id: weak-password-complexity

info:
  name: Linux Password Complexity Not Enforced
  author: songyaeji
  severity: high
  description: |
    The system did not enforce password complexity policies. This allowed weak passwords to be used, increasing the risk of unauthorized access through brute-force or dictionary attacks.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/
  metadata:
    verified: true
  tags: linux,audit,kisa,compliance,local

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      cat /etc/security/pwquality.conf 2>/dev/null || true

  - engine:
      - sh
      - bash
    source: |
      grep pam_pwquality.so /etc/pam.d/system-auth /etc/pam.d/common-password 2>/dev/null || true

    matchers:
      - type: regex
        part: code_1_response
        name: password-quality
        regex:
          - 'minlen\s*=\s*[0-7]'           # Password length < 8 characters
          - 'dcredit\s*=\s*0'              # No digit requirement
          - 'ucredit\s*=\s*0'              # No uppercase requirement
          - 'lcredit\s*=\s*0'              # No lowercase requirement
          - 'ocredit\s*=\s*0'              # No special character requirement
        condition: or

      - type: word
        part: code_2_response
        name: pam
        words:
          - "pam_pwquality.so"

      - type: word
        part: code_2_response
        words:
          - "enforce_for_root"
        negative: true
# digest: 4a0a0047304502205eadb4120795f68664a87a1dab81fc7689129a557e7015183bde1abbb79a45dd022100bd33c36e4f6b2b0e4451d33097cfced790ae0cb8289e7f259926e220a243b895:922c64590222798bb761d5b6d8e72950