Hello, according to the v2r2, the check is supposed to be:
```
# cat /etc/pam.d/system-auth | grep pam_pwquality

password required pam_pwquality.so retry=3

If the command does not return an uncommented line containing the value "pam_pwquality.so", this is a finding.

If the value of "retry" is set to "0" or greater than "3", this is a finding.
```
and there's nothing about `required`. So it's up to your setup, I believe.

HTH,
Marek

On 2/13/19 11:19 PM, Robert Hayden wrote:
Quick question to see what the community does for V-73159 (retry=3 on pam_pwquality.so line)

It was brought to my attention that my internal STIG documentation was setting the following in /etc/pam.d/system-auth

password    requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

But, the V-73159 fix text was using the “required” keyword instead of the “requisite”.

I think the default line in system-auth, before being secured, uses “requisite”. So, I left it alone and simply made sure the retry=3 was set. It is my understanding from the man pam.conf page that the requisite key is similar to required but immediately returns the failure, that is, it is more strict than the “required” keyword.

Is the fix text example in V-73159 just that, an example?  Or is it a hard/fast rule to pass the STIG check with auditors to match the fix text?

Thanks in advance

Robert


_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
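As an added illustration of the check text quoted in this thread (not code from the STIG, OpenSCAP or either poster), the function below applies the V-73159 logic to a constructed system-auth fragment: it keeps only uncommented lines mentioning pam_pwquality.so, reads the retry value, and reports the control flag without judging it, since the check text says nothing about required versus requisite. Treating a missing retry option as a finding is an assumption made here.

```python
import re

# Constructed sample of an /etc/pam.d/system-auth fragment (not taken from any real host).
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
#password    requisite     pam_pwquality.so retry=5
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
"""

def pwquality_lines(text):
    """Uncommented lines that mention pam_pwquality.so (what the STIG grep returns)."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out lines are ignored
        if "pam_pwquality.so" in line:
            found.append(line)
    return found

def check_v73159(text):
    """Apply the V-73159 check text. Returns (passes, reason).
    The control flag (required/requisite/...) is reported but not judged,
    because the check text only looks at the module and its retry value.
    A missing retry option is treated as a finding here; that is an assumption,
    since the check text speaks only of a retry value that is set."""
    lines = pwquality_lines(text)
    if not lines:
        return False, "no uncommented line containing pam_pwquality.so"
    line = lines[0]  # assess the first matching line, as the grep output would show it
    fields = line.split()
    # Locate the module field; options follow it. This also works if the
    # control field is a bracketed form such as [success=1 default=bad].
    idx = next(i for i, f in enumerate(fields) if "pam_pwquality.so" in f)
    control = " ".join(fields[1:idx])
    retry = None
    for opt in fields[idx + 1:]:
        m = re.fullmatch(r"retry=(\d+)", opt)
        if m:
            retry = int(m.group(1))
    if retry is None:
        return False, f"retry not set on pam_pwquality.so line (control {control!r})"
    if retry == 0 or retry > 3:
        return False, f"retry={retry} is 0 or greater than 3"
    return True, f"retry={retry}; control {control!r} is not part of the check"
```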
