118 lines
4.8 KiB
Diff
118 lines
4.8 KiB
Diff
From 2df02e3988525eee8360db1e829655a761adb461 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Mon, 19 Oct 2020 17:25:05 +0200
|
|
Subject: [PATCH 1/2] var pam unix remember, add selector
|
|
|
|
Add selector "2" to var_password_pam_unix_remember.
|
|
---
|
|
.../accounts/accounts-pam/var_password_pam_unix_remember.var | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
|
|
index f533a36963..6e7abb3b78 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
|
|
+++ b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
|
|
@@ -18,6 +18,7 @@ options:
|
|
"0": "0"
|
|
10: 10
|
|
24: 24
|
|
+ 2: 2
|
|
4: 4
|
|
5: 5
|
|
default: 5
|
|
|
|
From 5503605d2f9e56b07686a9f1f2f3f8418e61b8cb Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Mon, 19 Oct 2020 17:29:47 +0200
|
|
Subject: [PATCH 2/2] Select rules for password strenght management
|
|
|
|
Rule selection is based on ANSSI DAT-NT-001
|
|
---
|
|
controls/anssi.yml | 45 ++++++++++++++++++-
|
|
.../var_password_pam_minlen.var | 2 +
|
|
...ar_accounts_password_minlen_login_defs.var | 2 +
|
|
3 files changed, 48 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
|
index 26bc7f4694..3ccd0f8cb3 100644
|
|
--- a/controls/anssi.yml
|
|
+++ b/controls/anssi.yml
|
|
@@ -281,7 +281,50 @@ controls:
|
|
- id: R18
|
|
level: minimal
|
|
title: Administrator password robustness
|
|
- # rules: TBD
|
|
+ notes: >-
|
|
+ The rules selected below establish a general password strength baseline of 100 bits,
|
|
+ inspired by DAT-NT-001 and the "Password Strenght Calculator"
|
|
+ (https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/).
|
|
+
|
|
+ The baseline should be reviewed and tailored to the system's use case and needs.
|
|
+ automated: partially
|
|
+ rules:
|
|
+ # Renew passwords every 90 days
|
|
+ - var_accounts_maximum_age_login_defs=90
|
|
+ - accounts_maximum_age_login_defs
|
|
+
|
|
+ # Ensure passwords with minimum of 18 characters
|
|
+ - var_password_pam_minlen=18
|
|
+ - accounts_password_pam_minlen
|
|
+ # Enforce password lenght for new accounts
|
|
+ - var_accounts_password_minlen_login_defs=18
|
|
+ - accounts_password_minlen_login_defs
|
|
+ # Require at Least 1 Special Character in Password
|
|
+ - var_password_pam_ocredit=1
|
|
+ - accounts_password_pam_ocredit
|
|
+ # Require at Least 1 Numeric Character in Password
|
|
+ - var_password_pam_dcredit=1
|
|
+ - accounts_password_pam_dcredit
|
|
+ # Require at Least 1 Uppercase Character in Password
|
|
+ - var_password_pam_ucredit=1
|
|
+ - accounts_password_pam_ucredit
|
|
+ # Require at Least 1 Lowercase Character in Password
|
|
+ - var_password_pam_lcredit=1
|
|
+ - accounts_password_pam_lcredit
|
|
+
|
|
+ # Lock out users after 3 failed authentication attempts within 15 min
|
|
+ - var_accounts_passwords_pam_faillock_fail_interval=900
|
|
+ - accounts_passwords_pam_faillock_interval
|
|
+ - var_accounts_passwords_pam_faillock_deny=3
|
|
+ - accounts_passwords_pam_faillock_deny
|
|
+ - accounts_passwords_pam_faillock_deny_root
|
|
+ # Automatically unlock users after 15 min to prevent DoS
|
|
+ - var_accounts_passwords_pam_faillock_unlock_time=900
|
|
+ - accounts_passwords_pam_faillock_unlock_time
|
|
+
|
|
+ # Do not reuse last two passwords
|
|
+ - var_password_pam_unix_remember=2
|
|
+ - accounts_password_pam_unix_remember
|
|
|
|
- id: R19
|
|
level: intermediary
|
|
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
|
|
index f506a090bb..873d907ab9 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
|
|
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
|
|
@@ -15,6 +15,8 @@ options:
|
|
12: 12
|
|
14: 14
|
|
15: 15
|
|
+ 18: 18
|
|
+ 20: 20
|
|
6: 6
|
|
7: 7
|
|
8: 8
|
|
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
|
|
index f41ff432ec..662c53b076 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
|
|
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
|
|
@@ -13,6 +13,8 @@ options:
|
|
12: 12
|
|
14: 14
|
|
15: 15
|
|
+ 18: 18
|
|
+ 20: 20
|
|
6: 6
|
|
8: 8
|
|
default: 15
|