An XCCDF Group - A logical subset of the XCCDF Benchmark
/etc/pam.d
/etc/pam.d/login
/etc/pam.d/system-auth
/etc/security/opasswd
$ sudo grep pam_succeed_if /etc/pam.d/sudo
pam_lastlog
/etc/pam.d/postlogin
showfailed
session required pam_lastlog.so showfailed
silent
pam_faillock
/usr/share/doc/pam-VERSION/txts/README.pam_faillock
dir
remember
pam_pwhistory
authselect
authselect enable-feature with-pwhistory
/etc/security/pwhistory.conf
pam_unix
pam_faillock.so
/etc/security/faillock.conf
deny = <count>
authconfig
root
Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
fail_interval
fail_interval = <interval-in-seconds>
interval-in-seconds
unlock_time=<interval-in-seconds>
unlock_time
0
faillock
pam_pwquality
pam_pwquality(8)
pam_cracklib
password requisite pam_cracklib.so try_first_pass retry=3
password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
/etc/security/pwquality.conf
difok = 4 minlen = 14 dcredit = -1 ucredit = -1 lcredit = -1 ocredit = -1 maxrepeat = 3
dcredit
dictcheck
1
difok
enforce_for_root
lcredit
maxclassrepeat
maxrepeat
minclass
* Upper-case characters * Lower-case characters * Digits * Special characters (for example, punctuation)
minlen
minlen=
ocredit=
ocredit
password
/etc/pam.d/password-auth
password requisite pam_pwquality.so
retry=
ucredit=
ucredit
/etc/shadow
/etc/libuser.conf
[defaults]
crypt_style = sha512
/etc/login.defs
ENCRYPT_METHOD
pam_unix.so
sha512
password sufficient pam_unix.so sha512 other arguments...
SHA_CRYPT_MIN_ROUNDS
SHA_CRYPT_MAX_ROUNDS
5000
SHA_CRYPT_MIN_ROUNDS 5000 SHA_CRYPT_MAX_ROUNDS 5000