# CIS Benchmark Login Configuration
# Implements CIS Debian Benchmark Section 5.4.2

# ============================================================================
# Password Aging
# ============================================================================

# Maximum password age (days)
PASS_MAX_DAYS   90

# Minimum password age (days)
PASS_MIN_DAYS   1

# Password warning period (days)
PASS_WARN_AGE   7

# ============================================================================
# Login Settings
# ============================================================================

# Enable logging and display of login failures in /var/log/faillog
FAILLOG_ENAB    yes

# Maximum number of login retries after a bad password
LOGIN_RETRIES   5

# Maximum time in seconds allowed to complete a login
LOGIN_TIMEOUT   60

# Enable logging and display of last login times in /var/log/lastlog
LASTLOG_ENAB    yes

# ============================================================================
# UID/GID Settings
# ============================================================================

# System user range
SYS_UID_MIN     100
SYS_UID_MAX     999
SYS_GID_MIN     100
SYS_GID_MAX     999

# ============================================================================
# Home Directory
# ============================================================================

# Create a home directory by default for new users
CREATE_HOME     yes

# Default umask
UMASK           077

# ============================================================================
# Other Security Settings
# ============================================================================

# Record unknown usernames when login failures are logged
LOG_UNKFAIL_ENAB yes

# Log successful logins
LOG_OK_LOGINS   yes

# Per-user file that, when present, suppresses the usual login messages
HUSHLOGIN_FILE  .hushlogin

# Use SHA512 for password hashes
ENCRYPT_METHOD  SHA512