{"description": "The pam_pwquality module's <tt>difok</tt> parameter sets the number of characters\nin a password that must not be present in and old password during a password change.\n<br /><br />\nModify the <tt>difok</tt> setting in <tt>/etc/security/pwquality.conf</tt>\nto equal <sub idref=\"var_password_pam_difok\" /> to require differing characters\nwhen changing passwords.", "rationale": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength,\nis a measure of the effectiveness of a password in resisting attempts\nat guessing and brute\u2013force attacks.\n<br /><br />\nPassword complexity is one factor of several that determines how long\nit takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested\nbefore the password is compromised.\n<br /><br />\nRequiring a minimum number of different characters during password changes ensures that\nnewly changed passwords should not resemble previously compromised ones.\nNote that passwords which are changed on compromised systems will still be compromised, however.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cjis": ["5.6.2.1.1"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-5(c)", "IA-5(1)(b)", "CM-6(a)", "IA-5(4)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "srg": ["SRG-OS-000072-GPOS-00040"], "cis": ["5.3.3.2.1"], "stigid": ["UBTU-22-611040"], "stigref": ["SV-260566r1015017_rule"]}, "control_references": {"cis": ["5.3.3.2.1"], "stigid": ["UBTU-22-611040"]}, "components": [], "identifiers": {}, "ocil_clause": "the value of \"difok\" is set to less than \"<sub idref=\"var_password_pam_difok\" />\", or is commented out", "ocil": "Verify the value of the \"difok\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n<pre>$ sudo grep difok /etc/security/pwquality.conf\n\ndifok = <sub idref=\"var_password_pam_difok\" /></pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to require the change of at least <sub idref=\"var_password_pam_difok\" /> of the total number of characters when passwords are changed by setting the \"difok\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\ndifok = <sub idref=\"var_password_pam_difok\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must require the change of at least 8 characters when passwords are changed.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must require the change of at least 8 characters when passwords are changed.", "vuldiscussion": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength,\nis a measure of the effectiveness of a password in resisting attempts\nat guessing and brute\u2013force attacks.\n\nPassword complexity is one factor of several that determines how long\nit takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nRequiring a minimum number of different characters during password changes ensures that\nnewly changed passwords should not resemble previously compromised ones.\nNote that passwords which are changed on compromised systems will still be compromised, however.", "checktext": "Verify the value of the \"difok\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n$ sudo grep difok /etc/security/pwquality.conf\n\ndifok = 8\n\nIf the value of \"difok\" is set to less than \"8\", or is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to require the change of at least 8 of the total number of characters when passwords are changed by setting the \"difok\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\ndifok = 8"}}, "platform": "package[libpwquality]", "platforms": ["package[libpwquality]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_libpwquality"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure PAM Enforces Password Requirements - Minimum Different Characters", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml", "template": {"name": "accounts_password", "vars": {"variable": "difok", "operation": "greater than or equal"}, "backends": {}}}