Guide to the Secure Configuration of SUSE Linux Enterprise 15
Rules, Groups, and Values defined within the XCCDF Benchmark
-
faillock directory
The directory where the user files with the failure records are keptValue -
fail_interval
Interval for counting failed login attempts before account lockoutValue -
fail_unlock_time
Seconds before automatic unlocking or permanently locking after excessive failed loginsValue -
tally2_unlock_time
Seconds before automatic unlocking or permanently locking after excessive failed loginsValue -
faildelay_delay
Delay next login attempt after a failed loginValue -
pwhistory_remember
Prevent password re-use using password history lookupValue -
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Account Lockouts Must Persist
By setting a `dir` in the faillock configuration account lockouts will persist across reboots.Rule Medium Severity -
Limit Password Reuse
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code>...Rule Medium Severity -
Limit Password Reuse
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> or <...Rule Medium Severity -
Enforce Delay After Failed Logon Attempts
To configure the system to introduce a delay after failed logon attempts, add or correct the <code>pam_faildelay</code> settings in <code>/etc/pam....Rule Medium Severity -
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Set Deny For Failed Password Attempts
The SUSE Linux Enterprise 15 operating system must lock an account after - at most - <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xcc...Rule Medium Severity -
Configure the root Account lock for Failed Password Attempts via pam_tally2
This rule configures the system to lock out therootaccount after a number of incorrect login attempts usingpam_tally2.so.Rule Medium Severity -
Set Lockout Time for Failed Password Attempts using pam_tally2
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_tall...Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure pas...Group -
Set Password Quality Requirements, if using pam_cracklib
The <code>pam_cracklib</code> PAM module can be configured to meet requirements for a variety of policies. <br><br> For example, to configure <code...Group -
Set Password Strength Minimum Digit Characters
The pam_cracklib module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, an...Rule Medium Severity -
Set Password Strength Minimum Different Characters
The pam_cracklib module's <code>difok</code> parameter controls requirements for usage of different characters during a password change. The number...Rule Medium Severity -
Set Password Strength Minimum Lowercase Characters
The pam_cracklib module's <code>lcredit=</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.