id: weak-password-complexity

info:
  name: Linux Password Complexity Not Enforced
  author: songyaeji
  severity: high
  description: |
    The system did not enforce password complexity policies. This allowed weak passwords to be used, increasing the risk of unauthorized access through brute-force or dictionary attacks.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/
  metadata:
    verified: true
  tags: linux,local,audit,kisa,compliance,local

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      cat /etc/security/pwquality.conf 2>/dev/null || true

  - engine:
      - sh
      - bash
    source: |
      grep pam_pwquality.so /etc/pam.d/system-auth /etc/pam.d/common-password 2>/dev/null || true

    matchers:
      - type: regex
        part: code_1_response
        name: password-quality
        regex:
          - 'minlen\s*=\s*[0-7]'           # Password length < 8 characters
          - 'dcredit\s*=\s*0'              # No digit requirement
          - 'ucredit\s*=\s*0'              # No uppercase requirement
          - 'lcredit\s*=\s*0'              # No lowercase requirement
          - 'ocredit\s*=\s*0'              # No special character requirement
        condition: or

      - type: word
        part: code_2_response
        name: pam
        words:
          - "pam_pwquality.so"

      - type: word
        part: code_2_response
        words:
          - "enforce_for_root"
        negative: true
# digest: 4a0a00473045022100c590d02bcda1018fc91528e71c3697ea8aa7d605e1b2980e9c67a4f1e0ed51fb0220494670f4487078a52c1fae89b39bdca73a6055d5bae5f7049afce07cda8c6ff8:922c64590222798bb761d5b6d8e72950