From 2df02e3988525eee8360db1e829655a761adb461 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 19 Oct 2020 17:25:05 +0200
Subject: [PATCH 1/2] var pam unix remember, add selector
Add selector "2" to var_password_pam_unix_remember.
---
.../accounts/accounts-pam/var_password_pam_unix_remember.var | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
index f533a36963..6e7abb3b78 100644
--- a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
+++ b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
@@ -18,6 +18,7 @@ options:
"0": "0"
10: 10
24: 24
+ 2: 2
4: 4
5: 5
default: 5
From 5503605d2f9e56b07686a9f1f2f3f8418e61b8cb Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 19 Oct 2020 17:29:47 +0200
Subject: [PATCH 2/2] Select rules for password strenght management
Rule selection is based on ANSSI DAT-NT-001
---
controls/anssi.yml | 45 ++++++++++++++++++-
.../var_password_pam_minlen.var | 2 +
...ar_accounts_password_minlen_login_defs.var | 2 +
3 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 26bc7f4694..3ccd0f8cb3 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -281,7 +281,50 @@ controls:
- id: R18
level: minimal
title: Administrator password robustness
- # rules: TBD
+ notes: >-
+ The rules selected below establish a general password strength baseline of 100 bits,
+ inspired by DAT-NT-001 and the "Password Strenght Calculator"
+ (https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/).
+
+ The baseline should be reviewed and tailored to the system's use case and needs.
+ automated: partially
+ rules:
+ # Renew passwords every 90 days
+ - var_accounts_maximum_age_login_defs=90
+ - accounts_maximum_age_login_defs
+
+ # Ensure passwords with minimum of 18 characters
+ - var_password_pam_minlen=18
+ - accounts_password_pam_minlen
+ # Enforce password lenght for new accounts
+ - var_accounts_password_minlen_login_defs=18
+ - accounts_password_minlen_login_defs
+ # Require at Least 1 Special Character in Password
+ - var_password_pam_ocredit=1
+ - accounts_password_pam_ocredit
+ # Require at Least 1 Numeric Character in Password
+ - var_password_pam_dcredit=1
+ - accounts_password_pam_dcredit
+ # Require at Least 1 Uppercase Character in Password
+ - var_password_pam_ucredit=1
+ - accounts_password_pam_ucredit
+ # Require at Least 1 Lowercase Character in Password
+ - var_password_pam_lcredit=1
+ - accounts_password_pam_lcredit
+
+ # Lock out users after 3 failed authentication attempts within 15 min
+ - var_accounts_passwords_pam_faillock_fail_interval=900
+ - accounts_passwords_pam_faillock_interval
+ - var_accounts_passwords_pam_faillock_deny=3
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_deny_root
+ # Automatically unlock users after 15 min to prevent DoS
+ - var_accounts_passwords_pam_faillock_unlock_time=900
+ - accounts_passwords_pam_faillock_unlock_time
+
+ # Do not reuse last two passwords
+ - var_password_pam_unix_remember=2
+ - accounts_password_pam_unix_remember
- id: R19
level: intermediary
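Review bot: The four pwquality credit selections (`var_password_pam_ocredit=1`, `var_password_pam_dcredit=1`, `var_password_pam_ucredit=1`, `var_password_pam_lcredit=1`) do not enforce what their comments claim: in pam_pwquality a credit value of zero or more is the maximum length credit granted for that character class, and only a negative value sets a required minimum count, so with these values a password lacking any special character, digit or uppercase letter still passes as long as it meets minlen=18. If the variables offer a negative selector, `- var_password_pam_ocredit=-1` (and the same for the other three) would match the "Require at Least 1 ..." comments; otherwise the comments should be reworded to something like `# Grant one length credit per special character` so the control's notes do not overstate the baseline. The notes block and comments in this hunk also carry spelling slips (`Strenght`, `lenght`) that are worth correcting since the notes text is rendered into the guide. The hunk's trailing context appears one line shorter than its `@@ -281,7 +281,50 @@` header counts, so a blank or context line may have been lost in extraction; the R19 entry continues outside the hunk.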
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
index f506a090bb..873d907ab9 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
@@ -15,6 +15,8 @@ options:
12: 12
14: 14
15: 15
+ 18: 18
+ 20: 20
6: 6
7: 7
8: 8
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
index f41ff432ec..662c53b076 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
@@ -13,6 +13,8 @@ options:
12: 12
14: 14
15: 15
+ 18: 18
+ 20: 20
6: 6
8: 8
default: 15