- Add kernel hardening via sysctl (network, system, ARP hardening)
- Implement password quality requirements (14 char, complexity)
- Configure password aging policies (90 day max)
- Add PAM authentication hardening with faillock
- Implement sudo restrictions and least privilege

CIS Benchmark Controls Implemented:
- Section 1: Filesystem Permissions
- Section 3: Network Parameters
- Section 4: Logging and Auditing
- Section 5: Access Control

Security Features:
- Kernel parameter hardening (randomization, core dumps)
- Strong password policies (complexity, aging, lockout)
- Sudo access logging and restrictions
- Authentication failure account lockout

Compliance:
- CIS Debian 13 Benchmark: Section 1, 3, 4, 5
- CMMC Level 3: AC, IA, CM domains
- FedRAMP Moderate: AC, IA, CM controls

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
66 lines
1.6 KiB
Plaintext
# CIS Benchmark Login Configuration
# Implements CIS Debian Benchmark Section 5.4.2

# ============================================================================
# Password Aging
# ============================================================================

# Maximum password age (days)
PASS_MAX_DAYS 90

# Minimum password age (days)
PASS_MIN_DAYS 1

# Password warning period (days)
PASS_WARN_AGE 7

# ============================================================================
# Login Settings
# ============================================================================

# Log failed logins to faillog (the lockout threshold itself is enforced by PAM faillock, not here)
FAILLOG_ENAB yes

# Maximum number of login retries
LOGIN_RETRIES 5

# Maximum time in seconds allowed to complete a login attempt
LOGIN_TIMEOUT 60

# Enable lastlog
LASTLOG_ENAB yes

# ============================================================================
# UID/GID Settings
# ============================================================================

# System user range
SYS_UID_MIN 100
SYS_UID_MAX 999
SYS_GID_MIN 100
SYS_GID_MAX 999

# ============================================================================
# Home Directory
# ============================================================================

# Create home directory if it doesn't exist
CREATE_HOME yes

# Default umask
UMASK 077

# ============================================================================
# Other Security Settings
# ============================================================================

# Enable logging of unknown usernames and successful logins
LOG_UNKFAIL_ENAB yes
LOG_OK_LOGINS yes

# Per-user file that, if present in the home directory, silences the last login message
HUSHLOGIN_FILE .hushlogin

# Use SHA512 for password hashes
ENCRYPT_METHOD SHA512
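As an added example that is not part of this commit, the following POSIX shell script audits a login.defs-style file against the values set above, skipping comments and letting the last uncommented assignment of a key win, as shadow's own parser does. The two sample files it writes are constructed for the demo and do not come from a real host.

```shell
#!/bin/sh
# Audit a login.defs-style file against the values set in this commit.
# Prints PASS/FAIL per key and returns 1 if any expected value is missing or wrong.

# login_defs_get FILE KEY -> prints the effective value of KEY (nothing if unset)
login_defs_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }      # comment line
        $1 == key        { val = $2 }  # later assignments override earlier ones
        END { if (val != "") print val }' "$1"
}

# audit_login_defs FILE -> 0 if every expected key matches, 1 otherwise
audit_login_defs() {
    status=0
    # "KEY EXPECTED" pairs taken from the configuration above
    for pair in 'PASS_MAX_DAYS 90' 'PASS_MIN_DAYS 1' 'PASS_WARN_AGE 7' \
                'LOGIN_RETRIES 5' 'LOGIN_TIMEOUT 60' 'CREATE_HOME yes' \
                'UMASK 077' 'ENCRYPT_METHOD SHA512'; do
        key=${pair%% *}; expected=${pair#* }
        actual=$(login_defs_get "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "PASS $key=$actual"
        else
            echo "FAIL $key expected '$expected' got '${actual:-<unset>}'"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample matching the hardened file above (not a real host's file)
write_sample_hardened() {
    printf '%s\n' '# Password Aging' 'PASS_MAX_DAYS 90' 'PASS_MIN_DAYS 1' \
        'PASS_WARN_AGE 7' 'LOGIN_RETRIES 5' 'LOGIN_TIMEOUT 60' \
        'CREATE_HOME yes' 'UMASK 077' 'ENCRYPT_METHOD SHA512' > "$1"
}

# Constructed sample with lax defaults and the hash method left commented out
write_sample_weak() {
    printf '%s\n' 'PASS_MAX_DAYS 99999' 'PASS_MIN_DAYS 0' 'PASS_WARN_AGE 7' \
        'UMASK 022' '# ENCRYPT_METHOD SHA512' > "$1"
}

# Demo: audit both constructed files
hardened=$(mktemp); weak=$(mktemp)
write_sample_hardened "$hardened"; write_sample_weak "$weak"
audit_login_defs "$hardened" && echo "hardened sample: compliant"
audit_login_defs "$weak" || echo "weak sample: non-compliant"
rm -f "$hardened" "$weak"
```

To audit a live system, call `audit_login_defs /etc/login.defs` and treat any FAIL line as a drift from this commit's baseline.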