On 2/14/19 12:21 PM, Marek Haicman wrote:
> Hello, according to the v2r2, the check is supposed to be:
>
>     # cat /etc/pam.d/system-auth | grep pam_pwquality
>     password required pam_pwquality.so retry=3
>
> If the command does not return an uncommented line containing the
> value "pam_pwquality.so", this is a finding.
> If the value of "retry" is set to "0" or greater than "3", this is a
>
> and there's nothing about `required`. So it's up to your setup, I believe.

Exactly. There's nuance there.
The DISA content is ensuring pam_pwquality is being used, and retry has
an appropriate value.
requisite or required is not part of the check... just an example of how
things could be set up.
Open-scap-list mailing list
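
The check as quoted in the thread, written as a shell function that ignores the control flag (`required`, `requisite`) and looks only at the module and its `retry` value. This is an added example, not DISA or OpenSCAP content; the function name, the status strings and the separate `review:retry-unset` result for a line with no `retry=` option are assumptions (the quoted text does not cover that case), and the sample PAM lines are constructed.

```shell
#!/bin/sh
# Added example, not DISA or OpenSCAP content.
# Prints: pass | finding:no-pwquality | finding:retry=N | review:retry-unset
# (status strings and the retry-unset case are assumptions of this example).
check_pwquality_retry() {
    awk '
        { sub(/#.*/, "") }          # drop comments, whole-line or trailing
        /pam_pwquality\.so/ {
            seen = 1; retry = ""
            # the control flag in field 2 is deliberately never inspected
            for (i = 1; i <= NF; i++)
                if ($i ~ /^retry=/) retry = substr($i, 7)
            if (retry == "") { unset = 1; next }
            # finding when retry is 0, greater than 3, or not a number
            if (retry !~ /^[0-9]+$/ || retry + 0 == 0 || retry + 0 > 3) {
                bad = retry; hasbad = 1
            }
        }
        END {
            if (!seen)       print "finding:no-pwquality"
            else if (hasbad) print "finding:retry=" bad
            else if (unset)  print "review:retry-unset"
            else             print "pass"
        }
    ' "$1"
}

# Constructed sample: a commented-out line plus an active line that uses
# "requisite" instead of the "required" shown in the check text.
sample=$(mktemp)
printf '%s\n' \
    '# password required pam_pwquality.so retry=5' \
    'password requisite pam_pwquality.so try_first_pass local_users_only retry=3' \
    > "$sample"
check_pwquality_retry "$sample"
rm -f "$sample"
```

On a real system the argument would be `/etc/pam.d/system-auth`, the file named in the quoted check.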