Linux password strength, pam_cracklib, and Nessus compliance checks

Need to update your Linux password policy for better security and/or regulatory compliance (NERC CIP-006 R5.3, perhaps)? In many Linux systems, pam_cracklib is used to enforce password strength requirements but the default settings can be a little confusing. In this post, we’ll demystify some of the options for this handy little library and show how we can use the Nessus compliance checks to audit its settings.

Let’s start off with some background. PAM is an acronym that stands for Pluggable Authentication Module and is basically a framework used for authenticating users to various applications. pam_cracklib is a part of PAM that, according to the man page, “can be plugged into the password stack of a given application to provide some plug-in strength-checking for passwords.” The man page also describes the default behavior and the various options available for customization. PAM and pam_cracklib do many interesting things outside the scope of this discussion. For now we’ll focus simply on the length and complexity requirements.

You’ll find the system-wide settings for pam_cracklib either in /etc/pam.d/system-auth or /etc/pam.d/common-password depending on your Linux distribution. I’ll go ahead and issue this warning now – changes made to this file take place immediately so please be careful.

The default pam_cracklib options will look something like this:

password requisite pam_cracklib.so retry=3 minlen=6 difok=3
This tells us that the user will get three opportunities to enter the password before an error occurs, the minimum password length is six characters, and that there needs to be at least three differing characters between an old and new password for it to be accepted. Those are interesting and valuable settings, but there are other unseen defaults that dictate complexity using a “credit system”. The pam_cracklib module uses the concept of credits to essentially allow use of more complex but shorter passwords. I’ll save my password length vs. complexity philosophy for another post but for now let’s just say that this can be confusing for an end user. So what I’ll show you is a set of simple options that requires complexity but bypasses the credit system for a very straightforward password policy. Adding the options for dcredit, ucredit, lcredit, and ocredit, we can enforce a policy that requires at least one of each of these respective character types: digit, upper, lower, and other (or special).

password requisite pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1

Using positive values for the credit options enacts the credit system; using negative values simply requires that number of characters of that type (i.e., a value of 1 means give one credit for this type of character, a value of -1 means require one character of this type). If you haven’t figured it out by now, I prefer the latter for the sake of simplicity. If you really want to know more about the pam_cracklib credit system, check out the Length and Strength section in the Hal Pomeranz essay on this topic.
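To make the credit arithmetic concrete, here is an added Python model of the length rule as the man page describes it (this is not pam_cracklib's own code, and it ignores the dictionary, difok and other checks). It parses the two configuration lines from this post, which are embedded as constructed samples, and shows how a five-character lowercase password clears the default minlen=6 policy through credits but fails the negative-credit policy.

```python
import re

# Defaults from pam_cracklib(8): minlen=9 and a credit of 1 for each class.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}

# Constructed sample lines: the post's default line and its strict variant.
DEFAULT_LINE = "password requisite pam_cracklib.so retry=3 minlen=6 difok=3"
STRICT_LINE = ("password requisite pam_cracklib.so retry=3 minlen=8 difok=3 "
               "dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1")


def parse_pam_line(line):
    """Extract key=value options from a pam_cracklib.so line over the defaults.
    If an option is repeated, the last occurrence wins (this parser's choice)."""
    if "pam_cracklib.so" not in line:
        raise ValueError("not a pam_cracklib line")
    opts = dict(DEFAULTS)
    for key, val in re.findall(r"(\w+)=(-?\d+)", line):
        opts[key] = int(val)
    return opts


def classify(password):
    """Count digit, upper, lower and 'other' characters, keyed by credit option."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in password:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def length_check(password, opts):
    """Apply the man-page credit rules and return (passes, score, reason).
    credit >= 0: each character of the class adds 1 to the length score, up to
    the credit value.  credit < 0: at least -credit such characters are required."""
    score = len(password)
    for cls, n in classify(password).items():
        credit = opts[cls]
        if credit >= 0:
            score += min(n, credit)
        elif n < -credit:
            return False, score, f"needs at least {-credit} chars for {cls}"
    if score < opts["minlen"]:
        return False, score, f"score {score} below minlen {opts['minlen']}"
    return True, score, "ok"
```

Running `length_check("abcde", parse_pam_line(DEFAULT_LINE))` passes with a score of 6 (five letters plus one lowercase credit), while the same password fails under `STRICT_LINE` for lack of a digit.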

Assuming that we’re now happy with the way we have this policy configured, let’s look at how we can create a customized audit file for use with the Nessus compliance checks. Using regular expressions in the file content check, we can check the length requirement like this (remember that you may have to change the file name depending on your environment):

<custom_item>
type: FILE_CONTENT_CHECK
description: "Determine if the password minimum length is set to at least 8 characters"
file: "/etc/pam.d/system-auth"
regex: ".*pam_cracklib.so.*minlen=([1-9]|[1-9][0-9]|[1-9][0-9][0-9])"
expect: ".*pam_cracklib.so.*minlen=([8-9]|[1-9][0-9]|[1-9][0-9][0-9])"
</custom_item>

The regex statement specifies the value we want to examine from our line of text. The expect statement says what our policy value should be — in this case any value from 8-999 passes the audit. I built the regular expressions in such a way to accommodate password settings of triple digit length for fun and the really paranoid. I didn’t want anyone with a 200 character minimum password failing the audit.

Checking the complexity settings is very similar but with even simpler RegEx:

# Verify that the password requires at least one lower case alpha character
<custom_item>
type: FILE_CONTENT_CHECK
description: "Determine if the password requires at least one lower case alpha character"
file: "/etc/pam.d/system-auth"
regex: ".*pam_cracklib.so.*lcredit=.*[0-9]"
expect: ".*pam_cracklib.so.*lcredit=-1"
</custom_item>

# Verify that the password requires at least one upper case alpha character
<custom_item>
type: FILE_CONTENT_CHECK
description: "Determine if the password requires at least one upper case alpha character"
file: "/etc/pam.d/system-auth"
regex: ".*pam_cracklib.so.*ucredit=.*[0-9]"
expect: ".*pam_cracklib.so.*ucredit=-1"
</custom_item>

# Verify that the password requires at least one numeric character
<custom_item>
type: FILE_CONTENT_CHECK
description: "Determine if the password requires at least one numeric character"
file: "/etc/pam.d/system-auth"
regex: ".*pam_cracklib.so.*dcredit=.*[0-9]"
expect: ".*pam_cracklib.so.*dcredit=-1"
</custom_item>

# Verify that the password requires at least one special character
<custom_item>
type: FILE_CONTENT_CHECK
description: "Determine if the password requires at least one special character"
file: "/etc/pam.d/system-auth"
regex: ".*pam_cracklib.so.*ocredit=.*[0-9]"
expect: ".*pam_cracklib.so.*ocredit=-1"
</custom_item>

So there you have it. Checks like these and many others will be in the Bandolier audit files and illustrate the flexibility for easy customization to your environment and policies. I hope I have simplified some of the pam_cracklib options for you and provided some good compliance check examples along the way — enjoy!

2 comments to Linux password strength, pam_cracklib, and Nessus compliance checks

  • irdeincognito

    Any suggestions on pam-passwdqc?

    Thanks in advance.

    Regards

  • For those not familiar with it, the pam-passwdqc is an add-on package for PAM that is included in many Linux distributions now. It is a direct replacement for pam-cracklib with support for even more password strength options, but has an entirely different set of options. I can’t do it justice here in the comments but perhaps we’ll cover it in a future post.