<div dir="ltr">


















<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">Quick question to see what the community does for V-73159
(retry=3 on pam_pwquality.so line)<span></span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">It was brought to my attention that my internal STIG
documentation was setting the following in /etc/pam.d/system-auth<span></span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">password    requisite    
pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=<span></span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">But, the V-73159 fix text was using the “required” keyword
instead of the “requisite”.<span></span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">I think the default line in system-auth, before being
secured, uses “requisite”.   So, I left it alone and simply made sure
the retry=3 was set.   It is my understanding from the man pam.conf
page that the requisite key is similar to required but immediately returns the
failure, that is, it is more strict than the “required” keyword.<span></span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">Is the fix text example in V-73159 just that, an
example?  Or is it a hard/fast rule to pass the STIG check with auditors
to match the fix text?<span></span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">Thanks in advance<span></span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">Robert<span></span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span> </span></p>





</div>