Merge pull request ComplianceAsCode#6539 from yuumasato/ANSSI_R18-password-robustness

Anssi R18 password robustness
matejak authored Jan 21, 2021
2 parents b12d9dc + 5503605 commit e7476fe
Showing 4 changed files with 49 additions and 1 deletion.
45 changes: 44 additions & 1 deletion controls/anssi.yml
@@ -281,7 +281,50 @@ controls:
- id: R18
level: minimal
title: Administrator password robustness
# rules: TBD
notes: >-
The rules selected below establish a general password strength baseline of 100 bits,
inspired by DAT-NT-001 and the "Password Strenght Calculator"
(https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/).
The baseline should be reviewed and tailored to the system's use case and needs.
automated: partially
rules:
# Renew passwords every 90 days
- var_accounts_maximum_age_login_defs=90
- accounts_maximum_age_login_defs

# Ensure passwords with minimum of 18 characters
- var_password_pam_minlen=18
- accounts_password_pam_minlen
# Enforce password lenght for new accounts
- var_accounts_password_minlen_login_defs=18
- accounts_password_minlen_login_defs
# Require at Least 1 Special Character in Password
- var_password_pam_ocredit=1
- accounts_password_pam_ocredit
# Require at Least 1 Numeric Character in Password
- var_password_pam_dcredit=1
- accounts_password_pam_dcredit
# Require at Least 1 Uppercase Character in Password
- var_password_pam_ucredit=1
- accounts_password_pam_ucredit
# Require at Least 1 Lowercase Character in Password
- var_password_pam_lcredit=1
- accounts_password_pam_lcredit

# Lock out users after 3 failed authentication attempts within 15 min
- var_accounts_passwords_pam_faillock_fail_interval=900
- accounts_passwords_pam_faillock_interval
- var_accounts_passwords_pam_faillock_deny=3
- accounts_passwords_pam_faillock_deny
- accounts_passwords_pam_faillock_deny_root
# Automatically unlock users after 15 min to prevent DoS
- var_accounts_passwords_pam_faillock_unlock_time=900
- accounts_passwords_pam_faillock_unlock_time

# Do not reuse last two passwords
- var_password_pam_unix_remember=2
- accounts_password_pam_unix_remember

- id: R19
level: intermediary
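Review bot: the four `*credit=1` selections need to be checked against the variable definitions before this merges. In pam_pwquality a positive `dcredit`, `ucredit`, `lcredit` or `ocredit` value is a maximum credit counted toward `minlen`, and only a negative value (for example `ocredit=-1`) enforces a minimum number of characters from that class; so the option key `1` must resolve to `-1` in the corresponding `.var` files for the comments "Require at Least 1 Special Character in Password" and its siblings to be true, otherwise the character-class part of the 100-bit baseline described in `notes` is not enforced at all. Two typos in text that becomes profile documentation: `"Password Strenght Calculator"` should be `"Password Strength Calculator"`, and `# Enforce password lenght for new accounts` should read `length`. Since the control is marked `automated: partially`, the `notes` block should also state which part of R18 remains a manual check, so a reader of the rendered guide knows what still has to be reviewed by hand. The lockout block is internally consistent (`fail_interval=900`, `deny=3`, `deny_root`, `unlock_time=900` match the "3 attempts within 15 min, unlock after 15 min" comments), as is `remember=2` for "Do not reuse last two passwords".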
@@ -15,6 +15,8 @@ options:
12: 12
14: 14
15: 15
18: 18
20: 20
6: 6
7: 7
8: 8
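Review bot: the new `18: 18` and `20: 20` keys follow this file's existing string-sorted key order (`15`, `18`, `20`, `6`), so placement is fine; note that only `18` is referenced from controls/anssi.yml (`var_password_pam_minlen=18`), leaving `20` as an unselected option. That is harmless, but if it is being added for a future profile it is worth saying so in the PR description, and the rendered page does not show this hunk's file name, so the reviewer has to infer from the control file which variable is being extended.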
@@ -18,6 +18,7 @@ options:
"0": "0"
10: 10
24: 24
2: 2
4: 4
5: 5
default: 5
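Review bot: `2: 2` is inserted between `24` and `4`, matching the file's string-sorted key order, and `default: 5` is left untouched, so the ANSSI profile depends entirely on the explicit `var_password_pam_unix_remember=2` selection in controls/anssi.yml; double-check that the key spelled there (`2`) is exactly this option key, since a mismatch would fall back to `default: 5` silently rather than fail the build.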
@@ -13,6 +13,8 @@ options:
12: 12
14: 14
15: 15
18: 18
20: 20
6: 6
8: 8
default: 15
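Review bot: same comment as for the first `options:` hunk: `18` and `20` are added in the file's string-sorted position and `default: 15` is unchanged, so the 18-character minimum for new accounts is only applied through `var_accounts_password_minlen_login_defs=18` in controls/anssi.yml. Since `accounts_password_minlen_login_defs` (login.defs `PASS_MIN_LEN`) and `accounts_password_pam_minlen` (pam_pwquality `minlen`) are both selected at 18, consider a one-line note in the control explaining that both are set deliberately so the two values do not drift apart in a later tailoring.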
0 comments on commit e7476fe
