# CIS Debian 13 Benchmark - PAM Password Configuration
# Implements CIS recommendations for password security

# Password quality enforcement using pwquality
password    requisite    pam_pwquality.so try_first_pass retry=3 authtok_type=
password    [success=1 default=ignore]  pam_unix.so obscure sha512 rounds=5000 use_authtok
password    sufficient    pam_unix.so sha512 rounds=5000 nullok secure try_first_pass use_authtok
password    required    pam_deny.so

# Account configuration
account    required    pam_unix.so
account    sufficient    pam_localuser.so
account    sufficient    pam_succeed_if.so uid < 1000 quiet
account    required    pam_permit.so

# Authentication configuration
auth    required    pam_env.so
auth    required    pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth    [success=1 default=bad]    pam_unix.so nullok try_first_pass
auth    [default=die]    pam_faillock.so authfail audit deny=5 unlock_time=900
auth    sufficient    pam_faillock.so authsucc audit deny=5 unlock_time=900
auth    required    pam_permit.so

# Session configuration
session    required    pam_limits.so
session    required    pam_unix.so
session    optional    pam_lastlog.so
session    optional    pam_motd.so
session    optional    pam_mail.so standard
session    required    pam_env.so

# Password history - prevent reuse of last 5 passwords
password    required    pam_pwhistory.so remember=5 use_authtok

# Session management for X11
session    optional    pam_ck_connector.so nox11
session    optional    pam_systemd.so

# Home directory creation (if needed)
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=077

# Security modules
session    optional    pam_umask.so umask=077
session    optional    pam_keyinit.so revoke

# Enhanced account lockout configuration
auth    required    pam_faillock.so preauth silent audit deny=5 unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=900
auth    sufficient    pam_unix.so nullok try_first_pass
auth    [default=die]    pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=900
auth    sufficient    pam_faillock.so authsucc audit deny=5 unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=900
auth    required    pam_permit.so

# Prevent empty passwords
password    required    pam_unix.so nullok sha512 shadow try_first_pass use_authtok

# Session restrictions
session    required    pam_limits.so
session    required    pam_unix.so
session    required    pam_lastlog.so showfailed
session    required    pam_env.so readenv=1

# Additional security configurations
account    required    pam_access.so accessfile=/etc/security/access.conf
auth    required    pam_wheel.so trust use_uid
auth    optional    pam_cap.so

# Enhanced logging
auth    optional    pam_echo.so Football Secure Access System Authentication
password    optional    pam_echo.so Password complexity requirements enforced
session    optional    pam_echo.so Session monitoring enabled