From f177061f81267b771297d8192234c931f689458c Mon Sep 17 00:00:00 2001
From: rchikov
Date: Tue, 16 May 2023 16:06:38 +0200
Subject: [PATCH 1/2] SLE 12/15 profile updates
---
 controls/anssi.yml | 5 +++++
 controls/pcidss_4.yml | 4 ++++
 products/sle15/profiles/pcs-hardening.profile | 5 +++++
 products/sle15/profiles/stig.profile | 5 +++++
 4 files changed, 19 insertions(+)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index ddcbc880fa0..815daf010e3 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -733,20 +733,25 @@ controls:
 # Ensure passwords with minimum of 18 characters
 - var_password_pam_minlen=18
 - accounts_password_pam_minlen
+ - cracklib_accounts_password_pam_minlen
 # Enforce password lenght for new accounts
 - var_accounts_password_minlen_login_defs=18
 - accounts_password_minlen_login_defs
 # Require at Least 1 Special Character in Password
 - var_password_pam_ocredit=1
 - accounts_password_pam_ocredit
+ - cracklib_accounts_password_pam_ocredit
 # Require at Least 1 Numeric Character in Password
 - var_password_pam_dcredit=1
+ - cracklib_accounts_password_pam_dcredit
 - accounts_password_pam_dcredit
 # Require at Least 1 Uppercase Character in Password
 - var_password_pam_ucredit=1
 - accounts_password_pam_ucredit
+ - cracklib_accounts_password_pam_ucredit
 # Require at Least 1 Lowercase Character in Password
 - var_password_pam_lcredit=1
+ - cracklib_accounts_password_pam_lcredit
 - accounts_password_pam_lcredit
 # Lock out users after 3 failed authentication attempts within 15 min
diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
index 9ea4a56eb97..c4ce21f970b 100644
--- a/controls/pcidss_4.yml
+++ b/controls/pcidss_4.yml
@@ -1573,7 +1573,11 @@ controls:
 - base
 status: automated
 rules:
+ - var_password_pam_dcredit=1
 - var_password_pam_lcredit=1
+ - var_password_pam_minlen=14
+ - var_password_pam_ocredit=1
+ - var_password_pam_ucredit=1
 - accounts_password_pam_ucredit
 - accounts_password_pam_dcredit
 - accounts_password_pam_lcredit
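Review bot: The new `cracklib_accounts_password_pam_*` entries in the controls/anssi.yml hunk are ordered inconsistently relative to their `accounts_password_pam_*` counterparts: for minlen, ocredit and ucredit the cracklib rule follows the existing rule, while for dcredit and lcredit it precedes it. Keeping one order, e.g. `- accounts_password_pam_dcredit` then `- cracklib_accounts_password_pam_dcredit`, makes it easier to audit that each complexity requirement carries both checks. This control file sits outside products/sle15, so it presumably feeds other products' profiles too; a comment such as `# cracklib_* rules cover products that use pam_cracklib rather than pam_pwquality` would record why both rule families are listed. Whether the cracklib rules are restricted to those products is not visible in this hunk.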
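Review bot: `var_password_pam_minlen=14` and `var_password_pam_ocredit=1` are set in the controls/pcidss_4.yml hunk, but the only rules visible after them are `accounts_password_pam_ucredit`, `accounts_password_pam_dcredit` and `accounts_password_pam_lcredit`. A variable only has an effect when a rule that reads it is selected, and the rules list continues past the end of the hunk. Please confirm that `accounts_password_pam_minlen` and `accounts_password_pam_ocredit` appear further down; if they do not, the length and special-character settings would go unenforced without any error.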
diff --git a/products/sle15/profiles/pcs-hardening.profile b/products/sle15/profiles/pcs-hardening.profile
index fb0e6d66cf0..b4fea38798b 100644
--- a/products/sle15/profiles/pcs-hardening.profile
+++ b/products/sle15/profiles/pcs-hardening.profile
@@ -19,6 +19,11 @@ selections:
 - var_accounts_fail_delay=4
 - var_accounts_tmout=15_min
 - inactivity_timeout_value=15_minutes
+ - var_password_pam_dcredit=1
+ - var_password_pam_lcredit=1
+ - var_password_pam_minlen=15
+ - var_password_pam_ocredit=1
+ - var_password_pam_ucredit=1
 - sshd_idle_timeout_value=15_minutes
 - var_sudo_timestamp_timeout=always_prompt
 - var_password_pam_unix_remember=5
diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile
index 53a6a8971d9..fab6a7d5c22 100644
--- a/products/sle15/profiles/stig.profile
+++ b/products/sle15/profiles/stig.profile
@@ -19,6 +19,11 @@ selections:
 - var_accounts_fail_delay=4
 - var_accounts_tmout=15_min
 - inactivity_timeout_value=15_minutes
+ - var_password_pam_dcredit=1
+ - var_password_pam_lcredit=1
+ - var_password_pam_minlen=15
+ - var_password_pam_ocredit=1
+ - var_password_pam_ucredit=1
 - var_sudo_timestamp_timeout=always_prompt
 - var_password_pam_unix_remember=5
 - var_accounts_maximum_age_login_defs=60
From 05b1bf4b07c270b5e6babc15801e6ba3325ace80 Mon Sep 17 00:00:00 2001
From: rchikov
Date: Mon, 22 May 2023 08:35:33 +0200
Subject: [PATCH 2/2] Change of variable settings for PCI DSS
---
 controls/pcidss_4.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
index c4ce21f970b..d1a87e96b10 100644
--- a/controls/pcidss_4.yml
+++ b/controls/pcidss_4.yml
@@ -1575,7 +1575,7 @@ controls:
 rules:
 - var_password_pam_dcredit=1
 - var_password_pam_lcredit=1
- - var_password_pam_minlen=14
+ - var_password_pam_minlen=12
 - var_password_pam_ocredit=1
 - var_password_pam_ucredit=1
 - accounts_password_pam_ucredit
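Review bot: The selector in `var_password_pam_dcredit=1` (and in the lcredit, ocredit and ucredit lines) of the pcs-hardening.profile hunk is easy to misread as a literal PAM credit of 1. In pam_pwquality and pam_cracklib a positive credit relaxes the length requirement, and only a negative value requires a character class. Presumably the selector `1` resolves to `-1` in the variable definitions, which are not part of this patch, so that should be confirmed and a comment added above the block, e.g. `# selectors: 1 = require at least one character of the class`. The five lines also land between `inactivity_timeout_value` and `sshd_idle_timeout_value`, splitting the timeout settings; placing them beside `var_password_pam_unix_remember=5` would keep the password policy together. The identical block in the stig.profile hunk raises the same points, and although the subject mentions SLE 12, only sle15 profiles appear in the diffstat.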
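Review bot: Lowering `var_password_pam_minlen` from 14 to 12 in patch 2/2 weakens the value set in patch 1/2, and neither the file nor the commit message says why. If the intent is to match the standard's stated minimum (PCI DSS v4.0 requirement 8.3.6 specifies 12 characters), record that on the line above, e.g. `# PCI DSS v4.0 8.3.6: minimum password length 12`. The control this rules list belongs to starts outside the hunk, so the reference should be confirmed against it. It is also worth confirming that `12` is a defined selector for the variable, since the other files in this series use 15 and 18.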