{"description": "The pam_pwquality module's <tt>enforce_for_root</tt> parameter controls requirements for\nenforcing password complexity for the root user. Enable the <tt>enforce_for_root</tt>\nsetting in <tt>/etc/security/pwquality.conf</tt> to require the <tt>root</tt> user\nto use complex passwords.", "rationale": "Use of a complex password helps to increase the time and resources required to compromise\nthe password. Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a\npassword. The more complex the password, the greater the number of possible combinations\nthat need to be tested before the password is compromised.", "severity": "medium", "references": {"nist": ["IA-5(c)", "IA-5(1)(a)", "CM-6(a)", "IA-5(4)"], "srg": ["SRG-OS-000072-GPOS-00040", "SRG-OS-000071-GPOS-00039", "SRG-OS-000070-GPOS-00038", "SRG-OS-000266-GPOS-00101", "SRG-OS-000078-GPOS-00046", "SRG-OS-000480-GPOS-00225", "SRG-OS-000069-GPOS-00037"], "cis": ["5.3.3.2.8"]}, "control_references": {"cis": ["5.3.3.2.8"]}, "components": [], "identifiers": {}, "ocil_clause": "\"enforce_for_root\" is commented or missing", "ocil": "Verify that Ubuntu 22.04 enforces password complexity rules for the root account.\n\nCheck if root user is required to use complex passwords with the following command:\n\n<pre>$ grep enforce_for_root /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf\n\n/etc/security/pwquality.conf:enforce_for_root</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to enforce password complexity on the root account.\n\nAdd or update the following line in /etc/security/pwquality.conf:\n\nenforce_for_root", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must enforce password complexity rules for the root account.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must enforce password complexity rules for the root account.", "vuldiscussion": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.", "checktext": "Verify that Ubuntu 22.04 enforces password complexity rules for the root account.\n\nCheck if root user is required to use complex passwords with the following command:\n\n$ grep enforce_for_root /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf\n\n/etc/security/pwquality.conf:enforce_for_root\n\nIf \"enforce_for_root\" is commented or missing, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to enforce password complexity on the root account.\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file or a configuration file in the \"/etc/security/pwquality.conf.d/\" directory to contain the \"enforce_for_root\" parameter:\n\nenforce_for_root"}}, "platform": "package[libpwquality]", "platforms": ["package[libpwquality]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_libpwquality"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure PAM Enforces Password Requirements - Enforce for root User", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml", "template": {"name": "lineinfile", "vars": {"text": "enforce_for_root", "path": "/etc/security/pwquality.conf"}, "backends": {"oval": "off"}}}