The system must require passwords contain no more than three consecutive repeating characters.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-11975	GEN000680	SV-44877r1_rule		Medium

Description
To enforce the use of complex passwords, the number of consecutive repeating characters is limited. Passwords with excessive repeated characters may be more vulnerable to password-guessing attacks.

STIG	Date
SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide	2018-09-19

Details

Check Text ( C-42332r5_chk )
Check the system password maxrepeat setting. Procedure: Check the password maxrepeat option # grep pam_cracklib.so /etc/pam.d/common-password Confirm the maxrepeat option is set to 3 or less as in the example below: password required pam_cracklib.so maxrepeat=3 There may be other options on the line. If no such line is found, or the maxrepeat option is more than 3 this is a finding. A setting of zero disables this option. NOTE: This option was not available in SLES 11 until service pack 2(SP2).

Check Text ( C-42332r5_chk )

Check the system password maxrepeat setting.

Procedure:
Check the password maxrepeat option
# grep pam_cracklib.so /etc/pam.d/common-password

Confirm the maxrepeat option is set to 3 or less as in the example below:

password required pam_cracklib.so maxrepeat=3

There may be other options on the line. If no such line is found, or the maxrepeat option is more than 3 this is a finding. A setting of zero disables this option.

NOTE: This option was not available in SLES 11 until service pack 2(SP2).

Fix Text (F-38310r2_fix)
Edit /etc/pam.d/common-password and set the maxrepeat option to a value of 3 or less on the pam_cracklib line.