Bladeren bron

CIS 5.4.1.x

* CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
* CIS 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
* CIS 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
* CIS 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)

Related-Prod: PROD-18386

Change-Id: I42697c31823c631acb1528ca917b39c069fb72bf
pull/170/head
Dmitry Teselkin 6 jaren geleden
bovenliggende
commit
bf79ba4369
5 gewijzigde bestanden met toevoegingen van 211 en 0 verwijderingen
  1. +52
    -0
      metadata/service/system/cis/cis-5-4-1-1.yml
  2. +52
    -0
      metadata/service/system/cis/cis-5-4-1-2.yml
  3. +52
    -0
      metadata/service/system/cis/cis-5-4-1-3.yml
  4. +51
    -0
      metadata/service/system/cis/cis-5-4-1-4.yml
  5. +4
    -0
      metadata/service/system/cis/init.yml

+ 52
- 0
metadata/service/system/cis/cis-5-4-1-1.yml Bestand weergeven

@@ -0,0 +1,52 @@
# CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
#
# Description
# ===========
# The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to
# force passwords to expire once they reach a defined age. It is recommended
# that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days.
#
# Rationale
# =========
# The window of opportunity for an attacker to leverage compromised credentials
# or successfully compromise credentials via an online brute force attack is
# limited by the age of the password. Therefore, reducing the maximum age of a
# password also reduces an attacker's window of opportunity.
#
# Audit
# =====
# Run the following command and verify PASS_MAX_DAYS is 90 or less:
#
# # grep PASS_MAX_DAYS /etc/login.defs
# PASS_MAX_DAYS 90
#
# Verify all users with a password have their maximum days between password
# change set to 90 or less:
#
# # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
# <list of users>
# # chage --list <user>
# Maximum number of days between password change: 90
#
# Remediation
# ===========
# Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs :
#
# PASS_MAX_DAYS 90
#
# Modify user parameters for all users with a password set to match:
#
# # chage --maxdays 90 <user>
#
# Notes
# =====
# You can also check this setting in /etc/shadow directly. The 5th field
# should be 90 or less for all users with a password.
#
parameters:
linux:
system:
login_defs:
PASS_MAX_DAYS:
value: 90


+ 52
- 0
metadata/service/system/cis/cis-5-4-1-2.yml Bestand weergeven

@@ -0,0 +1,52 @@
# CIS 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
#
# Description
# ===========
# The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to
# prevent users from changing their password until a minimum number of days
# have passed since the last time the user changed their password. It is
# recommended that PASS_MIN_DAYS parameter be set to 7 or more days.
#
# Rationale
# =========
# By restricting the frequency of password changes, an administrator can
# prevent users from repeatedly changing their password in an attempt to
# circumvent password reuse controls.
#
# Audit
# =====
# Run the following command and verify PASS_MIN_DAYS is 7 or more:
#
# # grep PASS_MIN_DAYS /etc/login.defs
# PASS_MIN_DAYS 7
#
# Verify all users with a password have their minimum days between password
# change set to 7 or more:
#
# # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
# <list of users>
# # chage --list <user>
# Minimum number of days between password change: 7
#
# Remediation
# ===========
# Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs :
#
# PASS_MIN_DAYS 7
#
# Modify user parameters for all users with a password set to match:
#
# # chage --mindays 7 <user>
#
# Notes
# =====
# You can also check this setting in /etc/shadow directly. The 5th field
# should be 7 or more for all users with a password.
#
parameters:
linux:
system:
login_defs:
PASS_MIN_DAYS:
value: 7


+ 52
- 0
metadata/service/system/cis/cis-5-4-1-3.yml Bestand weergeven

@@ -0,0 +1,52 @@
# CIS 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
#
# Description
# ===========
# The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to
# notify users that their password will expire in a defined number of days.
# It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days.
#
# Rationale
# =========
# Providing an advance warning that a password will be expiring gives users
# time to think of a secure password. Users caught unaware may choose a simple
# password or write it down where it may be discovered.
#
# Audit
# =====
# Run the following command and verify PASS_WARN_AGE is 7 or more:
#
# # grep PASS_WARN_AGE /etc/login.defs
# PASS_WARN_AGE 7
#
# Verify all users with a password have their number of days of warning before
# password expires set to 7 or more:
#
# # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
# <list of users>
# # chage --list <user>
# Number of days of warning before password expires: 7
#
# Remediation
# ===========
#
# Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs :
#
# PASS_WARN_AGE 7
#
# Modify user parameters for all users with a password set to match:
#
# # chage --warndays 7 <user>
#
# Notes
# =====
# You can also check this setting in /etc/shadow directly. The 6th field
# should be 7 or more for all users with a password.
#
parameters:
linux:
system:
login_defs:
PASS_WARN_AGE:
value: 7


+ 51
- 0
metadata/service/system/cis/cis-5-4-1-4.yml Bestand weergeven

@@ -0,0 +1,51 @@
# CIS 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
#
# Description
# ===========
# User accounts that have been inactive for over a given period of time can be
# automatically disabled. It is recommended that accounts that are inactive
# for 30 days after password expiration be disabled.
#
# Rationale
# =========
# Inactive accounts pose a threat to system security since the users are not
# logging in to notice failed login attempts or other anomalies.
#
# Audit
# =====
# Run the following command and verify INACTIVE is 30 or less:
#
# # useradd -D | grep INACTIVE
# INACTIVE=30
#
# Verify all users with a password have Password inactive no more than 30 days
# after password expires:
#
# # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
# <list of users>
# # chage --list <user>
# Password inactive: <date>
#
# Remediation
# ===========
# Run the following command to set the default password inactivity period to
# 30 days:
#
# # useradd -D -f 30
#
# Modify user parameters for all users with a password set to match:
#
# # chage --inactive 30 <user>
#
# Notes
# =====
# You can also check this setting in /etc/shadow directly. The 7th field
# should be 30 or less for all users with a password.
#
parameters:
linux:
system:
login_defs:
INACTIVE:
value: 30


+ 4
- 0
metadata/service/system/cis/init.yml Bestand weergeven

@@ -31,6 +31,10 @@ classes:
- service.linux.system.cis.cis-3-5-2
- service.linux.system.cis.cis-3-5-3
- service.linux.system.cis.cis-3-5-4
- service.linux.system.cis.cis-5-4-1-1
- service.linux.system.cis.cis-5-4-1-2
- service.linux.system.cis.cis-5-4-1-3
- service.linux.system.cis.cis-5-4-1-4
- service.linux.system.cis.cis-6-1-2
- service.linux.system.cis.cis-6-1-3
- service.linux.system.cis.cis-6-1-4

Laden…
Annuleren
Opslaan