Check Configuration of password remember #157
Conversation
and set default to 60 see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46 Signed-off-by: Maik Stuebner <[email protected]>
m41kc0d3
force-pushed
the
reuse-previous-passwords
branch
from
deddf31
to
109d01a
Compare
There was a problem hiding this comment.
Thank you @m41kc0d3 I added some comments and happy to discuss how we proceed?
controls/os_spec.rb
Outdated
| it { should exist } | ||
| it { should be_owned_by 'root' } | ||
| its('group') { should eq 'root' } | ||
| its(:content) { should match /^password requisite pam_pwhistory.so remember=60 use_authtok$/ } |
There was a problem hiding this comment.
This collects 60 passwords. I suggest to go with the CIS default of 5 and make this the default argument for this policy. You can than override the policy with 60 for your needs.
What do you think if we also split this into multiple pieces as CIS DIL 5.3 is doing?
|
|
||
| control 'os-14' do | ||
| impact 1.0 | ||
| title 'Check pam config - RedHat specific' |
There was a problem hiding this comment.
All controls that we are adding to the base line need to be applicable and tested on all major linux distributions.
There was a problem hiding this comment.
Hi @chris-rock,
in dev-sec/ansible-collection-hardening there is currently no configuration of this for other distributions and I am not the Debian master that can create them. So I only change some code in dev-sec/ansible-collection-hardening and create the missing test in this repo.
There was a problem hiding this comment.
Our code for PAM configuration on any non-RHEL based distribution is severely lacking.
I would propose to open an issue for this and going on with only RHEL support here.
Signed-off-by: Maik Stuebner <[email protected]>
Signed-off-by: Maik Stuebner <[email protected]>
and set default to 60
see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46
Public Telekom Security - Requirements