{"description": "The pam_pwquality module's <tt>local_users_only</tt> parameter controls requirements for\nenforcing password complexity by pam_pwquality only for local user accounts and ignoring\ncentralized user account management password complexity configurations. Enable the <tt>local_users_only</tt>\nsetting in <tt>/etc/security/pwquality.conf</tt> to require password complexity enforcement\nfor only local user accounts.", "rationale": "The operating system must provide automated mechanisms for supporting account management\nfunctions. Enterprise environments make application account management challenging and\ncomplex. A manual process for account management functions adds the risk of a potential\noversight or other error.", "severity": "medium", "references": {"nist": ["AC-2(1)"], "srg": ["SRG-OS-000001-GPOS-00001"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "local_users_only is not uncommented or configured correctly", "ocil": "To verify that password complexity is only enforced for local users, run the following command:\n<pre>$ grep local_users_only /etc/security/pwquality.conf</pre>\nThe output should return <tt>local_users_only</tt> uncommented.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"management": "Using this rule bypasses pam_faillock's functionality and should be used in cases\nwhere centralized management such as LDAP or Active Directory is in use."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[libpwquality]", "platforms": ["package[libpwquality]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_libpwquality"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only", "definition_location": 
"/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml", "template": {"name": "lineinfile", "vars": {"text": "local_users_only", "path": "/etc/security/pwquality.conf", "oval_extend_definitions": ["accounts_password_pam_pwquality"]}, "backends": {}}}