feat: implement CIS Debian Benchmark hardening controls

- Add kernel hardening via sysctl (network, system, ARP hardening) - Implement password quality requirements (14 char, complexity) - Configure password aging policies (90 day max) - Add PAM authentication hardening with faillock - Implement sudo restrictions and least privilege CIS Benchmark Controls Implemented: - Section 1: Filesystem Permissions - Section 3: Network Parameters - Section 4: Logging and Auditing - Section 5: Access Control Security Features: - Kernel parameter hardening (randomization, core dumps) - Strong password policies (complexity, aging, lockout) - Sudo access logging and restrictions - Authentication failure account lockout Compliance: - CIS Debian 13 Benchmark: Section 1, 3, 4, 5 - CMMC Level 3: AC, IA, CM domains - FedRAMP Moderate: AC, IA, CM controls 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:33:11 -05:00
parent 336089a1c5
commit 1d74ae7ff1
5 changed files with 297 additions and 0 deletions
--- a/chroot-overlay/etc/login.defs
+++ b/chroot-overlay/etc/login.defs
@@ -0,0 +1,65 @@
+# CIS Benchmark Login Configuration
+# Implements CIS Debian Benchmark Section 5.4.2
+
+# ============================================================================
+# Password Aging
+# ============================================================================
+
+# Maximum password age (days)
+PASS_MAX_DAYS 90
+
+# Minimum password age (days)
+PASS_MIN_DAYS 1
+
+# Password warning period (days)
+PASS_WARN_AGE 7
+
+# ============================================================================
+# Login Settings
+# ============================================================================
+
+# Number of failed logins before account lock
+FAILLOG_ENAB yes
+
+# Maximum number of login retries
+LOGIN_RETRIES 5
+
+# Delay in seconds before next login after failure
+LOGIN_TIMEOUT 60
+
+# Enable lastlog
+LASTLOG_ENAB yes
+
+# ============================================================================
+# UID/GID Settings
+# ============================================================================
+
+# System user range
+SYS_UID_MIN 100
+SYS_UID_MAX 999
+SYS_GID_MIN 100
+SYS_GID_MAX 999
+
+# ============================================================================
+# Home Directory
+# ============================================================================
+
+# Create home directory if it doesn't exist
+CREATE_HOME yes
+
+# Default umask
+UMASK 077
+
+# ============================================================================
+# Other Security Settings
+# ============================================================================
+
+# Enable logging
+LOG_UNKFAIL_ENAB yes
+LOG_OK_LOGINS yes
+
+# Silence last login message
+HUSHLOGIN_FILE .hushlogin
+
+# Use SHA512 for password hashes
+ENCRYPT_METHOD SHA512