From a40e97bfc03f2e24fb882cddded5d2e36f40e5f5 Mon Sep 17 00:00:00 2001
From: Maik Stuebner
Date: Wed, 21 Jul 2021 14:26:43 +0200
Subject: [PATCH 1/3] Add Configuration of password remember and set default to 60

see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46

Signed-off-by: Maik Stuebner
---
 roles/os_hardening/README.md | 3 +++
 roles/os_hardening/defaults/main.yml | 1 +
 roles/os_hardening/templates/etc/pam.d/rhel_auth.j2 | 2 +-
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
index 000941976..fe4541ab4 100644
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@@ -106,6 +106,9 @@ We know that this is the case on Raspberry Pi.
 - `os_auth_pw_min_age`
 - Default: `7`
 - Description: minimum password age (before allowing any other password change).
+- `os_auth_pw_remember`
+ - Default: `60`
+ - Description: how many used passwords are record.
 - `os_auth_retries`
 - Default: `5`
 - Description: the maximum number of authentication attempts, before the account is locked for some time.
diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
index 2e7c27819..935f2d374 100644
--- a/roles/os_hardening/defaults/main.yml
+++ b/roles/os_hardening/defaults/main.yml
@@ -3,6 +3,7 @@ os_desktop_enable: false
 os_env_extra_user_paths: []
 os_auth_pw_max_age: 60
 os_auth_pw_min_age: 7 # Discourage password cycling
+os_auth_pw_remember: 60 # Specify how many used passwords are record
 os_auth_retries: 5
 os_auth_lockout_time: 600 # Seconds (600 = 10min)
 os_auth_timeout: 60
diff --git a/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2 b/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
index 21d54fcf6..676251559 100644
--- a/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
+++ b/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
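Review bot: The comment on the added `os_auth_pw_remember: 60` line in the defaults/main.yml hunk, `# Specify how many used passwords are record`, is ungrammatical and does not say what the number actually controls; the identical wording is repeated on the `+` line of the defaults/main.yml hunk in PATCH 2/3 and, as `are record`, in the README hunk of this patch. Since the rhel_auth.j2 hunk later in this series renders the value as the `remember=` argument of pam_pwhistory.so, I would anchor the comment to that: `os_auth_pw_remember: 60 # Previous passwords pam_pwhistory keeps (remember=) to block reuse`. This commit also ships the default as 60 while the very next commit in the series puts it back to 5; if the series is still being reworked, squashing the two avoids a revision whose effective default flips, and a short comment on why 5 was chosen over the cited SoC requirement would save the next reader a trip through git history.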
@@ -36,7 +36,7 @@ account required pam_permit.so
 password requisite pam_pwquality.so {{ os_auth_pam_pwquality_options }}
 {% endif %}
 {# NSA 2.3.3.6 Limit Password Reuse #}
-password requisite pam_pwhistory.so remember=5 use_authtok
+password requisite pam_pwhistory.so remember={{ os_auth_pw_remember }} use_authtok
 {# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 #}
 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok rounds={{ os_sha_crypt_min_rounds }}
 {% if (os_auth_pam_sssd_enable | bool) %}

From cfb7817c232d1eadfa70ce2236dc955b7e1e6969 Mon Sep 17 00:00:00 2001
From: Maik Stuebner
Date: Thu, 22 Jul 2021 09:38:10 +0200
Subject: [PATCH 2/3] set default for password remember back to 5

Signed-off-by: Maik Stuebner
---
 roles/os_hardening/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
index 935f2d374..95906dd6c 100644
--- a/roles/os_hardening/defaults/main.yml
+++ b/roles/os_hardening/defaults/main.yml
@@ -3,7 +3,7 @@ os_desktop_enable: false
 os_env_extra_user_paths: []
 os_auth_pw_max_age: 60
 os_auth_pw_min_age: 7 # Discourage password cycling
-os_auth_pw_remember: 60 # Specify how many used passwords are record
+os_auth_pw_remember: 5 # Specify how many used passwords are record
 os_auth_retries: 5
 os_auth_lockout_time: 600 # Seconds (600 = 10min)
 os_auth_timeout: 60

From dc2c68038961a9e1dd9c290661ef28ca1dfa0779 Mon Sep 17 00:00:00 2001
From: Maik Stuebner
Date: Thu, 22 Jul 2021 09:52:39 +0200
Subject: [PATCH 3/3] readme default for password remember back to 5

Signed-off-by: Maik Stuebner
---
 roles/os_hardening/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
index fe4541ab4..5897d0f3e 100644
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
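Review bot: The added `remember={{ os_auth_pw_remember }}` line in rhel_auth.j2 interpolates the variable into the pam_pwhistory control line with no type check, so an override that is empty, non-numeric or carries trailing text is written into the rendered /etc/pam.d file as-is and can leave the password stack with a malformed or unintended module argument. Rendering it as `remember={{ os_auth_pw_remember | int }}`, or adding an assert task to the role such as `that: os_auth_pw_remember | int > 0`, makes the play fail instead of producing a broken PAM file; as I recall from pam_pwhistory(8), `remember=0` means "leave the existing history unchanged", which amounts to no reuse enforcement, so the lower bound matters for the hardening intent and is worth stating in the README entry. The `{% if %}`/`{% endif %}` block this line sits in and the rest of the password stack begin and end outside the hunk. Only the RHEL template is changed here; if the role's other PAM templates also carry a hard-coded `remember=5`, they should read the same variable, but that is not visible from this diff.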
@@ -107,7 +107,7 @@ We know that this is the case on Raspberry Pi.
 - Default: `7`
 - Description: minimum password age (before allowing any other password change).
 - `os_auth_pw_remember`
- - Default: `60`
+ - Default: `5`
 - Description: how many used passwords are record.
 - `os_auth_retries`
 - Default: `5`