progress snapshot

config/common-password-cis

@@ -0,0 +1,70 @@
+# CIS Debian 13 Benchmark - PAM Password Configuration
+# Implements CIS recommendations for password security
+
+# Password quality enforcement using pwquality
+password    requisite    pam_pwquality.so try_first_pass retry=3 authtok_type=
+password    [success=1 default=ignore]  pam_unix.so obscure sha512 rounds=5000 use_authtok
+password    sufficient    pam_unix.so sha512 rounds=5000 nullok secure try_first_pass use_authtok
+password    required    pam_deny.so
+
+# Account configuration
+account    required    pam_unix.so
+account    sufficient    pam_localuser.so
+account    sufficient    pam_succeed_if.so uid < 1000 quiet
+account    required    pam_permit.so
+
+# Authentication configuration
+auth    required    pam_env.so
+auth    required    pam_faillock.so preauth audit silent deny=5 unlock_time=900
+auth    [success=1 default=bad]    pam_unix.so nullok try_first_pass
+auth    [default=die]    pam_faillock.so authfail audit deny=5 unlock_time=900
+auth    sufficient    pam_faillock.so authsucc audit deny=5 unlock_time=900
+auth    required    pam_permit.so
+
+# Session configuration
+session    required    pam_limits.so
+session    required    pam_unix.so
+session    optional    pam_lastlog.so
+session    optional    pam_motd.so
+session    optional    pam_mail.so standard
+session    required    pam_env.so
+
+# Password history - prevent reuse of last 5 passwords
+password    required    pam_pwhistory.so remember=5 use_authtok
+
+# Session management for X11
+session    optional    pam_ck_connector.so nox11
+session    optional    pam_systemd.so
+
+# Home directory creation (if needed)
+session    required    pam_mkhomedir.so skel=/etc/skel/ umask=077
+
+# Security modules
+session    optional    pam_umask.so umask=077
+session    optional    pam_keyinit.so revoke
+
+# Enhanced account lockout configuration
+auth    required    pam_faillock.so preauth silent audit deny=5 unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=900
+auth    sufficient    pam_unix.so nullok try_first_pass
+auth    [default=die]    pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=900
+auth    sufficient    pam_faillock.so authsucc audit deny=5 unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=900
+auth    required    pam_permit.so
+
+# Prevent empty passwords
+password    required    pam_unix.so nullok sha512 shadow try_first_pass use_authtok
+
+# Session restrictions
+session    required    pam_limits.so
+session    required    pam_unix.so
+session    required    pam_lastlog.so showfailed
+session    required    pam_env.so readenv=1
+
+# Additional security configurations
+account    required    pam_access.so accessfile=/etc/security/access.conf
+auth    required    pam_wheel.so trust use_uid
+auth    optional    pam_cap.so
+
+# Enhanced logging
+auth    optional    pam_echo.so Football Secure Access System Authentication
+password    optional    pam_echo.so Password complexity requirements enforced
+session    optional    pam_echo.so Session monitoring enabled