Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Account Lockouts Must Persist
By setting a `dir` in the faillock configuration account lockouts will persist across reboots.Rule Medium Severity -
Limit Password Reuse: password-auth
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code>...Rule Medium Severity -
Limit Password Reuse: system-auth
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code>...Rule Medium Severity -
Limit Password Reuse
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> or <...Rule Medium Severity -
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Configure the root Account for Failed Password Attempts
This rule configures the system to lock out the <code>root</code> account after a number of incorrect login attempts using <code>pam_faillock.so</c...Rule Medium Severity -
number of days after the last login of the user when the user will be locked out
'This option is specific for the auth or account phase. It specifies the number of days after the last login of the user when the user will be lock...Value -
Lock Accounts Must Persist
This rule ensures that the system lock out accounts using <code>pam_faillock.so</code> persist after system reboot. From "pam_faillock" man pages: ...Rule Medium Severity -
Enforce pam_faillock for Local Accounts Only
The pam_faillock module's <code>local_users_only</code> parameter controls requirements for enforcing failed lockout attempts only for local user a...Rule Medium Severity -
Set Interval For Counting Failed Password Attempts
Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out an account after a number of inc...Rule Medium Severity -
Do Not Show System Messages When Unsuccessful Logon Attempts Occur
This rule ensures the system prevents informative messages from being presented to the user pertaining to logon information after a number of incor...Rule Medium Severity -
Set Lockout Time for Failed Password Attempts
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_fail...Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure pas...Group -
Set Password Quality Requirements, if using pam_cracklib
The <code>pam_cracklib</code> PAM module can be configured to meet requirements for a variety of policies. <br><br> For example, to configure <code...Group -
Set Password Quality Requirements with pam_pwquality
The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br><br> For example, to configure <cod...Group -
dcredit
Minimum number of digits in passwordValue -
dictcheck
Prevent the use of dictionary words for passwords.Value -
difok
Minimum number of characters not present in old passwordValue -
lcredit
Minimum number of lower case in passwordValue -
maxclassrepeat
Maximum Number of Consecutive Repeating Characters in a Password From the Same Character ClassValue -
maxrepeat
Maximum Number of Consecutive Repeating Characters in a PasswordValue -
minclass
Minimum number of categories of characters that must exist in a passwordValue -
minlen
Minimum number of characters in passwordValue -
ocredit
Minimum number of other (special characters) in passwordValue -
retry
Number of retry attempts before erroring outValue -
ucredit
Minimum number of upper case in passwordValue -
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, a...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
The pam_pwquality module's <code>dictcheck</code> check if passwords contains dictionary words. When <code>dictcheck</code> is set to <code>1</code...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Characters
The pam_pwquality module's <code>difok</code> parameter sets the number of characters in a password that must not be present in and old password du...Rule Medium Severity -
number of days after a password expires until the account is permanently disabled
The number of days to wait after a password expires, until the account will be permanently disabled.Value -
Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only
The pam_pwquality module's <code>local_users_only</code> parameter controls requirements for enforcing password complexity by pam_pwquality only fo...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Enforce for root User
The pam_pwquality module's <code>enforce_for_root</code> parameter controls requirements for enforcing password complexity for the root user. Enabl...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
The pam_pwquality module's <code>maxclassrepeat</code> parameter controls requirements for consecutive repeating characters from the same character...Rule Medium Severity -
Set Password Maximum Consecutive Repeating Characters
The pam_pwquality module's <code>maxrepeat</code> parameter controls requirements for consecutive repeating characters. When set to a positive numb...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Categories
The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character t...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Length
The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xcc...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Special Characters
The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When s...Rule Medium Severity -
Ensure PAM password complexity module is enabled in password-auth
To enable PAM password complexity in password-auth file: Edit the <code>password</code> section in <code>/etc/pam.d/password-auth</code> to show <c...Rule Medium Severity -
Ensure PAM password complexity module is enabled in system-auth
To enable PAM password complexity in system-auth file: Edit the <code>password</code> section in <code>/etc/pam.d/system-auth</code> to show <code>...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
To configure the number of retry prompts that are permitted per-session: Edit the <code>/etc/security/pwquality.conf</code> to include <code>retr...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negati...Rule Medium Severity -
Set Password Hashing Algorithm
The system's default algorithm for storing password hashes in/etc/shadow
is SHA-512. This can be configured in several locations.Group -
Set Password Hashing Algorithm in /etc/libuser.conf
In <code>/etc/libuser.conf</code>, add or correct the following line in its <code>[defaults]</code> section to ensure the system will use the SHA-5...Rule Medium Severity -
warning days before password expires
The number of days' warning given before a password expires.Value -
Set Password Hashing Algorithm in /etc/login.defs
In <code>/etc/login.defs</code>, add or correct the following line to ensure the system will use <xccdf-1.2:sub idref="xccdf_org.ssgproject.content...Rule Medium Severity -
Set PAM''s Password Hashing Algorithm - password-auth
The PAM system service can be configured to only store encrypted representations of passwords. In <code>/etc/pam.d/password-auth</code>, the <code>...Rule Medium Severity -
Set PAM''s Password Hashing Algorithm
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the <code>password</cod...Rule Medium Severity -
Set Password Hashing Rounds in /etc/login.defs
In <code>/etc/login.defs</code>, ensure <code>SHA_CRYPT_MIN_ROUNDS</code> and <code>SHA_CRYPT_MAX_ROUNDS</code> has the minimum value of <code>5000...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.