{"description": "The pam_cracklib module's <tt>retry</tt> parameter controls the maximum\nnumber of times to prompt the user for the password before returning\nwith error. Make sure it is configured with a value that is no more than\n<sub idref=\"var_password_pam_retry\" />. For example, <tt>retry=1</tt>.", "rationale": "To reduce opportunities for successful guesses and brute-force attacks.", "severity": "medium", "references": {"pcidss": ["Req-8.1.6", "Req-8.1.7"], "srg": ["SRG-OS-000480-GPOS-00225"], "pcidss4": ["8.3.4", "8.3"]}, "control_references": {"pcidss4": ["8.3.4", "8.3"]}, "components": [], "identifiers": {}, "ocil_clause": "retry is not found or not set to the required value (or lower)", "ocil": "Check the password retry limit with the following command:\n\n<pre># grep pam_cracklib.so /etc/pam.d/common-password\npassword requisite pam_cracklib.so retry=<sub idref=\"var_password_pam_retry\" /></pre>\n\nIf the command does not return anything, or the returned line is\ncommented out, this is a finding.\n\nIf the value of retry is greater than\n<tt><sub idref=\"var_password_pam_retry\" /></tt>, this is a finding.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set Password Retry Limit", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml", "template": {"name": "pam_options", "vars": {"path": "/etc/pam.d/common-password", "type": "password", "control_flag": "requisite", "module": "pam_cracklib.so", "arguments": [{"variable": "retry", "operation": "less than or equal"}]}, "backends": {}}}