UBUNTU24-CIS-Audit/section_5/cis_5.3.3.2/cis_5.3.3.2.7.yml

---

{{ if .Vars.ubtu24cis_level_1 }}
  {{ if .Vars.ubtu24cis_rule_5_3_3_2_7 }}
command:
  password_quality_enforce:
    title: 5.3.3.2.7 | Ensure password quality checking is enforced
    exec: grep -Psi -- '^\h*enforcing\s*=\s*' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
    exit-status:
      or:
      - 0
      - 1
    stdout:
    - '/.*\:enforcing\s*=\s*1/'
    - '!/.*\:enforcing\s*=\s*0/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
      - 5.3.3.2.7
      CISv8:
      - 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
  quality_enforce_not_pamd:
    title: 5.3.3.2.7 | Ensure password quality checking is enforced
    exec: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?enforcing=0\b' /etc/pam.d/common-password
    exit-status:
      or:
      - 0
      - 1
    stdout:
    - '!/.*/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
      - 5.3.3.2.7
      CISv8:
      - 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
  {{ end }}
{{ end }}