code/linux/audit/weak-password-complexity.yaml

id: weak-password-complexity

info:
  name: Linux Password Complexity Not Enforced
  author: songyaeji
  severity: high
  description: |
    The system did not enforce password complexity policies. This allowed weak passwords to be used, increasing the risk of unauthorized access through brute-force or dictionary attacks.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/
  metadata:
    verified: true
  tags: linux,local,audit,kisa,compliance,local

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      cat /etc/security/pwquality.conf 2>/dev/null || true

  - engine:
      - sh
      - bash
    source: |
      grep pam_pwquality.so /etc/pam.d/system-auth /etc/pam.d/common-password 2>/dev/null || true

    matchers:
      - type: regex
        part: code_1_response
        name: password-quality
        regex:
          - 'minlen\s*=\s*[0-7]'           # Password length < 8 characters
          - 'dcredit\s*=\s*0'              # No digit requirement
          - 'ucredit\s*=\s*0'              # No uppercase requirement
          - 'lcredit\s*=\s*0'              # No lowercase requirement
          - 'ocredit\s*=\s*0'              # No special character requirement
        condition: or

      - type: word
        part: code_2_response
        name: pam
        words:
          - "pam_pwquality.so"

      - type: word
        part: code_2_response
        words:
          - "enforce_for_root"
        negative: true
# digest: 4a0a00473045022100c590d02bcda1018fc91528e71c3697ea8aa7d605e1b2980e9c67a4f1e0ed51fb0220494670f4487078a52c1fae89b39bdca73a6055d5bae5f7049afce07cda8c6ff8:922c64590222798bb761d5b6d8e72950
minor - update & directory changes 2025-08-20 17:53:58 +05:30			`id: weak-password-complexity`
creating misconfiguration directory and adding root-remote-login.yaml, password-complexity-not-enforced.yaml 2025-07-28 19:34:39 +09:00
			`info:`
			`name: Linux Password Complexity Not Enforced`
			`author: songyaeji`
			`severity: high`
minor - update & directory changes 2025-08-20 17:53:58 +05:30			`description: \|`
			`The system did not enforce password complexity policies. This allowed weak passwords to be used, increasing the risk of unauthorized access through brute-force or dictionary attacks.`
creating misconfiguration directory and adding root-remote-login.yaml, password-complexity-not-enforced.yaml 2025-07-28 19:34:39 +09:00			`reference:`
modifying root-remote-login.yaml, password-complexity-not-enforced.yaml 2025-07-30 02:23:34 +09:00			`- https://isms.kisa.or.kr/main/csap/notice/`
finally modifying 2025-07-30 03:06:52 +09:00			`metadata:`
			`verified: true`
Local tag - update 2025-08-28 23:41:32 +05:30			`tags: linux,local,audit,kisa,compliance,local`
creating misconfiguration directory and adding root-remote-login.yaml, password-complexity-not-enforced.yaml 2025-07-28 19:34:39 +09:00
			`self-contained: true`
minor - update & directory changes 2025-08-20 17:53:58 +05:30
creating misconfiguration directory and adding root-remote-login.yaml, password-complexity-not-enforced.yaml 2025-07-28 19:34:39 +09:00			`code:`
			`- engine:`
minor - update & directory changes 2025-08-20 17:53:58 +05:30			`- sh`
creating misconfiguration directory and adding root-remote-login.yaml, password-complexity-not-enforced.yaml 2025-07-28 19:34:39 +09:00			`- bash`
			`source: \|`
			`cat /etc/security/pwquality.conf 2>/dev/null \|\| true`

			`- engine:`
minor - update & directory changes 2025-08-20 17:53:58 +05:30			`- sh`
creating misconfiguration directory and adding root-remote-login.yaml, password-complexity-not-enforced.yaml 2025-07-28 19:34:39 +09:00			`- bash`
			`source: \|`
			`grep pam_pwquality.so /etc/pam.d/system-auth /etc/pam.d/common-password 2>/dev/null \|\| true`
minor - update & directory changes 2025-08-20 17:53:58 +05:30
creating misconfiguration directory and adding root-remote-login.yaml, password-complexity-not-enforced.yaml 2025-07-28 19:34:39 +09:00			`matchers:`
minor - update & directory changes 2025-08-20 17:53:58 +05:30			`- type: regex`
			`part: code_1_response`
			`name: password-quality`
			`regex:`
			`- 'minlen\s=\s[0-7]' # Password length < 8 characters`
			`- 'dcredit\s=\s0' # No digit requirement`
			`- 'ucredit\s=\s0' # No uppercase requirement`
			`- 'lcredit\s=\s0' # No lowercase requirement`
			`- 'ocredit\s=\s0' # No special character requirement`
			`condition: or`

creating misconfiguration directory and adding root-remote-login.yaml, password-complexity-not-enforced.yaml 2025-07-28 19:34:39 +09:00			`- type: word`
			`part: code_2_response`
minor - update & directory changes 2025-08-20 17:53:58 +05:30			`name: pam`
creating misconfiguration directory and adding root-remote-login.yaml, password-complexity-not-enforced.yaml 2025-07-28 19:34:39 +09:00			`words:`
			`- "pam_pwquality.so"`
minor - update & directory changes 2025-08-20 17:53:58 +05:30
finally modifying 2025-07-30 03:06:52 +09:00			`- type: word`
creating misconfiguration directory and adding root-remote-login.yaml, password-complexity-not-enforced.yaml 2025-07-28 19:34:39 +09:00			`part: code_2_response`
			`words:`
modifying root-remote-login.yaml, password-complexity-not-enforced.yaml 2025-07-30 02:23:34 +09:00			`- "enforce_for_root"`
chore: sign templates 🤖 2025-08-21 12:45:03 +00:00			`negative: true`
chore: sign templates 🤖 2025-08-29 10:06:03 +00:00			`# digest: 4a0a00473045022100c590d02bcda1018fc91528e71c3697ea8aa7d605e1b2980e9c67a4f1e0ed51fb0220494670f4487078a52c1fae89b39bdca73a6055d5bae5f7049afce07cda8c6ff8:922c64590222798bb761d5b6d8e72950`