[Open-scap] V-73159 - Question on requisite vs required in pam.d/system-auth

Marek Haicman mhaicman at redhat.com
Thu Feb 14 17:21:32 UTC 2019


Hello, according to the v2r2, the check is supposed to be:
```
# cat /etc/pam.d/system-auth | grep pam_pwquality

password required pam_pwquality.so retry=3

If the command does not return an uncommented line containing the value 
"pam_pwquality.so", this is a finding.

If the value of "retry" is set to "0" or greater than "3", this is a 
finding.
```
and there's nothing about `required`. So it's up to your setup, I believe.

HTH,
Marek
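As an added example (not part of the original mail or of the STIG content), the following bash script applies the quoted check text to a pam.d file: it looks for an uncommented pam_pwquality.so line and judges only the retry= value, while the control flag (required or requisite) is reported but not judged, since the check text says nothing about it. The function name and the sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: reviewer for the V-73159 check text quoted above.
# Pass: an uncommented pam_pwquality.so line exists with retry in 1..3.
# The control flag (required/requisite) is reported but not judged,
# because the quoted check text says nothing about it.

# Usage: check_v73159 /path/to/pam-file
# Prints one status line; returns 0 = pass, 1 = finding, 2 = needs review.
check_v73159() {
    file="$1"
    # Drop commented lines, then keep the first line that loads pam_pwquality.so.
    line=$(grep -v '^[[:space:]]*#' "$file" | grep 'pam_pwquality\.so' | head -n 1)
    if [ -z "$line" ]; then
        echo "FINDING: no uncommented pam_pwquality.so line in $file"
        return 1
    fi
    # Field 2 of a pam.d entry is the control flag (required, requisite, ...).
    flag=$(printf '%s\n' "$line" | awk '{print $2}')
    # Pull the numeric value of the retry= option, if present.
    retry=$(printf '%s\n' "$line" | grep -o 'retry=[0-9]*' | head -n 1 | cut -d= -f2)
    if [ -z "$retry" ]; then
        # The quoted check text does not say what to do when retry= is absent.
        echo "REVIEW: $flag pam_pwquality.so line has no retry= option"
        return 2
    fi
    if [ "$retry" -eq 0 ] || [ "$retry" -gt 3 ]; then
        echo "FINDING: retry=$retry (must be 1-3), control flag $flag"
        return 1
    fi
    echo "PASS $flag retry=$retry"
    return 0
}

# Constructed sample stacks (not copied from any host), written to a temp directory.
tmp=$(mktemp -d)
printf 'password    requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=\n' > "$tmp/requisite_ok"
printf 'password    required  pam_pwquality.so retry=3\n' > "$tmp/required_ok"
printf '#password   required  pam_pwquality.so retry=3\npassword    sufficient pam_unix.so\n' > "$tmp/commented_out"
printf 'password    required  pam_pwquality.so retry=5\n' > "$tmp/retry_too_high"
printf 'password    required  pam_pwquality.so retry=0\n' > "$tmp/retry_zero"
printf 'password    requisite pam_pwquality.so try_first_pass\n' > "$tmp/retry_missing"

for f in requisite_ok required_ok commented_out retry_too_high retry_zero retry_missing; do
    printf '%-16s ' "$f"
    check_v73159 "$tmp/$f" || true   # keep going even under set -e
done
```

Both the requisite and the required sample lines pass, which is the point of the reply above: the check looks at the module and its retry value, not at the control flag.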

On 2/13/19 11:19 PM, Robert Hayden wrote:
> Quick question to see what the community does for V-73159 (retry=3 on 
> pam_pwquality.so line)
> 
> It was brought to my attention that my internal STIG documentation was 
> setting the following in /etc/pam.d/system-auth
> 
> password    requisite pam_pwquality.so try_first_pass local_users_only 
> retry=3 authtok_type=
> 
> But, the V-73159 fix text was using the “required” keyword instead of 
> the “requisite”.
> 
> I think the default line in system-auth, before being secured, uses 
> “requisite”. So, I left it alone and simply made sure the retry=3 was 
> set. It is my understanding from the man pam.conf page that the 
> requisite key is similar to required but immediately returns the 
> failure, that is, it is more strict than the “required” keyword.
> 
> Is the fix text example in V-73159 just that, an example?  Or is it a 
> hard/fast rule to pass the STIG check with auditors to match the fix text?
> 
> Thanks in advance
> 
> Robert
> 
