STIGQter: STIG Summary: Canonical Ubuntu 16.04 Security Technical Implementation Guide

Version: 1

Release: 3

Benchmark Date: 24 Jan 2020

| Name | Title |
| --- | --- |
| SV-90069r1_rule | The Ubuntu operating system must be a vendor supported release. |
| SV-90071r5_rule | Ubuntu vendor packaged system security patches and updates must be installed and up to date. |
| SV-90073r3_rule | The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. |
| SV-90115r3_rule | The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. |
| SV-90117r3_rule | The Ubuntu operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures. |
| SV-90119r2_rule | All users must be able to directly initiate a session lock for all connection types. |
| SV-90121r2_rule | Ubuntu operating system sessions must be automatically logged out after 15 minutes of inactivity. |
| SV-90123r2_rule | The Ubuntu operating system must limit the number of concurrent sessions to ten for all accounts and/or account types. |
| SV-90125r3_rule | The Ubuntu operating system must prevent direct login into the root account. |
| SV-90129r3_rule | The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used. |
| SV-90131r3_rule | The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used. |
| SV-90133r3_rule | The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used. |
| SV-90135r3_rule | All passwords must contain at least one special character. |
| SV-90137r3_rule | The Ubuntu operating system must require the change of at least 8 characters when passwords are changed. |
| SV-90139r1_rule | The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. |
| SV-90141r1_rule | The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. |
| SV-90143r2_rule | The Ubuntu operating system must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. |
| SV-90145r2_rule | The pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. |
| SV-90149r1_rule | Emergency administrator accounts must never be automatically removed or disabled. |
| SV-90151r3_rule | Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction. |
| SV-90153r2_rule | Passwords for new users must have a 60-day maximum password lifetime restriction. |
| SV-90155r2_rule | Passwords must be prohibited from reuse for a minimum of five generations. |
| SV-90157r3_rule | Passwords must have a minimum of 15-characters. |
| SV-90159r2_rule | The Ubuntu operating system must not be configured to allow blank or null passwords. |
| SV-90161r4_rule | The Ubuntu operating system must prevent the use of dictionary words for passwords. |
| SV-90163r1_rule | The passwd command must be configured to prevent the use of dictionary words as passwords. |
| SV-90165r3_rule | Account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity. |
| SV-90167r3_rule | The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts. |
| SV-90169r2_rule | The Ubuntu operating system must require users to re-authenticate for privilege escalation and changing roles. |
| SV-90171r1_rule | Temporary user accounts must be provisioned with an expiration time of 72 hours or less. |
| SV-90173r1_rule | The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. |
| SV-90175r4_rule | Unattended or automatic login via the Graphical User Interface must not be allowed. |
| SV-90177r1_rule | The Ubuntu operating system must display the date and time of the last successful account logon upon logon. |
| SV-90179r1_rule | There must be no .shosts files on the Ubuntu operating system. |
| SV-90181r2_rule | There must be no shosts.equiv files on the Ubuntu operating system. |
| SV-90183r2_rule | The Ubuntu operating system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
| SV-90185r4_rule | Ubuntu operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. |
| SV-90187r3_rule | Ubuntu operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. |
| SV-90189r1_rule | All persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. |
| SV-90191r1_rule | All public directories must be owned by root to prevent unauthorized and unintended information transferred via shared system resources. |
| SV-90193r3_rule | All world-writable directories must be group-owned by root, sys, bin, or an application group. |
| SV-90195r3_rule | A file integrity tool must be installed to verify correct operation of all security functions in the Ubuntu operating system. |
| SV-90197r2_rule | The file integrity tool must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days. |
| SV-90199r3_rule | The file integrity tool must be configured to verify Access Control Lists (ACLs). |
| SV-90201r1_rule | The file integrity tool must be configured to verify extended attributes. |
| SV-90203r4_rule | The file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered. |
| SV-90205r2_rule | The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools. |
| SV-90207r2_rule | Advance package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. |
| SV-90209r1_rule | Advance package Tool (APT) must remove all software components after updated versions have been installed. |
| SV-90211r2_rule | Automatic mounting of Universal Serial Bus (USB) mass storage driver must be disabled. |
| SV-90213r2_rule | File system automounter must be disabled unless required. |
| SV-90215r2_rule | Pam_Apparmor must be configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user, change security attributes, and to confine all non-privileged users from executing functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
| SV-90217r2_rule | The Apparmor module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders. |
| SV-90221r3_rule | The x86 Ctrl-Alt-Delete key sequence must be disabled. |
| SV-90223r2_rule | Default permissions must be defined in such a way that all authenticated users can only read and modify their own files. |
| SV-90225r2_rule | The Ubuntu operating system must not have unnecessary accounts. |
| SV-90227r2_rule | Duplicate User IDs (UIDs) must not exist for interactive users. |
| SV-90229r1_rule | The root account must be the only account having unrestricted access to the system. |
| SV-90231r1_rule | User accounts with temporary passwords, must require an immediate change to a permanent password after login. |
| SV-90233r2_rule | Pluggable Authentication Module (PAM) must prohibit the use of cached authentications after one day. |
| SV-90235r1_rule | All files and directories must have a valid owner. |
| SV-90237r1_rule | All files and directories must have a valid group owner. |
| SV-90239r1_rule | All local interactive users must have a home directory assigned in the /etc/passwd file. |
| SV-90241r1_rule | All local interactive user accounts, upon creation, must be assigned a home directory. |
| SV-90243r1_rule | All local interactive user home directories defined in the /etc/passwd file must exist. |
| SV-90245r1_rule | All local interactive user home directories must have mode 0750 or less permissive. |
| SV-90247r1_rule | All local interactive user home directories must be group-owned by the home directory owners primary group. |
| SV-90249r1_rule | All local initialization files must have mode 0740 or less permissive. |
| SV-90251r1_rule | All local interactive user initialization files executable search paths must contain only paths that resolve to the system default or the users home directory. |
| SV-90253r1_rule | Local initialization files must not execute world-writable programs. |
| SV-90255r2_rule | File systems that contain user home directories must be mounted to prevent files with the setuid and setguid bit set from being executed. |
| SV-90257r3_rule | File systems that are used with removable media must be mounted to prevent files with the setuid and setguid bit set from being executed. |
| SV-90259r3_rule | File systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setguid bit set from being executed. |
| SV-90261r2_rule | File systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed. |
| SV-90265r1_rule | Kernel core dumps must be disabled unless needed. |
| SV-90267r2_rule | A separate file system must be used for user home directories (such as /home or an equivalent). |
| SV-90269r1_rule | The Ubuntu operating system must use a separate file system for /var. |
| SV-90271r1_rule | The Ubuntu operating system must use a separate file system for the system audit data path. |
| SV-90273r2_rule | The /var/log directory must be group-owned by syslog. |
| SV-90275r2_rule | The /var/log directory must be owned by root. |
| SV-90277r3_rule | The /var/log directory must have mode 0770 or less permissive. |
| SV-90279r2_rule | The /var/log/syslog file must be group-owned by adm. |
| SV-90281r2_rule | The /var/log/syslog file must be owned by syslog. |
| SV-90283r3_rule | The /var/log/syslog file must have mode 0640 or less permissive. |
| SV-90285r2_rule | Library files must have mode 0755 or less permissive. |
| SV-90287r2_rule | Library files must be owned by root. |
| SV-90289r2_rule | Library files must be group-owned by root. |
| SV-90291r2_rule | System commands must have mode 0755 or less permissive. |
| SV-90293r2_rule | System commands must be owned by root. |
| SV-90295r2_rule | System commands must be group-owned by root. |
| SV-90297r1_rule | Audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. |
| SV-90301r2_rule | The Ubuntu operating system must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility. |
| SV-90303r2_rule | The Ubuntu operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. |
| SV-90305r2_rule | The System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. |
| SV-90307r1_rule | The System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full. |
| SV-90309r2_rule | The audit system must take appropriate action when the audit storage volume is full. |
| SV-90311r2_rule | The remote audit system must take appropriate action when audit storage is full. |
| SV-90313r1_rule | Off-loading audit records to another system must be authenticated. |
| SV-90315r3_rule | Audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. |
| SV-90317r2_rule | Audit log directories must have a mode of 0750 or less permissive to prevent unauthorized read access. |
| SV-90319r2_rule | Audit logs must be owned by root to prevent unauthorized read access. |
| SV-90321r2_rule | Audit logs must be group-owned by root to prevent unauthorized read access. |
| SV-90323r2_rule | Audit log directory must be owned by root to prevent unauthorized read access. |
| SV-90325r2_rule | Audit log directory must be group-owned by root to prevent unauthorized read access. |
| SV-90327r1_rule | The Ubuntu operating system must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. |
| SV-90329r2_rule | The audit log files must be owned by root. |
| SV-90333r2_rule | Audit tools must have a mode of 0755 or less permissive. |
| SV-90335r2_rule | Audit tools must be owned by root. |
| SV-90337r2_rule | Audit tools must be group-owned by root. |
| SV-90339r2_rule | The audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited. |
| SV-90341r4_rule | The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. |
| SV-90343r4_rule | The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. |
| SV-90345r4_rule | The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. |
| SV-90347r4_rule | The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. |
| SV-90367r4_rule | The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. |
| SV-90371r5_rule | Successful/unsuccessful uses of the su command must generate an audit record. |
| SV-90373r5_rule | Successful/unsuccessful uses of the chfn command must generate an audit record. |
| SV-90375r5_rule | Successful/unsuccessful uses of the mount command must generate an audit record. |
| SV-90377r5_rule | Successful/unsuccessful uses of the umount command must generate an audit record. |
| SV-90379r5_rule | Successful/unsuccessful uses of the ssh-agent command must generate an audit record. |
| SV-90387r5_rule | Successful/unsuccessful uses of the ssh-keysign command must generate an audit record. |
| SV-90395r2_rule | The audit system must be configured to audit any usage of the kmod command. |
| SV-90397r3_rule | The audit system must be configured to audit any usage of the setxattr system call. |
| SV-90399r3_rule | The audit system must be configured to audit any usage of the lsetxattr system call. |
| SV-90401r3_rule | The audit system must be configured to audit any usage of the fsetxattr system call. |
| SV-90403r3_rule | The audit system must be configured to audit any usage of the removexattr system call. |
| SV-90405r3_rule | The audit system must be configured to audit any usage of the lremovexattr system call. |
| SV-90407r4_rule | The audit system must be configured to audit any usage of the fremovexattr system call. |
| SV-90409r4_rule | Successful/unsuccessful uses of the chown command must generate an audit record. |
| SV-90411r4_rule | Successful/unsuccessful uses of the fchown command must generate an audit record. |
| SV-90413r4_rule | Successful/unsuccessful uses of the fchownat command must generate an audit record. |
| SV-90415r4_rule | Successful/unsuccessful uses of the lchown command must generate an audit record. |
| SV-90417r3_rule | Successful/unsuccessful uses of the chmod command must generate an audit record. |
| SV-90419r3_rule | Successful/unsuccessful uses of the fchmod command must generate an audit record. |
| SV-90421r4_rule | Successful/unsuccessful uses of the fchmodat command must generate an audit record. |
| SV-90423r4_rule | Successful/unsuccessful uses of the open command must generate an audit record. |
| SV-90425r4_rule | Successful/unsuccessful uses of the truncate command must generate an audit record. |
| SV-90427r4_rule | Successful/unsuccessful uses of the ftruncate command must generate an audit record. |
| SV-90429r4_rule | Successful/unsuccessful uses of the creat command must generate an audit record. |
| SV-90431r4_rule | Successful/unsuccessful uses of the openat command must generate an audit record. |
| SV-90433r4_rule | Successful/unsuccessful uses of the open_by_handle_at command must generate an audit record. |
| SV-90435r5_rule | Successful/unsuccessful uses of the sudo command must generate an audit record. |
| SV-90439r5_rule | Successful/unsuccessful uses of the chsh command must generate an audit record. |
| SV-90441r6_rule | Successful/unsuccessful uses of the newgrp command must generate an audit record. |
| SV-90445r5_rule | Successful/unsuccessful uses of the apparmor_parser command must generate an audit record. |
| SV-90447r5_rule | Successful/unsuccessful uses of the setfacl command must generate an audit record. |
| SV-90449r5_rule | Successful/unsuccessful uses of the chacl command must generate an audit record. |
| SV-90451r3_rule | Successful/unsuccessful modifications to the tallylog file must generate an audit record. |
| SV-90453r3_rule | Successful/unsuccessful modifications to the faillog file must generate an audit record. |
| SV-90455r3_rule | Successful/unsuccessful modifications to the lastlog file must generate an audit record. |
| SV-90457r5_rule | Successful/unsuccessful uses of the passwd command must generate an audit record. |
| SV-90459r3_rule | Successful/unsuccessful uses of the unix_update command must generate an audit record. |
| SV-90461r5_rule | Successful/unsuccessful uses of the gpasswd command must generate an audit record. |
| SV-90463r5_rule | Successful/unsuccessful uses of the chage command must generate an audit record. |
| SV-90465r5_rule | Successful/unsuccessful uses of the usermod command must generate an audit record. |
| SV-90467r5_rule | Successful/unsuccessful uses of the crontab command must generate an audit record. |
| SV-90469r5_rule | Successful/unsuccessful uses of the pam_timestamp_check command must generate an audit record. |
| SV-90471r4_rule | Successful/unsuccessful uses of the init_module command must generate an audit record. |
| SV-90473r4_rule | Successful/unsuccessful uses of the finit_module command must generate an audit record. |
| SV-90475r4_rule | Successful/unsuccessful uses of the delete_module command must generate an audit record. |
| SV-90477r3_rule | The telnetd package must not be installed. |
| SV-90479r2_rule | The Network Information Service (NIS) package must not be installed. |
| SV-90481r2_rule | The rsh-server package must not be installed. |
| SV-90483r2_rule | An application firewall must be installed. |
| SV-90485r2_rule | An application firewall must be enabled on the system. |
| SV-90487r2_rule | An application firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. |
| SV-90489r2_rule | The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. |
| SV-90491r4_rule | A sticky bit must be set on all public directories to prevent unauthorized and unintended information transferred via shared system resources. |
| SV-90493r2_rule | The Ubuntu operating system must compare internal information system clocks at least every 24 hours with a server which is synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). |
| SV-90495r2_rule | The Ubuntu operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second. |
| SV-90497r2_rule | The Ubuntu operating system must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |
| SV-90499r2_rule | The Ubuntu operating system must implement non-executable data to protect its memory from unauthorized code execution. |
| SV-90501r2_rule | The Ubuntu operating system must implement address space layout randomization to protect its memory from unauthorized code execution. |
| SV-90503r1_rule | The Ubuntu operating system must enforce SSHv2 for network access to all accounts. |
| SV-90505r5_rule | The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon and the user must acknowledge the usage conditions and take explicit actions to log on for further access. |
| SV-90507r2_rule | The Ubuntu operating system must not permit direct logons to the root account using remote access via SSH. |
| SV-90509r3_rule | The Ubuntu operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. |
| SV-90511r2_rule | The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. |
| SV-90513r3_rule | The Ubuntu operating system must be configured so that the SSH daemon does not allow authentication using an empty password. |
| SV-90515r2_rule | The system must display the date and time of the last successful account logon upon an SSH logon. |
| SV-90517r3_rule | The Ubuntu operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. |
| SV-90521r2_rule | The SSH daemon must not allow authentication using known hosts authentication. |
| SV-90523r2_rule | The SSH public host key files must have mode 0644 or less permissive. |
| SV-90525r2_rule | The SSH private host key files must have mode 0600 or less permissive. |
| SV-90527r2_rule | The SSH daemon must perform strict mode checking of home directory configuration files. |
| SV-90529r2_rule | The SSH daemon must use privilege separation. |
| SV-90531r2_rule | The SSH daemon must not allow compression or must only allow compression after successful authentication. |
| SV-90533r2_rule | Remote X connections for interactive users must be encrypted. |
| SV-90535r1_rule | An application firewall must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the Ubuntu operating system is implementing rate-limiting measures on impacted network interfaces. |
| SV-90537r1_rule | All networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. |
| SV-90539r2_rule | The audit system must take appropriate action when the network cannot be used to off-load audit records. |
| SV-90543r2_rule | All remote access methods must be monitored. |
| SV-90545r2_rule | Cron logging must be implemented. |
| SV-90547r1_rule | Wireless network adapters must be disabled. |
| SV-90549r2_rule | The Ubuntu operating system must be configured to use TCP syncookies. |
| SV-90551r2_rule | For Ubuntu operating systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. |
| SV-90553r3_rule | The Ubuntu operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. |
| SV-90555r3_rule | The Ubuntu operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. |
| SV-90557r2_rule | The Ubuntu operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. |
| SV-90559r3_rule | The Ubuntu operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
| SV-90561r2_rule | The Ubuntu operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. |
| SV-90563r2_rule | The Ubuntu operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. |
| SV-90565r2_rule | The Ubuntu operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. |
| SV-90567r2_rule | The Ubuntu operating system must not be performing packet forwarding unless the system is a router. |
| SV-90569r2_rule | Network interfaces must not be in promiscuous mode. |
| SV-90571r2_rule | The Ubuntu operating system must be configured to prevent unrestricted mail relaying. |
| SV-90573r2_rule | The Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. |
| SV-90575r2_rule | A File Transfer Protocol (FTP) server package must not be installed unless needed. |
| SV-90577r3_rule | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support. |
| SV-90579r1_rule | If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode. |
| SV-90581r1_rule | An X Windows display manager must not be installed unless approved. |
| SV-90583r1_rule | The Ubuntu operating system must have the packages required for multifactor authentication to be installed. |
| SV-90585r1_rule | The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. |
| SV-90587r2_rule | The Ubuntu operating system must implement certificate status checking for multifactor authentication. |
| SV-90589r2_rule | The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
| SV-90591r1_rule | The Ubuntu operating system must implement smart card logins for multifactor authentication for access to accounts. |
| SV-92701r1_rule | The system must use a DoD-approved virus scan program. |
| SV-92703r1_rule | The system must update the DoD-approved virus scan program every seven days or more frequently. |
| SV-95669r2_rule | The x86 Ctrl-Alt-Delete key sequence in the Ubuntu operating system must be disabled if a Graphical User Interface is installed. |
| SV-95671r1_rule | The auditd service must be running in the Ubuntu operating system. |
| SV-95673r1_rule | The Ubuntu operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. |
| SV-95677r1_rule | The audit records must be off-loaded onto a different system or storage media from the system being audited. |
| SV-95681r3_rule | Successful/unsuccessful uses of the chcon command must generate an audit record. |
| SV-101015r1_rule | The audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. |
| SV-108093r1_rule | The Ubuntu operating system must not allow users to override SSH environment variables. |
| SV-108113r1_rule | The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used. |