Quick question to see what the community does for V-73159 (retry=3 on
pam_pwquality.so line)

It was brought to my attention that my internal STIG documentation was
setting the following in /etc/pam.d/system-auth

password    requisite     pam_pwquality.so try_first_pass local_users_only
retry=3 authtok_type=

But, the V-73159 fix text was using the “required” keyword instead of the

I think the default line in system-auth, before being secured, uses
“requisite”.   So, I left it alone and simply made sure the retry=3 was
set.   It is my understanding from the man pam.conf page that the requisite
key is similar to required but immediately returns the failure, that is, it
is more strict than the “required” keyword.

Is the fix text example in V-73159 just that, an example?  Or is it a
hard/fast rule to pass the STIG check with auditors to match the fix text?

Thanks in advance

Open-scap-list mailing list

Reply via email to