diff --git a/src/security-hardening.sh b/src/security-hardening.sh
index 9c98a22..4b4523e 100755
--- a/src/security-hardening.sh
+++ b/src/security-hardening.sh
@@ -61,19 +61,41 @@ configure_password_policy() {
 local output_file="${1:-/etc/security/pwquality.conf}"
 cat >"$output_file" <<'EOF'
-# Password quality requirements
+# KNEL-Football Password Quality Requirements (MANDATORY for tier0 security)
+# Reference: NIST SP 800-63B, CIS Benchmarks for Debian
+# All passwords/passphrases must meet these strict requirements
+
+# Minimum length: 14 characters (strongly recommended: 20+ characters)
 minlen = 14
-dcredit = -1
-ucredit = -1
-lcredit = -1
-ocredit = -1
-difok = 4
-maxrepeat = 3
-usercheck = 1
-dictcheck = 1
+
+# Minimum requirements (negative values = mandatory minimum counts)
+dcredit = -1 # Require at least 1 digit (0-9)
+ucredit = -1 # Require at least 1 uppercase letter (A-Z)
+lcredit = -1 # Require at least 1 lowercase letter (a-z)
+ocredit = -1 # Require at least 1 special character (!@#$%^&*)
+
+# Additional complexity requirements
+difok = 4 # Require at least 4 characters different from old password
+maxrepeat = 2 # Max 2 consecutive identical characters
+maxclassrepeat = 2 # Max 2 consecutive characters from same class
+maxsequence = 2 # Max 2 monotonic character sequences (e.g., 123, abc)
+
+# Security checks (all enabled)
+usercheck = 1 # Check if password contains username
+dictcheck = 1 # Check against common dictionary words
+gecoscheck = 1 # Check against GECOS field information
+enforcing = 1 # Reject weak passwords (for all users including root)
+
+# Reject common weak patterns
+badwords = password secret admin root knel football tier0 12345 qwerty
+
+# Additional restrictions
+minclass = 3 # Require at least 3 of 4 character classes
+# Classes: digits, uppercase, lowercase, other characters
 EOF
 echo "Password policy configured at $output_file"
+ echo "Requirements: 14+ chars, 1 uppercase, 1 lowercase, 1 digit, 1 special char"
 }
 # Function to configure system limits
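Review bot: `maxclassrepeat = 2` in the new heredoc rejects any password containing three consecutive characters of the same class, so a value such as "Tier0Football!" fails on the run "ootball" and the 20+ character passphrases the header recommends cannot be set at all; until this is relaxed, operators will be unable to change passwords, which is a lockout risk rather than a hardening gain — either disable it with `maxclassrepeat = 0 # disabled: passphrases legitimately contain long runs of one class` or pick a value the team has actually tested against its own password conventions. The comment on `enforcing = 1` is also misleading: `enforcing` only turns a warning into a rejection for ordinary users, while root is governed by the separate `enforce_for_root` option, so add `enforce_for_root` or drop "including root" from the comment. Likewise `maxsequence` is the maximum length of a monotonic run, not a count of runs, so the comment should read `maxsequence = 2 # Reject monotonic runs longer than 2 chars (e.g., 123, abc)`. The `echo "Requirements: …"` line added after the heredoc should mention the repeat/sequence limits as well, since those, not the per-class minimums, will cause most rejections. configure_password_policy's signature sits in the hunk header, just outside the hunk.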