NixOS must enable the use of pwquality.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-268170 | ANIX-00-001861 | SV-268170r1039398_rule | CCI-000366 | medium |

| Description |
|---|
| If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks. |

| STIG | Date |
|---|---|
| Anduril NixOS Security Technical Implementation Guide | 2024-10-25 |
Details
Check Text (C-268170r1039398_chk)
Verify NixOS prevents the use of dictionary words for passwords with the following command:
```shell
$ grep -i pam_pwquality /etc/pam.d/passwd /etc/pam.d/chpasswd /etc/pam.d/sudo
/etc/pam.d/passwd:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so
/etc/pam.d/chpasswd:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so
/etc/pam.d/sudo:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so
```
If the pam_pwquality.so module is not present in the passwd, chpasswd, and sudo pam files, this is a finding.
Fix Text (F-71997r1039397_fix)
Configure NixOS to check password change attempts against a dictionary.
Add the following Nix code to the NixOS configuration, usually located in /etc/nixos/configuration.nix:
```nix
security.pam.services.passwd.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so");
security.pam.services.chpasswd.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so");
security.pam.services.sudo.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so");
```
Rebuild the system with the following command:
```shell
$ sudo nixos-rebuild switch
```
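The check text above relies on a case-insensitive grep, which also matches a commented-out module line, and it does not confirm that pam_pwquality runs before pam_unix (the reason the fix uses mkBefore: a "sufficient" pam_unix listed first ends the password stack before any later module runs). The script below is an added example, not part of the STIG or of NixOS, that applies both checks to an arbitrary PAM directory; the sample service files it writes are constructed for the demo, and the /nix/store path in them is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the STIG text: an offline version of the check
# for V-268170 that can be pointed at any PAM directory (e.g. /etc/pam.d).
# check_pwquality PAMDIR -> exit status 0 when passwd, chpasswd and sudo each
# have an active "password" line loading pam_pwquality.so ahead of pam_unix.so,
# exit status 1 (a finding) otherwise.
check_pwquality() {
    pamdir="$1"
    status=0
    for svc in passwd chpasswd sudo; do
        f="$pamdir/$svc"
        if [ ! -f "$f" ]; then
            echo "FINDING: $f is missing"
            status=1
            continue
        fi
        # Only uncommented lines of type "password" count; a commented-out
        # module line is not enforced by PAM.
        pw_line=$(grep -Ein '^[[:space:]]*password[[:space:]]+.*pam_pwquality\.so' "$f" | head -n 1 | cut -d: -f1)
        if [ -z "$pw_line" ]; then
            echo "FINDING: $f does not load pam_pwquality.so"
            status=1
            continue
        fi
        # The NixOS fix uses mkBefore so pam_pwquality precedes pam_unix: with
        # pam_unix marked "sufficient" and listed first, later modules never run.
        unix_line=$(grep -Ein '^[[:space:]]*password[[:space:]]+.*pam_unix\.so' "$f" | head -n 1 | cut -d: -f1)
        if [ -n "$unix_line" ] && [ "$pw_line" -gt "$unix_line" ]; then
            echo "FINDING: $f loads pam_pwquality.so after pam_unix.so (line $pw_line vs $unix_line)"
            status=1
            continue
        fi
        echo "ok: $f loads pam_pwquality.so on line $pw_line"
    done
    return $status
}

# make_sample DIR compliant|misordered|noncompliant: writes constructed PAM
# service files (not real system files) so the check can be exercised offline.
make_sample() {
    dir="$1"; kind="$2"
    mkdir -p "$dir"
    for svc in passwd chpasswd sudo; do
        case "$kind" in
            compliant)
                printf '%s\n' \
                    'password requisite /nix/store/PLACEHOLDER-libpwquality-lib/lib/security/pam_pwquality.so' \
                    'password sufficient pam_unix.so nullok' > "$dir/$svc" ;;
            misordered)
                printf '%s\n' \
                    'password sufficient pam_unix.so nullok' \
                    'password requisite pam_pwquality.so' > "$dir/$svc" ;;
            *)
                printf '%s\n' \
                    '# password requisite pam_pwquality.so   (commented out: not enforced)' \
                    'password sufficient pam_unix.so nullok' > "$dir/$svc" ;;
        esac
    done
}

# Stand-alone demo on constructed directories; on a real host run:
#   check_pwquality /etc/pam.d
demo=$(mktemp -d)
make_sample "$demo/good" compliant
make_sample "$demo/bad" noncompliant
check_pwquality "$demo/good"
check_pwquality "$demo/bad" || echo "bad sample correctly reported as a finding"
rm -rf "$demo"
```

Point `check_pwquality` at /etc/pam.d on the host being assessed; a non-zero exit status corresponds to "this is a finding" in the check text, and the printed lines say which of the three service files failed and why.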