KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d9eb08c9fde9b64f14b94fe268e78a2d9b5a718c
football/chroot-overlay/etc/pam.d/common-password-cis
Charles N Wyble 1d74ae7ff1 feat: implement CIS Debian Benchmark hardening controls 
- Add kernel hardening via sysctl (network, system, ARP hardening)
- Implement password quality requirements (14 char, complexity)
- Configure password aging policies (90 day max)
- Add PAM authentication hardening with faillock
- Implement sudo restrictions and least privilege

CIS Benchmark Controls Implemented:
- Section 1: Filesystem Permissions
- Section 3: Network Parameters
- Section 4: Logging and Auditing
- Section 5: Access Control

Security Features:
- Kernel parameter hardening (randomization, core dumps)
- Strong password policies (complexity, aging, lockout)
- Sudo access logging and restrictions
- Authentication failure account lockout

Compliance:
- CIS Debian 13 Benchmark: Section 1, 3, 4, 5
- CMMC Level 3: AC, IA, CM domains
- FedRAMP Moderate: AC, IA, CM controls

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:33:11 -05:00

26 lines
819 B
Plaintext
Raw Blame History

# CIS Benchmark PAM Password Configuration
# This file enforces password quality requirements
# Enforce strong passwords
password required pam_pwquality.so retry=3 enforce_for_root
# Use SHA512 for password hashing
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
# Lock account after failed attempts
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so nullok_secure
auth required pam_faillock.so authfail audit deny=5 unlock_time=900
# Last successful login display
session required pam_lastlog.so showfailed
# Limit resource usage
session required pam_limits.so
# Set secure umask
session optional pam_umask.so umask=077
# No delay for successful login, delay for failed
auth optional pam_faildelay.so delay=4000000
Reference in New Issue View Git Blame Copy Permalink