An XCCDF Group - A logical subset of the XCCDF Benchmark
/etc/pam.d
/etc/pam.d/login
/etc/pam.d/system-auth
/etc/security/opasswd
$ sudo grep pam_succeed_if /etc/pam.d/sudo
pam_lastlog
/etc/pam.d/postlogin
showfailed
session [default=1] pam_lastlog.so showfailed
silent
pam_faillock
/usr/share/doc/pam-VERSION/txts/README.pam_faillock
pam_pwquality
pam_pwquality(8)
pam_cracklib
password requisite pam_cracklib.so try_first_pass retry=3
password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
/etc/security/pwquality.conf
difok = 4 minlen = 14 dcredit = -1 ucredit = -1 lcredit = -1 ocredit = -1 maxrepeat = 3
/etc/shadow
cac
default
other
/etc/passwd
^(bin|oracle|sapadm)$
root
NUM_DAYS
USER
$ sudo chage -I NUM_DAYS USER
-E
/etc/default/useradd
$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
/etc/login.defs
passwd
su
login
login.defs(5)
PASS_MAX_DAYS
-M
PASS_MIN_DAYS
-m
PASS_WARN_AGE
-W
$ sudo chage -M 180 -m 7 -W 7 USER
PASS_MIN_LEN
15
12
/etc/pam.d/password-auth
x
*
nullok
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
$ sudo passwd [username]
$ sudo passwd -l [username]
.netrc
sudo
/etc/securetty
/dev/console
/dev/tty*
/dev/vc/*
$ sudo echo > /etc/securetty
ttyS0 ttyS1
vc/1 vc/2 vc/3 vc/4
FAIL_DELAY
/etc/security/limits.conf
/etc/security/limits.d/
* hard maxlogins
$ sudo mkdir --mode 000 /tmp/tmp-inst
/etc/security/namespace.conf
/tmp /tmp/tmp-inst/ level root,adm
$ sudo mkdir --mode 000 /var/tmp/tmp-inst
/var/tmp /var/tmp/tmp-inst/ level root,adm
# ls -ld /home/USER
# chmod g-w /home/USER # chmod o-rwx /home/USER
# echo $PATH
.
# ls -ld DIR
..
/
PATH=:/bin PATH=/bin: PATH=/bin::/sbin
umask
UMASK
/etc/profile
/etc/profile.d