An XCCDF Group - A logical subset of the XCCDF Benchmark
/etc/passwd
/etc/shadow
^(bin|oracle|sapadm)$
root
var_accounts_authorized_local_users_regex
$ sudo userdel unauthorized_user
NUM_DAYS
USER
$ sudo chage -I NUM_DAYS USER
-E
/etc/default/useradd
grep 'inactive\|pam_unix' /etc/pam.d/password-auth | grep -w auth
auth required pam_lastlog.so inactive=35
auth sufficient pam_unix.so
pam_unix.so
INACTIVE=
useradd
ACCOUNT_NAME
YYYY-MM-DD
$ sudo chage -E YYYY-MM-DD ACCOUNT_NAME
$ sudo chage -E YYYY-MM-DD USER
$ sudo getent passwd | awk -F: '{ print $1}' | sort | uniq -d
/etc/login.defs
passwd
su
login
login.defs(5)
PASS_MAX_DAYS
-M
PASS_MIN_DAYS
-m
PASS_WARN_AGE
-W
$ sudo chage -M 180 -m 7 -W 7 USER
PASS_MIN_LEN
15
12
pam_pwquality
$ sudo chage -M MAX_DAYS USER
$ sudo chage -m 1 USER
/etc/pam.d/system-auth
/etc/pam.d/password-auth
x
*
$ sudo cut -d: -f2 /etc/shadow
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
!
$6
rounds
pam_unix
rounds=
password sufficient pam_unix.so ...existing_options... rounds=
nullok
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
$ sudo passwd [username]
$ sudo passwd -l [username]
+
/etc/group
.netrc
sudo
/etc/securetty
/dev/console
/dev/tty*
/dev/vc/*
$ sudo sh -c 'echo > /etc/securetty'
1000
halt
sync
shutdown
nfsnobody
$ sudo usermod -L account
$ sudo usermod -s /sbin/nologin account
ttyS0 ttyS1
~/.profile
~/.bashrc
PATH
vc/1 vc/2 vc/3 vc/4
wheel
/etc/pam.d/su
auth required pam_wheel.so use_uid