Using the Policy Compliance module, can I audit password length and complexity? I know that it checks for the here under:
Yes, there are a broad number of password complexity checks. CIDs vary depending on target technology type; you can search using the keyword "password" and select the technologies you are interested in. Here are just a few samples related to password complexity/management for Red Hat Enterprise Linux 7.x:
Status of the 'Minimum Password Length' setting
Status of the 'Minimum Password Age' setting
Status of the 'Maximum Password Age' setting (expiration) / Accounts having the 'password never expires' flag set
Status of the number of days before a [Prompt user] password expiration warning prompt is displayed at login
Current list of 'Accounts having empty password fields'
Status of the 'Account lockout threshold' setting for invalid login attempts
Status of the 'time interval' (SLEEPTIME) setting for displaying an error message after failed login attempts (in seconds)
Status of the 'MaxAuthTries' setting in the 'sshd_config' file
Status of the 'PermitEmptyPasswords' setting in the 'sshd_config' file
Status of the 'HostBasedAuthentication' setting in '/etc/ssh/sshd_config'
Status of the password history setting (remember)
Current list of 'hashing algorithms' used for passwords
Thanks a lot, Tim, much appreciated. What about password complexity? I do not see that in this list.
I believe this is the one you're looking for
CID 1092 : Status of the 'Password Complexity Requirements' setting
Many thanks, Ian, this is perfect!!