ANSSI-BP-028 (intermediary)
Rules and Groups employed by this XCCDF Profile
-
Limit Password Reuse
Do not allow users to reuse recent passwords. This can be accomplished by using therememberoption for thepam_unixorpam_pwhistoryPAM modules.Rule Medium Severity -
Set Deny For Failed Password Attempts
The SUSE Linux Enterprise 12 operating system must lock an account after - at most - <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_...Rule Medium Severity -
Configure the root Account lock for Failed Password Attempts via pam_tally2
This rule configures the system to lock out therootaccount after a number of incorrect login attempts usingpam_tally2.so.Rule Medium Severity -
Set Lockout Time for Failed Password Attempts using pam_tally2
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts usingpam_tally2.so.Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of...Group -
Set Password Quality Requirements, if using pam_cracklib
The <code>pam_cracklib</code> PAM module can be configured to meet requirements for a variety of policies. <br> <br> For example, to configure <code>pam_cracklib</code> to require at least...Group -
Set Password Strength Minimum Digit Characters
The pam_cracklib module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many d...Rule Medium Severity -
Set Password Strength Minimum Lowercase Characters
The pam_cracklib module's <code>lcredit=</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain...Rule Medium Severity -
Set Password Minimum Length
The pam_cracklib module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_valu...Rule Medium Severity -
Set Password Strength Minimum Special Characters
The pam_cracklib module's <code>ocredit=</code> parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be req...Rule Medium Severity -
Set Password Strength Minimum Uppercase Characters
The pam_cracklib module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain...Rule Medium Severity -
Set Password Quality Requirements with pam_pwquality
The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br> <br> For example, to configure <code>pam_pwquality</code> to require at lea...Group -
Set Password Hashing Algorithm
The system's default algorithm for storing password hashes in/etc/shadowis SHA-512. This can be configured in several locations.Group -
Set PAM''s Password Hashing Algorithm
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/common-password", the <code>password</code> section of the file controls which PAM modu...Rule Medium Severity -
Set Password Hashing Rounds in /etc/login.defs
In <code>/etc/login.defs</code>, ensure <code>SHA_CRYPT_MIN_ROUNDS</code> and <code>SHA_CRYPT_MAX_ROUNDS</code> has the minimum value of <code>5000</code>. For example: <pre>SHA_CRYPT_MIN_ROUNDS 50...Rule Medium Severity -
Protect Physical Console Access
It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. However, there are some...Group -
Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the <code>/etc/passwd</code> and <code>/etc/...Group -
Set Password Expiration Parameters
The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>login</code> consult <code>/etc/login.defs</code> ...Group -
Set Password Minimum Length in login.defs
To specify password length requirements for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_LEN <xccdf-1.2:sub idref="xccdf_org.ssgproj...Rule Medium Severity -
Restrict Root Logins
Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account, and then use <code>su</code> or <cod...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.