Rule ID
SV-269387r1050270_rule
Version
V1R6
CCIs
AlmaLinux OS 9 uses "pwquality" as a mechanism to enforce password complexity. This is set in both: /etc/pam.d/password-auth /etc/pam.d/system-auth By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.
Verify AlmaLinux OS 9 is configured to limit the "pwquality" retry option to "3". Check for the use of the "pwquality" retry option in the PAM auth files with the following command: $ grep pam_pwquality.so /etc/pam.d/system-auth /etc/pam.d/password-auth /etc/pam.d/system-auth:password required pam_pwquality.so retry=3 /etc/pam.d/password-auth:password required pam_pwquality.so retry=3 If the value of "retry" is set to "0" or greater than "3", or is missing from either, this is a finding. If the system administrator (SA) can demonstrate that the required configuration is contained in a PAM configuration file included or substacked from the system-auth file, this is not a finding.
Configure AlmaLinux OS 9 to limit the "pwquality" retry option to "3". Add the following line to the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files (or modify the line to have the required value): password required pam_pwquality.so retry=3