NixOS must enable the use of pwquality.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268170 | ANIX-00-001861 | SV-268170r1039398_rule | Medium |
| Description |
| If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks. |
| STIG | Date |
| Anduril NixOS Security Technical Implementation Guide | 2024-10-25 |
Details
| Check Text (C-72094r1039396_chk) |
| Verify NixOS prevents the use of dictionary words for passwords with the following command: $ grep -i pam_pwquality /etc/pam.d/passwd /etc/pam.d/chpasswd /etc/pam.d/sudo /etc/pam.d/passwd:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so /etc/pam.d/chpasswd:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so /etc/pam.d/sudo:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so If the pam_pwquality.so module is not present in the passwd, chpasswd, and sudo pam files, this is a finding. |
| Fix Text (F-71997r1039397_fix) |
| Configure NixOS to check password change attempts against a dictionary. Add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix security.pam.services.passwd.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so"); security.pam.services.chpasswd.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so"); security.pam.services.sudo.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so"); Rebuild the system with the following command: $ sudo nixos-rebuild switch |