Rules Related To 'shadow-utils'

Component overview

Relevant packages:

Relevant groups:

None

Changelog:

No changes recorded.

Relevant rules:

Rule details

Set Account Expiration Following Inactivity

account_disable_post_pw_expiration

Description

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in /etc/default/useradd:

INACTIVE=$var_account_disable_post_pw_expiration
If a password is currently on the verge of expiration, then $var_account_disable_post_pw_expiration day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus $var_account_disable_post_pw_expiration day(s) could elapse until the account would be automatically disabled. See the useradd man page for more information.

Rationale

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.

Ensure Home Directories are Created for New Users

accounts_have_homedir_login_defs

Description

All local interactive user accounts, upon creation, should be assigned a home directory.

Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME parameter in /etc/login.defs to yes as follows:

CREATE_HOME yes

Rationale

If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

Ensure the Logon Failure Delay is Set Correctly in login.defs

accounts_logon_fail_delay

Description

To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:

FAIL_DELAY $var_accounts_fail_delay

Rationale

Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.

Set Password Maximum Age

accounts_maximum_age_login_defs

Description

To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MAX_DAYS $var_accounts_maximum_age_login_defs
A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is $var_accounts_maximum_age_login_defs.

Rationale

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.

Set Password Minimum Age

accounts_minimum_age_login_defs

Description

To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MIN_DAYS $var_accounts_minimum_age_login_defs
A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is $var_accounts_minimum_age_login_defs.

Rationale

Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.

Set Password Minimum Length in login.defs

accounts_password_minlen_login_defs

Description

To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MIN_LEN $var_accounts_password_minlen_login_defs


The DoD requirement is 15. The FISMA requirement is 12. The profile requirement is $var_accounts_password_minlen_login_defs. If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements.

Rationale

Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.

Set Password Warning Age

accounts_password_warn_age_login_defs

Description

To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line:

PASS_WARN_AGE $var_accounts_password_warn_age_login_defs
The DoD requirement is 7. The profile requirement is $var_accounts_password_warn_age_login_defs.

Rationale

Setting the password warning age enables users to make the change at a practical time.

Ensure the Default Umask is Set Correctly in login.defs

accounts_umask_etc_login_defs

Description

To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:

UMASK $var_accounts_user_umask

Rationale

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.

Verify Group Who Owns lastlog Command

file_groupownership_lastlog

Description

To properly set the group owner of /var/log/lastlog, run the command:

$ sudo chgrp root /var/log/lastlog

Rationale

Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to attackers, thus compromising its confidentiality.

Verify Owner on lastlog Command

file_ownership_lastlog

Description

To properly set the owner of /usr/bin/lastlog, run the command:

$ sudo chown root /usr/bin/lastlog 

Rationale

Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to attackers, thus compromising its confidentiality.

Verify Permissions on lastlog Command

file_permissions_lastlog

Description

To properly set the permissions of /usr/bin/lastlog, run the command:

$ sudo chmod 0750 /usr/bin/lastlog

Rationale

Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to attackers, thus compromising its confidentiality.

Set Password Hashing Algorithm in /etc/login.defs

set_password_hashing_algorithm_logindefs

Description

In /etc/login.defs, add or update the following line to ensure the system will use $var_password_hashing_algorithm as the hashing algorithm:

ENCRYPT_METHOD $var_password_hashing_algorithm

Rationale

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.