Configure authentication rules with PAM

You can use a pluggable authentication module (PAM) to set authentication rules. To configure PAM settings, specify control values in Hiera.

For example, assume that you want to enforce a minimum length of 30 characters for passwords. Because you are implementing the CIS Oracle Linux 8 Benchmark 2.0.0, you go to the Reference and look for the relevant control in that benchmark. The control is 5.5.1, “Ensure password creation requirements are configured,” which specifies a default minimum password length of 14. For the minlen parameter, you replace the default value of 14 with a new value of 30, as shown in the example:

sce_linux::config:
  control_configs:
    "Ensure password creation requirements are configured":
      manage_pwquality: true
      manage_pam_auth: true
      minlen: 30
      minclass: 4
      faillock_args: ["preauth", "silent", "audit", "deny=5", "unlock_time=900"]
      pwhistory_args: ["use_authtok", "remember=5", "retry=3"]
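
To confirm on a node that the minlen and minclass values from the Hiera example took effect, the following check can be run after the Puppet agent applies the configuration. It is an added example, not part of the SCE module or its documentation; it assumes the values are written to /etc/security/pwquality.conf, and the function names and the PWQ_FILE variable are hypothetical.

```shell
#!/bin/sh
# Added example: compare a pwquality.conf against the values set in Hiera.
# Assumption: the settings land in /etc/security/pwquality.conf. Drop-in
# files under pwquality.conf.d are not read by this check.

# Print the value of the last uncommented "key = value" line for KEY in FILE.
# Assumption: when a key is repeated, the last assignment is the one reported.
pwq_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 when KEY in FILE is set and >= MIN, 1 otherwise.
pwq_at_least() {
    val=$(pwq_value "$1" "$2")
    if [ -z "$val" ]; then
        echo "FAIL $2 is not set in $1"
        return 1
    fi
    if [ "$val" -lt "$3" ]; then
        echo "FAIL $2 = $val (expected >= $3)"
        return 1
    fi
    echo "OK   $2 = $val"
}

# Check both values from the Hiera example: minlen 30 and minclass 4.
check_pwquality() {
    rc=0
    pwq_at_least "$1" minlen 30 || rc=1
    pwq_at_least "$1" minclass 4 || rc=1
    return $rc
}

# Constructed sample so the script runs anywhere; not output from a real node.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# minlen = 14
minlen = 30
minclass = 4
EOF
# On a managed node: PWQ_FILE=/etc/security/pwquality.conf sh this_script.sh
check_pwquality "${PWQ_FILE:-$sample}" || echo "pwquality settings do not match the Hiera values"
rm -f "$sample"
```

A node that still reports minlen = 14 after a Puppet run is using the benchmark default, which usually means the Hiera key is not nested under sce_linux::config as shown above.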