From 2df02e3988525eee8360db1e829655a761adb461 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 19 Oct 2020 17:25:05 +0200 Subject: [PATCH 1/2] var pam unix remember, add selector Add selector "2" to var_password_pam_unix_remember. --- .../accounts/accounts-pam/var_password_pam_unix_remember.var | 1 + 1 file changed, 1 insertion(+) diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var index f533a36963..6e7abb3b78 100644 --- a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var +++ b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var @@ -18,6 +18,7 @@ options: "0": "0" 10: 10 24: 24 + 2: 2 4: 4 5: 5 default: 5 From 5503605d2f9e56b07686a9f1f2f3f8418e61b8cb Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 19 Oct 2020 17:29:47 +0200 Subject: [PATCH 2/2] Select rules for password strenght management Rule selection is based on ANSSI DAT-NT-001 --- controls/anssi.yml | 45 ++++++++++++++++++- .../var_password_pam_minlen.var | 2 + ...ar_accounts_password_minlen_login_defs.var | 2 + 3 files changed, 48 insertions(+), 1 deletion(-) diff --git a/controls/anssi.yml b/controls/anssi.yml index 26bc7f4694..3ccd0f8cb3 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml 
@@ -281,7 +281,50 @@ controls: - id: R18 level: minimal title: Administrator password robustness - # rules: TBD + notes: >- + The rules selected below establish a general password strength baseline of 100 bits, + inspired by DAT-NT-001 and the "Password Strenght Calculator" + (https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/). + + The baseline should be reviewed and tailored to the system's use case and needs. + automated: partially + rules: + # Renew passwords every 90 days + - var_accounts_maximum_age_login_defs=90 + - accounts_maximum_age_login_defs + + # Ensure passwords with minimum of 18 characters + - var_password_pam_minlen=18 + - accounts_password_pam_minlen + # Enforce password lenght for new accounts + - var_accounts_password_minlen_login_defs=18 + - accounts_password_minlen_login_defs + # Require at Least 1 Special Character in Password + - var_password_pam_ocredit=1 + - accounts_password_pam_ocredit + # Require at Least 1 Numeric Character in Password + - var_password_pam_dcredit=1 + - accounts_password_pam_dcredit + # Require at Least 1 Uppercase Character in Password + - var_password_pam_ucredit=1 + - accounts_password_pam_ucredit + # Require at Least 1 Lowercase Character in Password + - var_password_pam_lcredit=1 + - accounts_password_pam_lcredit + + # Lock out users after 3 failed authentication attempts within 15 min + - var_accounts_passwords_pam_faillock_fail_interval=900 + - accounts_passwords_pam_faillock_interval + - var_accounts_passwords_pam_faillock_deny=3 + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny_root + # Automatically unlock users after 15 min to prevent DoS + - var_accounts_passwords_pam_faillock_unlock_time=900 + - accounts_passwords_pam_faillock_unlock_time + + # Do not reuse last two passwords + - var_password_pam_unix_remember=2 + - accounts_password_pam_unix_remember - id: R19 level: intermediary 
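Review bot: Selecting `accounts_passwords_pam_faillock_deny_root` next to `var_accounts_passwords_pam_faillock_deny=3` and `fail_interval=900` means three failed attempts against root, from any service that authenticates root through PAM, lock root out of the local console for the full 15-minute `unlock_time`; the "prevent DoS" comment bounds that window but does not record that root is deliberately included, so a comment such as `# even_deny_root is intended: root is locked too, unlock_time=900 bounds the outage` would make the trade-off explicit. The credit selectors (`var_password_pam_ocredit=1` and the three siblings) read as if they set pwquality `ocredit=1`, which in pam_pwquality is a length credit rather than a minimum count; if, as the "Require at Least 1 ..." comments imply, selector `1` maps to the variable's `-1` value, a one-line comment like `# selector 1 maps to pwquality -1 (minimum count), not a credit` would prevent that misreading. `var_password_pam_unix_remember=2` appears to be the smallest history in that variable's option set, so citing the DAT-NT-001 clause it comes from, rather than only "Do not reuse last two passwords", would help reviewers tailoring the baseline as the notes invite. The `controls` list continues past the end of the hunk.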
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var index f506a090bb..873d907ab9 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var @@ -15,6 +15,8 @@ options: 12: 12 14: 14 15: 15 + 18: 18 + 20: 20 6: 6 7: 7 8: 8 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var index f41ff432ec..662c53b076 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var @@ -13,6 +13,8 @@ options: 12: 12 14: 14 15: 15 + 18: 18 + 20: 20 6: 6 8: 8 default: 15