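# CIS Benchmark PAM Password Configuration
# This file enforces password quality requirements, SHA-512 password hashing,
# lockout after repeated authentication failures, and session defaults.
# PAM evaluates the lines of each type (auth, password, session) top to bottom,
# so the relative order of lines of the same type must be preserved.

# Enforce strong passwords
# retry=3 gives the user three attempts at an acceptable password;
# enforce_for_root applies the same checks when root sets a password.
# NOTE(review): no length/complexity options are set on this line, so they
# presumably come from /etc/security/pwquality.conf - confirm.
password required pam_pwquality.so retry=3 enforce_for_root

# Use SHA512 for password hashing
# use_authtok makes pam_unix store the password already vetted by pam_pwquality
# instead of prompting for a new one.
# "nullok" was removed from this line: it lets accounts with an empty password
# field through pam_unix, which contradicts the purpose of this file.
# NOTE(review): a failing "sufficient" module is ignored by PAM; if this is the
# whole password stack, consider ending it with "password required pam_deny.so".
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok

# Lock account after failed attempts
# preauth refuses an account that is already locked before the password is
# checked; authfail records a failed attempt. deny= and unlock_time= (seconds)
# must stay identical on both pam_faillock lines.
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900
# success=1 skips the authfail line below when the password is correct.
# "nullok_secure" was removed: it permits empty-password logins, and accounts
# without a password must not be able to authenticate under this policy.
auth [success=1 default=bad] pam_unix.so
auth required pam_faillock.so authfail audit deny=5 unlock_time=900
# NOTE(review): nothing in this file clears the failure count after a successful
# login (a "pam_faillock.so authsucc" line or "account required pam_faillock.so");
# confirm one exists elsewhere in the stack, otherwise old failures accumulate
# towards deny=5.

# Last successful login display
# showfailed also reports failed attempts since the last login, which helps
# users notice password guessing against their account.
session required pam_lastlog.so showfailed

# Limit resource usage
# Applies the limits defined in /etc/security/limits.conf and limits.d.
session required pam_limits.so

# Set secure umask
# umask=077: new files are readable and writable by their owner only.
session optional pam_umask.so umask=077

# No delay for successful login, delay for failed
# delay is in microseconds (4000000 = 4 s); it slows online password guessing.
auth optional pam_faildelay.so delay=4000000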