{"description": "The pam_pwquality module's <tt>maxclassrepeat</tt> parameter controls requirements for\nconsecutive repeating characters from the same character class. When set to a positive number, it will reject passwords\nwhich contain more than that number of consecutive characters from the same character class. Modify the\n<tt>maxclassrepeat</tt> setting in <tt>/etc/security/pwquality.conf</tt> to equal <sub idref=\"var_password_pam_maxclassrepeat\" />\nto prevent a run of (<sub idref=\"var_password_pam_maxclassrepeat\" /> + 1) or more identical characters.", "rationale": "Use of a complex password helps to increase the time and resources required to compromise the password.\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting\nattempts at guessing and brute-force attacks.\n<br />\nPassword complexity is one factor of several that determines how long it takes to crack a password. The\nmore complex a password, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-5(c)", "IA-5(1)(a)", "CM-6(a)", "IA-5(4)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "srg": ["SRG-OS-000072-GPOS-00040", "SRG-OS-000730-GPOS-00190"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the value of \"maxclassrepeat\" is set to \"0\", more than \"<sub idref=\"var_password_pam_maxclassrepeat\" />\" or is commented out", "ocil": "Verify the value of the \"maxclassrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n<pre>$ grep maxclassrepeat /etc/security/pwquality.conf\n\nmaxclassrepeat = <sub idref=\"var_password_pam_maxclassrepeat\" /></pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to require the change of the number of repeating characters of the same character class when passwords are changed by setting the \"maxclassrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" conf (or modify the line to have the required value):\n\nmaxclassrepeat = <sub idref=\"var_password_pam_maxclassrepeat\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.", "vuldiscussion": "Use of a complex password helps to increase the time and resources required to compromise the password.\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting\nattempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The\nmore complex a password, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", "checktext": "Verify the value of the \"maxclassrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n$ grep maxclassrepeat /etc/security/pwquality.conf\n\nmaxclassrepeat = 4\n\nIf the value of \"maxclassrepeat\" is set to \"0\", more than \"4\" or is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to require the change of the number of repeating characters of the same character class when passwords are changed by setting the \"maxclassrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" conf (or modify the line to have the required value):\n\nmaxclassrepeat = 4"}}, "platform": "package[libpwquality]", "platforms": ["package[libpwquality]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_libpwquality"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml", "template": {"name": "accounts_password", "vars": {"variable": "maxclassrepeat", "operation": "less than or equal", "zero_comparison_operation": "greater than"}, "backends": {}}}