On 2/14/19 12:21 PM, Marek Haicman wrote:
Hello, according to the v2r2, the check is supposed to be:
# cat /etc/pam.d/system-auth | grep pam_pwquality

password required pam_pwquality.so retry=3

If the command does not return an uncommented line containing the value "pam_pwquality.so", this is a finding.

If the value of "retry" is set to "0" or greater than "3", this is a finding.
and there's nothing about `required`. So it's up to your setup, I believe.

Exactly. There's nuance there.

The DISA content is ensuring pam_pwquality is being used, and retry has an appropriate value.

requisite or required is not part of the check... just example of how things could be setup.

Open-scap-list mailing list

Reply via email to