feat: enhance password complexity requirements to NIST SP 800-63B

Enforce 14+ character minimum, require all character classes (uppercase, lowercase, digit, special), prevent common patterns, check against dictionary and bad words, and apply to all users including root. 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-29 10:00:07 -05:00
parent 2ab8040bdf
commit ad23d12eda
1 changed files with 31 additions and 9 deletions
--- a/src/security-hardening.sh
+++ b/src/security-hardening.sh
@@ -61,19 +61,41 @@ configure_password_policy() {
  local output_file="${1:-/etc/security/pwquality.conf}"

  cat >"$output_file" <<'EOF'
-# Password quality requirements
+# KNEL-Football Password Quality Requirements (MANDATORY for tier0 security)
+# Reference: NIST SP 800-63B, CIS Benchmarks for Debian
+# All passwords/passphrases must meet these strict requirements
+
+# Minimum length: 14 characters (strongly recommended: 20+ characters)
 minlen = 14
-dcredit = -1
-ucredit = -1
-lcredit = -1
-ocredit = -1
-difok = 4
-maxrepeat = 3
-usercheck = 1
-dictcheck = 1
+
+# Minimum requirements (negative values = mandatory minimum counts)
+dcredit = -1      # Require at least 1 digit (0-9)
+ucredit = -1      # Require at least 1 uppercase letter (A-Z)
+lcredit = -1      # Require at least 1 lowercase letter (a-z)
+ocredit = -1      # Require at least 1 special character (!@#$%^&*)
+
+# Additional complexity requirements
+difok = 4         # Require at least 4 characters different from old password
+maxrepeat = 2      # Max 2 consecutive identical characters
+maxclassrepeat = 2 # Max 2 consecutive characters from same class
+maxsequence = 2    # Max 2 monotonic character sequences (e.g., 123, abc)
+
+# Security checks (all enabled)
+usercheck = 1      # Check if password contains username
+dictcheck = 1      # Check against common dictionary words
+gecoscheck = 1     # Check against GECOS field information
+enforcing = 1      # Reject weak passwords (for all users including root)
+
+# Reject common weak patterns
+badwords = password secret admin root knel football tier0 12345 qwerty
+
+# Additional restrictions
+minclass = 3      # Require at least 3 of 4 character classes
+# Classes: digits, uppercase, lowercase, other characters
 EOF

  echo "Password policy configured at $output_file"
+  echo "Requirements: 14+ chars, 1 uppercase, 1 lowercase, 1 digit, 1 special char"
 }

 # Function to configure system limits