{"description": "To configure the number of retry prompts that are permitted per-session:\n\nEdit the <tt>pam_pwquality.so</tt> statement in\n\n<tt>/etc/pam.d/common-password</tt> to show\n\n\n<tt>retry=<sub idref=\"var_password_pam_retry\" /></tt>, or a lower value if site\npolicy is more restrictive. The profile requirement is a maximum of <tt>retry=<sub idref=\"var_password_pam_retry\" /></tt> prompts\nper session.", "rationale": "Setting the password retry prompts that are permitted on a per-session basis to a low value\nrequires some software, such as SSH, to re-connect. This can slow down and\ndraw additional attention to some types of password-guessing attacks. Note that this\nis different from account lockout, which is provided by the pam_faillock module.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "15", "16", "3", "5", "9"], "cjis": ["5.5.3"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["CM-6(a)", "AC-7(a)", "IA-5(4)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7", "PR.IP-1"], "srg": ["SRG-OS-000069-GPOS-00037", "SRG-OS-000480-GPOS-00227"], "anssi": ["R68"], "stigid": ["UBTU-22-611045"], "stigref": ["SV-260567r991587_rule"]}, "control_references": {"anssi": ["R68"], "stigid": ["UBTU-22-611045"]}, "components": [], "identifiers": {}, "ocil_clause": "the value of \"retry\" is set to \"0\" or greater than \"<sub idref=\"var_password_pam_retry\" />\", or is missing", "ocil": "Verify Ubuntu 22.04 is configured to limit the \"pwquality\" retry option to <sub idref=\"var_password_pam_retry\" />.\n\n\nCheck for the use of the \"pwquality\" retry option in the PAM files with the following command:\n\n<pre>$ grep pam_pwquality /etc/pam.d/common-password</pre>\n\n\n<pre>password requisite pam_pwquality.so retry=<sub idref=\"var_password_pam_retry\" /></pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to limit the \"pwquality\" retry option to <sub idref=\"var_password_pam_retry\" />.\n\n\n\nAdd the following line to the \"/etc/pam.d/common-password\" file (or modify the line to have the required value):\n\npassword requisite pam_pwquality.so retry=<sub idref=\"var_password_pam_retry\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "'Ubuntu 22.04 must ensure the password complexity module in the system-auth file is configured for three retries or less.'", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must ensure the password complexity module in the system-auth file is configured for three retries or less.", "vuldiscussion": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nUbuntu 22.04 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.", "checktext": "Verify Ubuntu 22.04 is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option in the system-auth file with the following command:\n\n$ cat /etc/pam.d/system-auth | grep pam_pwquality\n\npassword required pam_pwquality.so retry=3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", or is missing, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/pam.d/system-auth\" file (or modify the line to have the required value):\n\npassword required pam_pwquality.so retry=3"}}, "platform": "package[libpwquality]", "platforms": ["package[libpwquality]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_libpwquality"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml", "template": null}