

harbian audit Debian Linux 9 Benchmark

5.7 Install screen (scored)

Profile Applicability

Level 4


A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The screen package allows for a session lock to be implemented and configured.


You can use the lock function of screen to lock the current terminal and prevent the current session from being closed by an idle timeout.


Verify that the operating system has the screen package installed with the following command:

# dpkg -s screen | grep '^Status: install'


Install the screen program (if it is not on the system) with the following command:

# apt-get install screen

The console can now be locked with the following key combination: ctrl+a x

8.5 Verify the integrity of all packages (scored)

Profile Applicability

Level 5


Without cryptographic integrity protections, system commands and files can be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hashes using asymmetric cryptography: the public key is distributed so that anyone can verify the hash, while the private key used to generate the signature is kept confidential.


Verify the integrity of all installed packages by checking the files they installed against the checksums recorded in the package database.


Run the following command to list files whose recorded checksum no longer matches (example output):

# dpkg -V 
??5?????? c /etc/sudoers
??5?????? c /etc/vim/vimrc


Run the following command to determine which package owns the file:

# dpkg -S <filename>

If the change was not made intentionally by the file's owner, the package can be reinstalled from the apt repository with the command:

# apt-get install --reinstall <packagename>
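As an added example (not part of the harbian-audit benchmark), a small shell helper that parses dpkg -V output and separates edited conffiles from modified non-conffile files, which are the ones that normally warrant a reinstall; the sample lines are constructed and the verdict names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the benchmark: classify dpkg -V output so a
# reviewer can separate expected conffile edits from modified files that
# should be reinstalled.
#
# dpkg -V prints one line per file that fails a check:
#   <9 flag chars> <'c' if the file is a conffile, else blank> <path>
# Position 3 of the flag string is '5' when the md5sum differs from the one
# recorded at install time; '?' means the check could not be carried out.

# Constructed sample output, modelled on the lines shown in the benchmark.
SAMPLE_DPKG_V='??5?????? c /etc/sudoers
??5?????? c /etc/vim/vimrc
??5??????   /usr/bin/sudo
?????????   /var/lib/foo'

# classify_dpkg_verify: reads dpkg -V lines on stdin and prints
#   <verdict> <path>
# where verdict is one of:
#   conffile-edited  md5 differs on a conffile (often a legitimate local edit;
#                    confirm the change with the owner before acting)
#   binary-modified  md5 differs on a non-conffile (unexpected; find the owner
#                    with "dpkg -S <path>" and reinstall that package)
#   unverified       no md5 mismatch recorded (the checks were inconclusive)
classify_dpkg_verify() {
    awk '
    NF >= 2 {
        flags    = $1
        path     = $NF
        conffile = (NF == 3 && $2 == "c")
        md5_bad  = (substr(flags, 3, 1) == "5")
        if (md5_bad && conffile)  verdict = "conffile-edited"
        else if (md5_bad)         verdict = "binary-modified"
        else                      verdict = "unverified"
        print verdict, path
    }'
}

# count_verdict <verdict>: number of sample lines that received that verdict.
count_verdict() {
    printf '%s\n' "$SAMPLE_DPKG_V" | classify_dpkg_verify | grep -c "^$1 "
}
```

On a live system pipe the real output in with `dpkg -V | classify_dpkg_verify` and review every binary-modified entry.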

9.2.1 Set password creation requirement Parameters Using pam_cracklib: retry option (scored)

Profile Applicability

Level 2


When a user enters a wrong password three times, an error is returned.


Limits repeated attempts at guessing a password.


The "retry" option sets the number of times a user may attempt to enter a password. Check for the value of the "retry" option in "/etc/pam.d/common-password" with the following command:

# grep retry /etc/pam.d/common-password 
password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3

If the value of "retry" is set to more than "3", this is a finding.


Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3 

9.2.2 Set password creation requirement Parameters Using pam_cracklib: minlen option (scored)

Profile Applicability

Level 2


Passwords must be a minimum of 14 characters in length.


The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.


Verify the operating system enforces a minimum 14-character password length. The "minlen" option sets the minimum number of characters in a new password. Check for the value of the "minlen" option in "/etc/pam.d/common-password" with the following command:

# grep minlen /etc/pam.d/common-password 
password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3 

If the command does not return a "minlen" value of 14 or greater, this is a finding.


Configure operating system to enforce a minimum 14-character password length. Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password	  requisite			pam_cracklib.so retry=3 minlen=14 difok=3

9.2.3 Set password creation requirement Parameters Using pam_cracklib: dcredit option (scored)

Profile Applicability

Level 2


When passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.


Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.


The value to require a number of numeric characters to be set is expressed as a negative number in "/etc/pam.d/common-password". Check the value for "dcredit" in "/etc/pam.d/common-password" with the following command:

# grep dcredit /etc/pam.d/common-password  
password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3  dcredit=-1

If the value of "dcredit" is not set to a negative value, this is a finding.


Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option. Add the following line to /etc/pam.d/common-password (or modify the line to have the required value):

password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3  dcredit=-1

9.2.4 Set password creation requirement Parameters Using pam_cracklib: ucredit option (scored)

Profile Applicability

Level 2


When passwords are changed or new passwords are established, the new password must contain at least one upper-case character.


Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.


The value to require a number of upper-case characters to be set is expressed as a negative number in "/etc/pam.d/common-password". Check the value for "ucredit" in "/etc/pam.d/common-password" with the following command:

# grep ucredit /etc/pam.d/common-password 
password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 

If the value of "ucredit" is not set to a negative value, this is a finding.


Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1

9.2.5 Set password creation requirement Parameters Using pam_cracklib: ocredit option (scored)

Profile Applicability

Level 2


When passwords are changed or new passwords are assigned, the new password must contain at least one special character.


Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.


Verify the operating system enforces password complexity by requiring that at least one special character be used. Note: The value to require a number of special characters to be set is expressed as a negative number in "/etc/pam.d/common-password". Check the value for "ocredit" in "/etc/pam.d/common-password" with the following command:

# grep ocredit /etc/pam.d/common-password 
password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3 ocredit=-1

If the value of "ocredit" is not set to a negative value, this is a finding.


Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3 ocredit=-1 

9.2.6 Set password creation requirement Parameters Using pam_cracklib: lcredit option (scored)

Profile Applicability

Level 2


When passwords are changed or new passwords are established, the new password must contain at least one lower-case character.


Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.


The value to require a number of lower-case characters to be set is expressed as a negative number in "/etc/pam.d/common-password". Check the value for "lcredit" in "/etc/pam.d/common-password" with the following command:

# grep lcredit /etc/pam.d/common-password 
password	   requisite			pam_cracklib.so retry=3 minlen=8 difok=3 lcredit=-1 

If the value of "lcredit" is not set to a negative value, this is a finding.


Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password  	requisite			pam_cracklib.so retry=3 minlen=8 difok=3 lcredit=-1 

9.2.7 Set password creation requirement Parameters Using pam_cracklib: difok option (scored)

Profile Applicability

Level 2


When passwords are changed, a minimum of eight of the total number of characters must be changed.


Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.


The "difok" option sets the number of characters in a password that must not be present in the old password. Check for the value of the "difok" option in "/etc/pam.d/common-password" with the following command:

# grep difok /etc/pam.d/common-password 
password  	requisite			pam_cracklib.so retry=3 minlen=8 difok=3

If the value of "difok" is set to less than "8", this is a finding.


Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password  	requisite			pam_cracklib.so retry=3 minlen=8 difok=8

9.2.8 Set password creation requirement Parameters Using pam_cracklib: minclass option (scored)

Profile Applicability

Level 2


When passwords are changed, the new password must contain a minimum of four character classes.


Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.


The "minclass" option sets the minimum number of required classes of characters for the new password (digits, upper-case, lower-case, others). Check for the value of the "minclass" option in "/etc/pam.d/common-password" with the following command:

# grep minclass /etc/pam.d/common-password
password  	requisite			pam_cracklib.so retry=3 minlen=8 difok=8 minclass=4

If the value of "minclass" is set to less than "4", this is a finding.


Configure the operating system to require at least four character classes in new passwords by setting the "minclass" option. Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password  	requisite			pam_cracklib.so retry=3 minlen=8 difok=8 minclass=4 

9.2.9 Set password creation requirement Parameters Using pam_cracklib: maxrepeat option (scored)

Profile Applicability

Level 2


When passwords are changed, the number of repeating consecutive characters must not be more than three.


Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.


The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password. Check for the value of the "maxrepeat" option in "/etc/pam.d/common-password" with the following command:

# grep maxrepeat /etc/pam.d/common-password 
password  	requisite			pam_cracklib.so retry=3 minlen=8 difok=8 maxrepeat=3

If the value of "maxrepeat" is set to more than "3", this is a finding.


Configure the operating system to limit the number of repeating consecutive characters in new passwords by setting the "maxrepeat" option. Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password  	requisite			pam_cracklib.so retry=3 minlen=8 difok=8 maxrepeat=3

9.2.10 Set password creation requirement Parameters Using pam_cracklib: maxclassrepeat option (scored)

Profile Applicability

Level 2


When passwords are changed, the number of consecutive characters from the same character class must not be more than four.


Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.


The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password. Check for the value of the "maxclassrepeat" option in "/etc/pam.d/common-password" with the following command:

# grep maxclassrepeat /etc/pam.d/common-password
password	requisite			pam_cracklib.so retry=3 minlen=8 difok=3 maxclassrepeat=4

If the value of "maxclassrepeat" is set to more than "4", this is a finding.


Configure the operating system to limit the number of consecutive characters from the same character class in new passwords by setting the "maxclassrepeat" option. Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password	requisite			pam_cracklib.so retry=3 minlen=8 difok=3 maxclassrepeat=4
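As an added example (not the benchmark's own code), a shell audit that checks one pam_cracklib line against all the thresholds of items 9.2.1 to 9.2.10 in a single pass instead of one grep per option; the sample lines are constructed, and treating an unset option as a finding is this example's assumption rather than the benchmark's rule.

```shell
#!/bin/sh
# Added example, not part of the benchmark: audit one pam_cracklib line from
# /etc/pam.d/common-password against the thresholds of items 9.2.1 to 9.2.10.
# Credit options (dcredit/ucredit/lcredit/ocredit) are only a hard requirement
# when negative: -1 means "at least one character of this class", while 0 or
# a positive value is a length credit and enforces nothing.
# Assumption of this example: an option that is not set at all is a finding.

# Constructed sample lines: one non-compliant, one compliant.
SAMPLE_PAM_LINE='password requisite pam_cracklib.so retry=5 minlen=8 difok=3 dcredit=0 ucredit=-1'
COMPLIANT_PAM_LINE='password requisite pam_cracklib.so retry=3 minlen=14 difok=8 minclass=4 maxrepeat=3 maxclassrepeat=4 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1'

# pam_opt <line> <name>: print the value of name=value on the line ("" if unset).
pam_opt() {
    printf '%s\n' "$1" | tr -s '[:blank:]' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# audit_cracklib_line <line>: print one "FINDING: ..." line per failed check;
# return 1 if any finding was produced, 0 if the line is compliant.
audit_cracklib_line() {
    line=$1
    rc=0
    case "$line" in
        *pam_cracklib.so*) ;;
        *) echo "FINDING: line does not reference pam_cracklib.so"; return 1 ;;
    esac
    # Each spec is "<option> <min> <max>"; "-" means that bound is not checked.
    for spec in 'retry - 3' 'minlen 14 -' 'difok 8 -' 'minclass 4 -' \
                'maxrepeat - 3' 'maxclassrepeat - 4' \
                'dcredit - -1' 'ucredit - -1' 'lcredit - -1' 'ocredit - -1'; do
        set -- $spec
        name=$1; min=$2; max=$3
        val=$(pam_opt "$line" "$name")
        if [ -z "$val" ]; then
            echo "FINDING: $name is not set"; rc=1; continue
        fi
        if [ "$min" != "-" ] && [ "$val" -lt "$min" ]; then
            echo "FINDING: $name=$val is below the required minimum of $min"; rc=1
        fi
        if [ "$max" != "-" ] && [ "$val" -gt "$max" ]; then
            echo "FINDING: $name=$val is above the allowed maximum of $max"; rc=1
        fi
    done
    return $rc
}

# count_findings <line>: number of findings produced for a line.
count_findings() {
    audit_cracklib_line "$1" | grep -c '^FINDING'
}
```

On a real host feed it the live line: `audit_cracklib_line "$(grep pam_cracklib.so /etc/pam.d/common-password)"`.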

9.2.13 Set password creation requirement Parameters Using pam_unix: sha512 option (scored)

Profile Applicability

Level 2


The PAM system service must be configured to store only encrypted representations of passwords.


Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.


Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. Check that the system is configured to create SHA512 hashed passwords with the following command:

# grep "password.*pam_unix.*sha512" /etc/pam.d/common-password    
password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512

If the "/etc/pam.d/common-password" configuration file allows password hashes other than, or weaker than, SHA512 to be used, this is a finding.


Configure the operating system to store only SHA512 encrypted representations of passwords. Add or update the following line in "/etc/pam.d/common-password":

password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512

9.2.14 Check that the auth config does not allow blank or null passwords using pam_unix (scored)

Profile Applicability

Level 2


The system must not have accounts configured with blank or null passwords.


If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.


To verify that null passwords cannot be used, run the following command:

# grep nullok /etc/pam.d/common-auth
# grep nullok_secure /etc/pam.d/common-auth

If this produces any output, it may be possible to log on with accounts with empty passwords. If null passwords can be used, this is a finding.


If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" to prevent logons with empty passwords. Remove the longer "nullok_secure" first; otherwise the first substitution turns it into a dangling "_secure" token. Use "-i" to edit in place ("-ie" is read by GNU sed as an in-place edit with the backup suffix "e", leaving a stray "common-authe" file):

# sed -i "s/nullok_secure//g" /etc/pam.d/common-auth
# sed -i "s/nullok//g" /etc/pam.d/common-auth

10.1.4 Set encrypt method (Scored)

Profile Applicability

Level 3


The shadow file must be configured to store only encrypted representations of passwords.


Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.


Verify the system's shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. Check that the system is configured to create SHA512 hashed passwords with the following command:

# grep -i encrypt /etc/login.defs

If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.


Configure the operating system to store only SHA512 encrypted representations of passwords. Add or update the following line in "/etc/login.defs":

ENCRYPT_METHOD SHA512

10.1.5 Set accounts minimum password lifetime (Scored)

Profile Applicability

Level 3


Passwords must be restricted to a 24 hours/1 day minimum lifetime.


Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.


Check whether the minimum time period between password changes for each user account is one day or greater.

# awk -F: '$4 < 1 {print $1}' /etc/shadow 

If any results are returned that are not associated with a system account, this is a finding.


Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:

# chage -m 1 [username]

10.1.6 Set accounts maximum password lifetime (Scored)

Profile Applicability

Level 3


Existing passwords must be restricted to a 60-day maximum lifetime.


Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.


Check whether the maximum time period for existing passwords is restricted to 60 days.

# awk -F: '$5 > 60 {print $1}' /etc/shadow 

If any results are returned that are not associated with a system account, this is a finding. Note that an empty fifth field means no maximum lifetime is set at all; the numeric comparison above does not match an empty field, so accounts with an empty maximum must also be reviewed.


Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.

# chage -M 60 [username]
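An added example, not from the benchmark, covering items 10.1.5 and 10.1.6 together: an awk-based check over constructed shadow records that also catches an empty maximum-lifetime field, which the one-line numeric comparison misses. Skipping locked accounts as a stand-in for "system accounts" is this example's assumption, and the hashes are placeholders.

```shell
#!/bin/sh
# Added example, not part of the benchmark: audit password ageing fields in
# /etc/shadow for items 10.1.5 (minimum lifetime >= 1 day) and 10.1.6
# (maximum lifetime <= 60 days). An EMPTY maximum field means "never
# expires"; the test $5 > 60 is a string comparison against "" and so does not
# report it, whereas this check does.
# Assumption: accounts that cannot log in with a password (password field
# empty or starting with "!" or "*") are skipped in place of the benchmark's
# "system account" exception.

# Constructed sample shadow records (hashes are placeholders, not real).
SAMPLE_SHADOW='root:$6$placeholderhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$placeholderhash:18000:1:60:7:::
bob:$6$placeholderhash:18000:0:60:7:::
carol:$6$placeholderhash:18000:1::7:::
dave:!$6$placeholderhash:18000:0:::::'

# audit_shadow_ageing: reads shadow records on stdin and prints
# "<user> <reason>" for every account that violates a lifetime rule.
audit_shadow_ageing() {
    awk -F: -v MIN_DAYS=1 -v MAX_DAYS=60 '
    # skip locked or passwordless accounts
    $2 == "" || $2 ~ /^[!*]/ { next }
    {
        # field 4: minimum days between changes (empty is treated as 0)
        if ($4 == "" || $4 + 0 < MIN_DAYS)
            print $1, "minimum lifetime is", ($4 == "" ? "unset" : $4), \
                  "(want >= " MIN_DAYS ")"
        # field 5: maximum days before a change is required
        if ($5 == "")
            print $1, "maximum lifetime is unset (password never expires)"
        else if ($5 + 0 > MAX_DAYS)
            print $1, "maximum lifetime is", $5, "(want <= " MAX_DAYS ")"
    }'
}

# shadow_findings_for <user>: number of findings for one user in the sample.
shadow_findings_for() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow_ageing | grep -c "^$1 "
}
```

Run it as root with `audit_shadow_ageing < /etc/shadow`; each reported user is then fixed with the chage commands above.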

10.1.7 Remove (replace) NOPASSWD with PASSWD in the sudoers config file (Scored)

Profile Applicability

Level 3


Users must provide a password for privilege escalation.


Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.


If passwords are not being used for authentication, this is Not Applicable. Verify the operating system requires users to supply a password for privilege escalation. Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:

# grep -i nopasswd /etc/sudoers /etc/sudoers.d/*

If any uncommented line is found with a "NOPASSWD" tag, this is a finding.


Replace any occurrences of "NOPASSWD" tags with "PASSWD" tags in the file.

10.1.8 Remove (replace) !authenticate with authenticate in the sudoers config file (Scored)

Profile Applicability

Level 3


Users must re-authenticate for privilege escalation.


Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.


Verify the operating system requires users to reauthenticate for privilege escalation. Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:

# grep -i authenticate /etc/sudoers /etc/sudoers.d/*

If any line is found with a "!authenticate" tag, this is a finding.


Replace any occurrences of "!authenticate" tags with "authenticate" tags in the file.
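As an added example for items 10.1.7 and 10.1.8 (not the benchmark's own code), a shell audit that ignores commented-out lines, which a plain "grep -i" would report, together with a matching remediation filter; the sudoers content is constructed, and treating "#" as the start of a comment is this example's simplification.

```shell
#!/bin/sh
# Added example, not part of the benchmark: audit and remediate sudoers
# content for items 10.1.7 (NOPASSWD) and 10.1.8 (!authenticate).
# "grep -i nopasswd" also matches commented-out lines, which the benchmark
# says are not findings, so comments are stripped before matching. Content is
# read on stdin so the same functions work for /etc/sudoers and every file
# under /etc/sudoers.d/.
# Assumption: "#" starts a comment ("#include"/"#includedir" directives carry
# no tags, so dropping them changes nothing here).

# Constructed sample sudoers content (line numbers appear in the output).
SAMPLE_SUDOERS='# Defaults !authenticate   <- commented out, so not a finding
Defaults env_reset
root    ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
%admin  ALL=(ALL) PASSWD: ALL
Defaults:backup !authenticate'

# audit_sudoers: print "<line-no> <tag>" for every uncommented line that
# carries a NOPASSWD tag or a !authenticate flag; prints nothing when clean.
audit_sudoers() {
    awk '
    { code = $0; sub("#.*", "", code) }             # strip comments
    toupper(code) ~ /NOPASSWD/      { print NR, "NOPASSWD" }
    tolower(code) ~ /!authenticate/ { print NR, "!authenticate" }
    '
}

# fix_sudoers: rewrite NOPASSWD to PASSWD and !authenticate to authenticate on
# uncommented lines only, leaving comment lines untouched. Write the result to
# a temporary file and validate it with "visudo -c -f <file>" before
# installing it over the original.
fix_sudoers() {
    sed -e '/^[[:space:]]*#/!s/NOPASSWD/PASSWD/g' \
        -e '/^[[:space:]]*#/!s/!authenticate/authenticate/g'
}

# sudoers_finding_count: number of findings in the sample content.
sudoers_finding_count() {
    printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers | awk 'END { print NR }'
}
```

For a full check run `for f in /etc/sudoers /etc/sudoers.d/*; do audit_sudoers < "$f" | sed "s|^|$f:|"; done` as root.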

10.1.9 Set FAIL_DELAY to delay the next login prompt after a failed login (Scored)

Profile Applicability

Level 2


The delay between logon prompts following a failed console logon attempt must be at least four seconds.


Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.


Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt. Check the value of the "delay" parameter in the "/etc/pam.d/login" file with the following command:

# grep -i delay /etc/pam.d/login
auth       optional   pam_faildelay.so delay=4000000

If the value of "delay" is not set to "4000000" or greater, this is a finding.


Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. Modify the "/etc/pam.d/login" file to set the "delay" parameter to "4000000" or greater:

auth       optional   pam_faildelay.so delay=4000000


Profile Applicability

Level 5



