tyler.durden
/
harbian-audit
mirror of https://github.com/hardenedlinux/harbian-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/hardenedlinux/harbian-audit

This commit is contained in:
Samson-W 2018-09-13 03:45:40 +08:00
parent bc76a18fbc 8fcc916a07
commit afde20dd49
1 changed files with 50 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
View File

@ -352,7 +352,56 @@ If the "/etc/login.defs" configuration file does not exist or allows for passwor
Configure the operating system to store only SHA512 encrypted representations of passwords. Add or update the following line in "/etc/login.defs":
```
ENCRYPT_METHOD SHA512
````
```
## 10.1.5 Set accounts minimum password lifetime (Scored)
### Profile Applicability
Level 3
### Description
Passwords must be restricted to a 24 hours/1 day minimum lifetime.
### Rationale
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
### Aduit
Check whether the minimum time period between password changes for each user account is one day or greater.
```
# awk -F: '$4 < 1 {print $1}' /etc/shadow
```
If any results are returned that are not associated with a system account, this is a finding.
### Remediation
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
```
# chage -m 1 [username]
```
## 10.1.6 Set accounts maximum password lifetime (Scored)
### Profile Applicability
Level 3
### Description
Existing passwords must be restricted to a 60-day maximum lifetime.
### Rationale
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
### Aduit
Check whether the maximum time period for existing passwords is restricted to 60 days.
```
# awk -F: '$5 > 60 {print $1}' /etc/shadow
```
If any results are returned that are not associated with a system account, this is a finding.
### Remediation
Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.
```
# chage -M 60 [username]
```
template