{"description": "The pam_cracklib module's <tt>dcredit</tt> parameter controls requirements\nfor usage of digits in a password. When set to a negative number, any\npassword will be required to contain that many digits. When set to a\npositive number, pam_cracklib will grant +1 additional length credit for\neach digit. Add <tt>dcredit=-1</tt> after pam_cracklib.so to require use of\na digit in passwords.", "rationale": "Requiring digits makes password guessing attacks more difficult by ensuring\na larger search space.", "severity": "medium", "references": {"pcidss": ["Req-8.2.3"], "srg": ["SRG-OS-000071-GPOS-00039"], "anssi": ["R31"], "pcidss4": ["8.3.6", "8.3"]}, "control_references": {"anssi": ["R31"], "pcidss4": ["8.3.6", "8.3"]}, "components": [], "identifiers": {}, "ocil_clause": "dcredit is not found or not set to the required value", "ocil": "To check how many digits are required in a password, run the following\ncommand:\n<pre># grep pam_cracklib /etc/pam.d/common-password\npassword requisite pam_cracklib.so dcredit=<sub idref=\"var_password_pam_dcredit\" /></pre>\nThe <tt>dcredit</tt> parameter (as a negative number) will indicate how\nmany digits are required.\nThe profile requires at least <sub idref=\"var_password_pam_dcredit\" /> digit in a password.\nThis would appear as <tt>dcredit=-<sub idref=\"var_password_pam_dcredit\" /></tt>.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set Password Strength Minimum Digit Characters", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml", "template": {"name": "pam_options", "vars": {"path": "/etc/pam.d/common-password", "type": "password", "control_flag": "requisite", "module": "pam_cracklib.so", "arguments": [{"variable": "dcredit", "operation": "less than or equal"}]}, "backends": {}}}