{"description": "The pam_pwquality module's <tt>dcredit</tt> parameter controls requirements for\nusage of digits in a password. When set to a negative number, any password will be required to\ncontain that many digits. When set to a positive number, pam_pwquality will grant +1 additional\nlength credit for each digit. Modify the <tt>dcredit</tt> setting in\n<tt>/etc/security/pwquality.conf</tt> to require the use of a digit in passwords.", "rationale": "Use of a complex password helps to increase the time and resources required\nto compromise the password. Password complexity, or strength, is a measure of\nthe effectiveness of a password in resisting attempts at guessing and brute-force\nattacks.\n<br /><br />\nPassword complexity is one factor of several that determines how long it takes\nto crack a password. The more complex the password, the greater the number of\npossible combinations that need to be tested before the password is compromised.\nRequiring digits makes password guessing attacks more difficult by ensuring a larger\nsearch space.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-5(c)", "IA-5(1)(a)", "CM-6(a)", "IA-5(4)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "ospp": ["FMT_SMF_EXT.1"], "pcidss": ["Req-8.2.3"], "srg": ["SRG-OS-000071-GPOS-00039"], "anssi": ["R31"], "cis": ["5.3.3.2.3"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"], "pcidss4": ["8.3.6", "8.3"], "stigid": ["UBTU-22-611020"], "stigref": ["SV-260562r1015014_rule"]}, "control_references": {"anssi": ["R31"], "cis": ["5.3.3.2.3"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"], "pcidss4": ["8.3.6", "8.3"], "stigid": ["UBTU-22-611020"]}, "components": [], "identifiers": {}, "ocil_clause": "the value of \"dcredit\" is a positive number or is commented out", "ocil": "Verify that Ubuntu 22.04 enforces password complexity by requiring that at least one numeric character be used.\n\nCheck the value for \"dcredit\" with the following command:\n\n<pre>$ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf\n\n/etc/security/pwquality.conf:dcredit = <sub idref=\"var_password_pam_dcredit\" /></pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to enforce password complexity by requiring that at least one numeric character be used by setting the \"dcredit\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\ndcredit = <sub idref=\"var_password_pam_dcredit\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must enforce password complexity by requiring that at least one numeric character be used.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must enforce password complexity by requiring that at least One numeric character be used.", "vuldiscussion": "Use of a complex password helps to increase the time and resources required\nto compromise the password. Password complexity, or strength, is a measure of\nthe effectiveness of a password in resisting attempts at guessing and brute-force\nattacks.\n\n\n\nPassword complexity is one factor of several that determines how long it takes\nto crack a password. The more complex the password, the greater the number of\npossible combinations that need to be tested before the password is compromised.\nRequiring digits makes password guessing attacks more difficult by ensuring a larger\nsearch space.", "checktext": "Verify that Ubuntu 22.04 enforces password complexity by requiring that at least one numeric character.\n\nCheck the value for \"dcredit\" with the following command:\n\n$ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf/*.conf\n\n/etc/security/pwquality.conf:dcredit = -1\n\nIf the value of \"dcredit\" is a positive number or is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to enforce password complexity by requiring that at least one numeric character be used by setting the \"dcredit\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\ndcredit = -1"}}, "platform": "package[libpwquality]", "platforms": ["package[libpwquality]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_libpwquality"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure PAM Enforces Password Requirements - Minimum Digit Characters", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml", "template": {"name": "accounts_password", "vars": {"variable": "dcredit", "operation": "less than or equal"}, "backends": {}}}