From 2df02e3988525eee8360db1e829655a761adb461 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Mon, 19 Oct 2020 17:25:05 +0200

Subject: [PATCH 1/2] var pam unix remember, add selector

Add selector "2" to var_password_pam_unix_remember.

---

 .../accounts/accounts-pam/var_password_pam_unix_remember.var     | 1 +

 1 file changed, 1 insertion(+)

diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var

index f533a36963..6e7abb3b78 100644

--- a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var

+++ b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var

@@ -18,6 +18,7 @@ options:

     "0": "0"

     10: 10

     24: 24

+    2: 2

     4: 4

     5: 5

     default: 5

From 5503605d2f9e56b07686a9f1f2f3f8418e61b8cb Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Mon, 19 Oct 2020 17:29:47 +0200

Subject: [PATCH 2/2] Select rules for password strenght management

Rule selection is based on ANSSI DAT-NT-001

---

 controls/anssi.yml                            | 45 ++++++++++++++++++-

 .../var_password_pam_minlen.var               |  2 +

 ...ar_accounts_password_minlen_login_defs.var |  2 +

 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/controls/anssi.yml b/controls/anssi.yml

index 26bc7f4694..3ccd0f8cb3 100644

--- a/controls/anssi.yml

+++ b/controls/anssi.yml

@@ -281,7 +281,50 @@ controls:

   - id: R18

     level: minimal

     title: Administrator password robustness

-    # rules: TBD

+    notes: >-

+      The rules selected below establish a general password strength baseline of 100 bits,

+      inspired by DAT-NT-001 and the "Password Strenght Calculator"

+      (https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/).

+

+      The baseline should be reviewed and tailored to the system's use case and needs.

+    automated: partially

+    rules:

+    # Renew passwords every 90 days

+    - var_accounts_maximum_age_login_defs=90

+    - accounts_maximum_age_login_defs

+

+    # Ensure passwords with minimum of 18 characters

+    - var_password_pam_minlen=18

+    - accounts_password_pam_minlen

+    # Enforce password lenght for new accounts

+    - var_accounts_password_minlen_login_defs=18

+    - accounts_password_minlen_login_defs

+    # Require at Least 1 Special Character in Password

+    - var_password_pam_ocredit=1

+    - accounts_password_pam_ocredit

+    # Require at Least 1 Numeric Character in Password

+    - var_password_pam_dcredit=1

+    - accounts_password_pam_dcredit

+    # Require at Least 1 Uppercase Character in Password

+    - var_password_pam_ucredit=1

+    - accounts_password_pam_ucredit

+    # Require at Least 1 Lowercase Character in Password

+    - var_password_pam_lcredit=1

+    - accounts_password_pam_lcredit

+

+    # Lock out users after 3 failed authentication attempts within 15 min

+    - var_accounts_passwords_pam_faillock_fail_interval=900

+    - accounts_passwords_pam_faillock_interval

+    - var_accounts_passwords_pam_faillock_deny=3

+    - accounts_passwords_pam_faillock_deny

+    - accounts_passwords_pam_faillock_deny_root

+    # Automatically unlock users after 15 min to prevent DoS

+    - var_accounts_passwords_pam_faillock_unlock_time=900

+    - accounts_passwords_pam_faillock_unlock_time

+

+    # Do not reuse last two passwords

+    - var_password_pam_unix_remember=2

+    - accounts_password_pam_unix_remember

   - id: R19

     level: intermediary

diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var

index f506a090bb..873d907ab9 100644

--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var

+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var

@@ -15,6 +15,8 @@ options:

     12: 12

     14: 14

     15: 15

+    18: 18

+    20: 20

     6: 6

     7: 7

     8: 8

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var

index f41ff432ec..662c53b076 100644

--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var

+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var

@@ -13,6 +13,8 @@ options:

     12: 12

     14: 14

     15: 15

+    18: 18

+    20: 20

     6: 6

     8: 8

     default: 15