From ad23d12edab309d855717691335a37415eaad3af Mon Sep 17 00:00:00 2001 From: ReachableCEO Date: Thu, 29 Jan 2026 10:00:07 -0500 Subject: [PATCH] feat: enhance password complexity requirements to NIST SP 800-63B MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Enforce 14+ character minimum, require all character classes (uppercase, lowercase, digit, special), prevent common patterns, check against dictionary and bad words, and apply to all users including root. 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush --- src/security-hardening.sh | 40 ++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/src/security-hardening.sh b/src/security-hardening.sh index 9c98a22..4b4523e 100755 --- a/src/security-hardening.sh +++ b/src/security-hardening.sh @@ -61,19 +61,41 @@ configure_password_policy() { local output_file="${1:-/etc/security/pwquality.conf}" cat >"$output_file" <<'EOF' -# Password quality requirements +# KNEL-Football Password Quality Requirements (MANDATORY for tier0 security) +# Reference: NIST SP 800-63B, CIS Benchmarks for Debian +# All passwords/passphrases must meet these strict requirements + +# Minimum length: 14 characters (strongly recommended: 20+ characters) minlen = 14 -dcredit = -1 -ucredit = -1 -lcredit = -1 -ocredit = -1 -difok = 4 -maxrepeat = 3 -usercheck = 1 -dictcheck = 1 + +# Minimum requirements (negative values = mandatory minimum counts) +dcredit = -1 # Require at least 1 digit (0-9) +ucredit = -1 # Require at least 1 uppercase letter (A-Z) +lcredit = -1 # Require at least 1 lowercase letter (a-z) +ocredit = -1 # Require at least 1 special character (!@#$%^&*) + +# Additional complexity requirements +difok = 4 # Require at least 4 characters different from old password +maxrepeat = 2 # Max 2 consecutive identical characters +maxclassrepeat = 2 # Max 2 consecutive characters from same class +maxsequence = 2 # Max 2 monotonic character sequences (e.g., 123, abc) + +# Security checks (all enabled) +usercheck = 1 # Check if password contains username +dictcheck = 1 # Check against common dictionary words +gecoscheck = 1 # Check against GECOS field information +enforcing = 1 # Reject weak passwords (for all users including root) + +# Reject common weak patterns +badwords = password secret admin root knel football tier0 12345 qwerty + +# Additional restrictions +minclass = 3 # Require at least 3 of 4 character classes +# Classes: digits, uppercase, lowercase, other characters EOF echo "Password policy configured at $output_file" + echo "Requirements: 14+ chars, 1 uppercase, 1 lowercase, 1 digit, 1 special char" } # Function to configure system limits