cassandra password through chef Chef Infra (archive)	0	400	May 17, 2018