{"description": "The pam_pwquality module's <tt>minclass</tt> parameter controls\nhow many different character classes, or types of character,\nmust be present in a password before it is considered valid. For example,\nsetting this value to three (3) requires that any password have characters\nfrom at least three different categories in order to be approved. The default\nvalue is zero (0), meaning there are no required classes. There are four\ncategories available:\n<pre>\n* Upper-case characters\n* Lower-case characters\n* Digits\n* Special characters (for example, punctuation)\n</pre>\nModify the <tt>minclass</tt> setting in <tt>/etc/security/pwquality.conf</tt>\nto require <sub idref=\"var_password_pam_minclass\" />\ndiffering categories of characters when changing passwords.", "rationale": "Use of a complex password helps to increase the time and resources required to compromise the password.\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts\nat guessing and brute-force attacks.\n<br /><br />\nPassword complexity is one factor of several that determines how long it takes to crack a password. 
The\nmore complex the password, the greater the number of possible combinations that need to be tested before\nthe password is compromised.\n<br /><br />\nRequiring a minimum number of character categories makes password guessing attacks more difficult\nby ensuring a larger search space.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-5(c)", "IA-5(1)(a)", "CM-6(a)", "IA-5(4)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "srg": ["SRG-OS-000072-GPOS-00040"], "anssi": ["R68"], "cis": ["5.3.3.2.3"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"]}, "control_references": {"anssi": ["R68"], "cis": ["5.3.3.2.3"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"]}, "components": [], "identifiers": {}, "ocil_clause": "the value of \"minclass\" is set to less than \"<sub idref=\"var_password_pam_minclass\" />\" or is commented out", "ocil": "Verify the value of the \"minclass\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n<pre>$ grep minclass /etc/security/pwquality.conf\n\nminclass = <sub idref=\"var_password_pam_minclass\" /></pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to require the change of at least <sub idref=\"var_password_pam_minclass\" /> character classes when passwords are changed by setting the \"minclass\" 
option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nminclass = <sub idref=\"var_password_pam_minclass\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must require the change of at least four character classes when passwords are changed.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must require the change of at least four character classes when passwords are changed.", "vuldiscussion": "Use of a complex password helps to increase the time and resources required to compromise the password.\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting\nattempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The\nmore complex a password, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", "checktext": "Verify the value of the \"minclass\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n$ grep minclass /etc/security/pwquality.conf\n\nminclass = 4\n\nIf the value of \"minclass\" is set to less than \"4\" or is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to require the change of at least 4 character classes when passwords are changed by setting the \"minclass\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nminclass = 4"}}, "platform": "package[libpwquality]", "platforms": ["package[libpwquality]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_libpwquality"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure PAM Enforces Password Requirements - Minimum Different Categories", 
"definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml", "template": {"name": "accounts_password", "vars": {"variable": "minclass", "operation": "greater than or equal"}, "backends": {}}}