tyler.durden
/
harbian-audit
mirror of https://github.com/hardenedlinux/harbian-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add description for 9.2.11

This commit is contained in:
samson 2018-11-07 17:46:12 +08:00
parent e0265d7517
commit 6b75454207
1 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
View File

@ -653,6 +653,31 @@ Configure the operating system to require the change of the number of repeating
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 maxclassrepeat=4 password requisite pam_cracklib.so retry=3 minlen=8 difok=3 maxclassrepeat=4
``` ```
## 9.2.11 Set deny times for Password Attempts (scored)
### Profile Applicability
Level 3
### Description
Accounts subject to three unsuccessful logon attempts must be deny login.
### Rationale
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
### Aduit
Check that the system deny an account for the maximum period after three unsuccessful logon attempts with the following command:
```
# grep -w "^auth.*pam_tally2.so.*deny" /etc/pam.d/common-auth
auth required pam_tally2.so deny=3 unlock_time=900 even_deny_root
```
If the "deny" setting is less than or equal to "3" on both lines with the "pam_tally2.so" module name or is missing from a line, this is a finding.
### Remediation
Configure the operating system to deny an account when three unsuccessful logon attempts are made. Modify "/etc/pam.d/common-auth" files to match the following lines:
```
auth required pam_tally2.so deny=3 unlock_time=900 even_deny_root
```
## 9.2.13 Set password creation requirement Parameters Using pam_unix: sha512 option (scored) ## 9.2.13 Set password creation requirement Parameters Using pam_unix: sha512 option (scored)
### Profile Applicability ### Profile Applicability