{"description": "To configure the number of retry prompts that are permitted per-session:\nEdit the <tt>/etc/security/pwquality.conf</tt> to include\n<tt>retry=<sub idref=\"var_password_pam_retry\" /></tt>, or a lower value if site\npolicy is more restrictive. The profile requirement is a maximum of <tt>retry=<sub idref=\"var_password_pam_retry\" /></tt> prompts\nper session.", "rationale": "Setting the password retry prompts that are permitted on a per-session basis to a low value\nrequires some software, such as SSH, to re-connect. This can slow down and\ndraw additional attention to some types of password-guessing attacks. Note that this\nis different from account lockout, which is provided by the pam_faillock module.", "severity": "medium", "references": {"srg": ["SRG-OS-000069-GPOS-00037"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the value of \"retry\" is set to \"0\" or greater than \"<sub idref=\"var_password_pam_retry\" />\", or is missing", "ocil": "Verify Ubuntu 22.04 is configured to limit the \"pwquality\" retry option to <sub idref=\"var_password_pam_retry\" />.\n\nCheck for the use of the \"pwquality\" retry option in the pwquality.conf file with the following command:\n<pre>$ grep retry /etc/security/pwquality.conf</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must ensure the password complexity module in the system-auth file is configured for three retries or less.", "vuldiscussion": "Use of a complex password helps to increase the time and resources required\nto compromise the password. Password complexity, or strength, is a measure\nof the effectiveness of a password in resisting attempts at guessing and\nbrute-force attacks. \"pwquality\" enforces complex password construction\nconfiguration and has the ability to limit brute-force attacks on the\nsystem.\n\nUbuntu 22.04 uses \"pwquality\" as a mechanism to enforce password\ncomplexity. This is set in both:\n\n<tt>/etc/pam.d/password-auth</tt>\n<tt>/etc/pam.d/system-auth</tt>\n\nBy limiting the number of attempts to meet the pwquality module complexity\nrequirements before returning with an error, the system will audit abnormal\nattempts at password changes.", "checktext": "Verify Ubuntu 22.04 is configured to limit the \"pwquality\" retry option to \"3\".\n\nCheck for the use of the retry option in the security directory with the following command:\n\n<pre>$ grep -w retry /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf</pre>\n\n<pre>retry = 3</pre>\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", or is missing,\nthis is a finding.", "fixtext": "Add or update the following line in the \"/etc/security/pwquality.conf\" file\nor a file in the \"/etc/security/pwquality.conf.d/\" directory to contain the\n\"retry\" parameter:\n\n<pre>retry = 3</pre>"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session in /etc/security/pwquality.conf", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_retry/rule.yml", "template": {"name": "accounts_password", "vars": {"variable": "retry", "operation": "less than or equal", "zero_comparison_operation": "greater than"}, "backends": {}}}