- Add kernel hardening via sysctl (network, system, ARP hardening)
- Implement password quality requirements (14 char, complexity)
- Configure password aging policies (90 day max)
- Add PAM authentication hardening with faillock
- Implement sudo restrictions and least privilege

CIS Benchmark Controls Implemented:
- Section 1: Filesystem Permissions
- Section 3: Network Parameters
- Section 4: Logging and Auditing
- Section 5: Access Control

Security Features:
- Kernel parameter hardening (randomization, core dumps)
- Strong password policies (complexity, aging, lockout)
- Sudo access logging and restrictions
- Authentication failure account lockout

Compliance:
- CIS Debian 13 Benchmark: Section 1, 3, 4, 5
- CMMC Level 3: AC, IA, CM domains
- FedRAMP Moderate: AC, IA, CM controls

💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
43 lines
899 B
Plaintext
# CIS Benchmark Password Policy
# Implements CIS Debian Benchmark Section 5.4.1

# ============================================================================
# PAM Quality Requirements
# ============================================================================

# Minimum password length
minlen = 14

# Minimum number of lowercase characters (a negative value is a required count)
lcredit = -1

# Minimum number of uppercase characters
ucredit = -1

# Minimum number of digits
dcredit = -1

# Minimum number of special characters
ocredit = -1

# Maximum number of consecutive characters of the same class
maxclassrepeat = 3

# Maximum number of identical consecutive characters
maxrepeat = 3

# Reject passwords containing the username
usercheck = 1

# Apply the checks to root as well (by default root is only warned)
enforce_for_root

# Minimum number of characters that must differ from the old password
difok = 3

# Check the password against the cracklib dictionary
dictcheck = 1

# Word used in the password prompts (left empty for the default)
authtok_type =
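To see what this policy accepts and rejects without going through PAM, here is an added Python checker that re-implements the rules of the pwquality.conf above in simplified form; it is not part of this commit or of libpwquality, dictcheck is omitted because it needs cracklib's word list, and the usercheck and difok logic are approximations of libpwquality's.

```python
from collections import Counter
# Settings copied from the pwquality.conf above (dictcheck needs cracklib, omitted).
SETTINGS = {"minlen": 14, "lcredit": -1, "ucredit": -1, "dcredit": -1,
            "ocredit": -1, "maxclassrepeat": 3, "maxrepeat": 3,
            "usercheck": 1, "difok": 3}

def char_class(c):
    if c.islower(): return "lower"
    if c.isupper(): return "upper"
    if c.isdigit(): return "digit"
    return "other"

def longest_run(seq):
    # Length of the longest run of equal consecutive items.
    best = run = 0
    prev = None
    for x in seq:
        run = run + 1 if x == prev else 1
        best, prev = max(best, run), x
    return best

def edit_distance(a, b):
    # Levenshtein distance; libpwquality uses it for the difok similarity check.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_password(new, old=None, user=None, s=SETTINGS):
    """Return the names of the violated settings; an empty list means accepted."""
    errors = []
    if len(new) < s["minlen"]:
        errors.append("minlen")
    counts = Counter(map(char_class, new))
    # A negative credit is a required minimum count for that character class.
    for key, cls in (("lcredit", "lower"), ("ucredit", "upper"),
                     ("dcredit", "digit"), ("ocredit", "other")):
        if s[key] < 0 and counts[cls] < -s[key]:
            errors.append(key)
    if s["maxrepeat"] and longest_run(new) > s["maxrepeat"]:
        errors.append("maxrepeat")
    if s["maxclassrepeat"] and longest_run(map(char_class, new)) > s["maxclassrepeat"]:
        errors.append("maxclassrepeat")
    if s["usercheck"] and user and (user.lower() in new.lower() or user.lower()[::-1] in new.lower()):
        errors.append("usercheck")  # simplified form of libpwquality's username check
    # Too similar to the old one: fewer than difok edits away and under twice its length.
    if old and s["difok"] and edit_distance(old, new) < s["difok"] and len(new) < 2 * len(old):
        errors.append("difok")
    return errors
```

The sample passwords in the checks below are constructed; running `pam_pwquality` itself remains the authoritative test of the installed policy.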