{"description": "The pam_pwquality module's <tt>minlen</tt> parameter controls requirements for\nminimum characters required in a password. Add <tt>minlen=<sub idref=\"var_password_pam_minlen\" /></tt>\nafter pam_pwquality to set minimum password length requirements.", "rationale": "The shorter the password, the lower the number of possible combinations\nthat need to be tested before the password is compromised.\n<br />\nPassword complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength\nand how long it takes to crack a password. Use of more characters in a password\nhelps to exponentially increase the time and/or resources required to\ncompromise the password.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cjis": ["5.6.2.1.1"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-5(c)", "IA-5(1)(a)", "CM-6(a)", "IA-5(4)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "ospp": ["FMT_SMF_EXT.1"], "pcidss": ["Req-8.2.3"], "srg": ["SRG-OS-000078-GPOS-00046"], "anssi": ["R31", "R68"], "cis": ["5.3.3.2.2"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"], "pcidss4": ["8.3.6", "8.3"], "stigid": ["UBTU-22-611035"], "stigref": ["SV-260565r1015016_rule"]}, "control_references": {"anssi": ["R31", "R68"], "cis": ["5.3.3.2.2"], "ism": ["0421", 
"0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"], "pcidss4": ["8.3.6", "8.3"], "stigid": ["UBTU-22-611035"]}, "components": [], "identifiers": {}, "ocil_clause": "the command does not return a \"minlen\" value of \"<sub idref=\"var_password_pam_minlen\" />\" or greater, does not return a line, or the line is commented out", "ocil": "Verify that Ubuntu 22.04 enforces a minimum <sub idref=\"var_password_pam_minlen\" />-character password length with the following command:\n\n<pre>$ grep minlen /etc/security/pwquality.conf\n\nminlen = <sub idref=\"var_password_pam_minlen\" /></pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to enforce a minimum <sub idref=\"var_password_pam_minlen\" />-character password length.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nminlen = <sub idref=\"var_password_pam_minlen\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 passwords must be created with a minimum of 15 characters.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 passwords must be created with a minimum of 15 characters.", "vuldiscussion": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.\n\nUbuntu 22.04 utilizes \"pwquality\" as a mechanism to enforce password complexity. 
Configurations are set in the \"/etc/security/pwquality.conf\" file.\n\nThe \"minlen\", sometimes noted as minimum length, acts as a \"score\" of complexity based on the credit components of the \"pwquality\" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total \"score\" of \"minlen\". This will enable \"minlen\" to require a 15-character minimum.\n\nThe DoD minimum password requirement is 15 characters.", "checktext": "Verify that Ubuntu 22.04 enforces a minimum 15-character password length with the following command:\n\n$ grep minlen /etc/security/pwquality.conf\n\nminlen = 15\n\nIf the command does not return a \"minlen\" value of \"15\" or greater, does not return a line, or the line is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to enforce a minimum 15-character password length.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nminlen = 15"}}, "platform": "package[libpwquality]", "platforms": ["package[libpwquality]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_libpwquality"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure PAM Enforces Password Requirements - Minimum Length", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml", "template": {"name": "accounts_password", "vars": {"variable": "minlen", "operation": "greater than or equal"}, "backends": {}}}