Re: [Open-scap] V-73159 - Question on requisite vs required in pam.d/system-auth

2019-02-14 Thread Shawn Wells



On 2/14/19 12:21 PM, Marek Haicman wrote:

Hello, according to the v2r2, the check is supposed to be:
```
# cat /etc/pam.d/system-auth | grep pam_pwquality

password required pam_pwquality.so retry=3

If the command does not return an uncommented line containing the 
value "pam_pwquality.so", this is a finding.


If the value of "retry" is set to "0" or greater than "3", this is a 
finding.

```
and there's nothing about `required`. So it's up to your setup, I believe.



Exactly. There's nuance there.

The DISA content is ensuring pam_pwquality is being used, and retry has 
an appropriate value.


requisite or required is not part of the check... just an example of how 
things could be set up.


___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
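The check text quoted above says nothing about the control flag, only about the module and its retry value. The following is an added example (not the STIG's, DISA's or OpenSCAP's own implementation) that applies exactly that logic offline to the contents of a system-auth file; the two sample files are constructed for the example, and the only rule it adds beyond the quoted text is reporting a missing retry, which is labelled as an assumption in the code.

```python
# Offline check modelled on the V-73159 check text quoted above: an
# uncommented line loading pam_pwquality.so must exist, and its retry value
# must be between 1 and 3.  Example code added to this page; it is not the
# STIG's, DISA's or OpenSCAP's own implementation.  The file contents below
# are constructed samples, not copies of any real system-auth.

def parse_pam_line(line):
    """Split one pam.d entry into (type, control, module, args).

    The control field may be a bracketed action list such as
    [success=1 default=ignore], which contains spaces, so it is re-joined
    until the closing bracket.  Returns None for lines that are not entries.
    """
    fields = line.split()
    if len(fields) < 3:
        return None
    pam_type = fields[0]
    if fields[1].startswith("["):
        parts = []
        idx = 1
        while idx < len(fields):
            parts.append(fields[idx])
            if fields[idx].endswith("]"):
                break
            idx += 1
        control = " ".join(parts)
        rest = fields[idx + 1:]
    else:
        control = fields[1]
        rest = fields[2:]
    if not rest:
        return None
    return pam_type, control, rest[0], rest[1:]


def pwquality_entries(text):
    """Return every uncommented entry whose module is pam_pwquality.so.

    Comment handling mirrors the quoted check: a line whose first
    non-blank character is '#' does not count, even though a plain
    'grep pam_pwquality' would still print it.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_pam_line(line)
        if parsed is None:
            continue
        # The module may be written as a bare name or an absolute path.
        if parsed[2].rsplit("/", 1)[-1] == "pam_pwquality.so":
            entries.append(parsed)
    return entries


def check_v73159(text):
    """Return a list of findings; an empty list means the rule passes.

    The control flag (required, requisite, ...) is deliberately not
    examined, matching the check text, which only looks for the module
    and the retry value.
    """
    entries = pwquality_entries(text)
    if not entries:
        return ["no uncommented pam_pwquality.so line"]
    findings = []
    for pam_type, control, module, args in entries:
        retry = None
        for arg in args:
            if arg.startswith("retry="):
                retry = arg.split("=", 1)[1]
        if retry is None:
            # Assumption in this example: a missing retry is reported too,
            # which is stricter than the quoted text (0 or >3 only).
            findings.append(f"{control} {module}: retry not set")
            continue
        if not retry.isdigit() or int(retry) == 0 or int(retry) > 3:
            findings.append(f"{control} {module}: retry={retry}")
    return findings


# Constructed sample: the distribution-style line using "requisite".
SAMPLE_PASSING = """\
#%PAM-1.0
auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so uid >= 1000 quiet
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
"""

# Constructed sample: one line commented out, another with retry=0.
SAMPLE_FAILING = """\
#password   requisite     pam_pwquality.so retry=3
password    required      pam_pwquality.so retry=0
password    sufficient    pam_unix.so sha512 shadow use_authtok
"""

if __name__ == "__main__":
    for name, sample in (("passing", SAMPLE_PASSING), ("failing", SAMPLE_FAILING)):
        findings = check_v73159(sample)
        print(f"{name}: {'PASS' if not findings else 'FINDING: ' + '; '.join(findings)}")
```

Run against a real file with `check_v73159(open("/etc/pam.d/system-auth").read())`. The "requisite" line in the passing sample is accepted for the same reason Shawn gives: the check never reads the control field.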


Re: [Open-scap] V-73159 - Question on requisite vs required in pam.d/system-auth

2019-02-14 Thread Marek Haicman

Hello, according to the v2r2, the check is supposed to be:
```
# cat /etc/pam.d/system-auth | grep pam_pwquality

password required pam_pwquality.so retry=3

If the command does not return an uncommented line containing the value 
"pam_pwquality.so", this is a finding.


If the value of "retry" is set to "0" or greater than "3", this is a 
finding.

```
and there's nothing about `required`. So it's up to your setup, I believe.

HTH,
Marek

On 2/13/19 11:19 PM, Robert Hayden wrote:
Quick question to see what the community does for V-73159 (retry=3 on 
pam_pwquality.so line)


It was brought to my attention that my internal STIG documentation was 
setting the following in /etc/pam.d/system-auth


password    requisite pam_pwquality.so try_first_pass local_users_only 
retry=3 authtok_type=


But, the V-73159 fix text was using the “required” keyword instead of 
the “requisite”.


I think the default line in system-auth, before being secured, uses 
“requisite”. So, I left it alone and simply made sure the retry=3 was 
set. It is my understanding from the man pam.conf page that the 
requisite key is similar to required but immediately returns the 
failure, that is, it is more strict than the “required” keyword.


Is the fix text example in V-73159 just that, an example?  Or is it a 
hard/fast rule to pass the STIG check with auditors to match the fix text?


Thanks in advance

Robert





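Robert's reading of pam.conf(5) (requisite returns the failure immediately, required finishes the stack first) can be seen by stepping through a password stack. The following is an added example, not libpam code: it models the four keyword controls through the action-list equivalents pam.conf(5) gives for them and runs a constructed stack shaped like the system-auth line in the thread, with pam_pwquality.so rejecting the new password under each flag. The module results are constructed, not produced by real modules.

```python
# Simulation of how libpam walks a stack under the four keyword controls
# described in pam.conf(5), to show what "requisite returns the failure
# immediately" means in practice.  Example code added to this page, not
# libpam code; the module results are constructed rather than produced
# by real modules.  Each control is modelled through its documented
# action-list equivalent:
#   required   [success=ok ... default=bad]
#   requisite  [success=ok ... default=die]
#   sufficient [success=done default=ignore]
#   optional   [success=ok default=ignore]

def run_stack(stack):
    """Evaluate a stack of (control, module, succeeded) tuples.

    Returns (final_result, modules_invoked).  'impression' tracks whether
    the stack has so far decided for success (True), failure (False) or
    nothing yet (None), the same three-way state libpam keeps.
    """
    impression = None
    invoked = []
    for control, module, succeeded in stack:
        invoked.append(module)
        if control in ("required", "requisite"):
            if succeeded:
                if impression is None:
                    impression = True
            else:
                impression = False          # the stack will fail ...
                if control == "requisite":  # ... and requisite says so now
                    return False, invoked
        elif control == "sufficient":
            # A sufficient success ends the stack unless an earlier
            # required module has already failed; its failure is ignored.
            if succeeded and impression is not False:
                return True, invoked
        elif control == "optional":
            if succeeded and impression is None:
                impression = True
        else:
            raise ValueError(f"unknown control {control!r}")
    # Nothing decided for success (for example, every sufficient module
    # failed) is a failure, not a pass.
    return impression is True, invoked


# Constructed password stack in the shape of the thread's system-auth,
# with pam_pwquality.so rejecting the new password.
def pwquality_rejected(control):
    return [
        (control,      "pam_pwquality.so", False),
        ("sufficient", "pam_unix.so",      True),
        ("required",   "pam_deny.so",      False),
    ]


if __name__ == "__main__":
    for control in ("requisite", "required"):
        result, invoked = run_stack(pwquality_rejected(control))
        print(f"{control:9} -> {'success' if result else 'failure'}, "
              f"modules invoked: {', '.join(invoked)}")
```

Both flags end in failure, which is why the STIG check does not need to care which one is used; the difference is that under `required` pam_unix.so is still invoked after the rejection (so the user still goes through its prompts before seeing the error), whereas `requisite` stops at pam_pwquality.so.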