From 2df02e3988525eee8360db1e829655a761adb461 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 19 Oct 2020 17:25:05 +0200
Subject: [PATCH 1/2] var pam unix remember, add selector

Add selector "2" to var_password_pam_unix_remember.
---
 .../accounts/accounts-pam/var_password_pam_unix_remember.var     | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
index f533a36963..6e7abb3b78 100644
--- a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
+++ b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
@@ -18,6 +18,7 @@ options:
     "0": "0"
     10: 10
     24: 24
+    2: 2
     4: 4
     5: 5
     default: 5

From 5503605d2f9e56b07686a9f1f2f3f8418e61b8cb Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 19 Oct 2020 17:29:47 +0200
Subject: [PATCH 2/2] Select rules for password strenght management

Rule selection is based on ANSSI DAT-NT-001
---
 controls/anssi.yml                            | 45 ++++++++++++++++++-
 .../var_password_pam_minlen.var               |  2 +
 ...ar_accounts_password_minlen_login_defs.var |  2 +
 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/controls/anssi.yml b/controls/anssi.yml
index 26bc7f4694..3ccd0f8cb3 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -281,7 +281,50 @@ controls:
   - id: R18
     level: minimal
     title: Administrator password robustness
-    # rules: TBD
+    notes: >-
+      The rules selected below establish a general password strength baseline of 100 bits,
+      inspired by DAT-NT-001 and the "Password Strenght Calculator"
+      (https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/).
+
+      The baseline should be reviewed and tailored to the system's use case and needs.
+    automated: partially
+    rules:
+    # Renew passwords every 90 days
+    - var_accounts_maximum_age_login_defs=90
+    - accounts_maximum_age_login_defs
+
+    # Ensure passwords with minimum of 18 characters
+    - var_password_pam_minlen=18
+    - accounts_password_pam_minlen
+    # Enforce password lenght for new accounts
+    - var_accounts_password_minlen_login_defs=18
+    - accounts_password_minlen_login_defs
+    # Require at Least 1 Special Character in Password
+    - var_password_pam_ocredit=1
+    - accounts_password_pam_ocredit
+    # Require at Least 1 Numeric Character in Password
+    - var_password_pam_dcredit=1
+    - accounts_password_pam_dcredit
+    # Require at Least 1 Uppercase Character in Password
+    - var_password_pam_ucredit=1
+    - accounts_password_pam_ucredit
+    # Require at Least 1 Lowercase Character in Password
+    - var_password_pam_lcredit=1
+    - accounts_password_pam_lcredit
+
+    # Lock out users after 3 failed authentication attempts within 15 min
+    - var_accounts_passwords_pam_faillock_fail_interval=900
+    - accounts_passwords_pam_faillock_interval
+    - var_accounts_passwords_pam_faillock_deny=3
+    - accounts_passwords_pam_faillock_deny
+    - accounts_passwords_pam_faillock_deny_root
+    # Automatically unlock users after 15 min to prevent DoS
+    - var_accounts_passwords_pam_faillock_unlock_time=900
+    - accounts_passwords_pam_faillock_unlock_time
+
+    # Do not reuse last two passwords
+    - var_password_pam_unix_remember=2
+    - accounts_password_pam_unix_remember
 
   - id: R19
     level: intermediary
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
index f506a090bb..873d907ab9 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
@@ -15,6 +15,8 @@ options:
     12: 12
     14: 14
     15: 15
+    18: 18
+    20: 20
     6: 6
     7: 7
     8: 8
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
index f41ff432ec..662c53b076 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
@@ -13,6 +13,8 @@ options:
     12: 12
     14: 14
     15: 15
+    18: 18
+    20: 20
     6: 6
     8: 8
     default: 15