Rules Related To 'shadow-utils'

Component overview

Relevant packages:

Relevant groups:

None

Changelog:

No changes recorded.

Relevant rules:

Rule details

Set Account Expiration Following Inactivity

account_disable_post_pw_expiration

Description

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in /etc/default/useradd:

INACTIVE=$var_account_disable_post_pw_expiration

If a password is currently on the verge of expiration, then $var_account_disable_post_pw_expiration day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus $var_account_disable_post_pw_expiration day(s) could elapse until the account would be automatically disabled. See the useradd man page for more information.

Rationale

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.

Ensure Home Directories are Created for New Users

accounts_have_homedir_login_defs

Description

All local interactive user accounts, upon creation, should be assigned a home directory.

Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME parameter in /etc/login.defs to yes as follows:

CREATE_HOME yes

Rationale

If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

Ensure the Logon Failure Delay is Set Correctly in login.defs

accounts_logon_fail_delay

Description

To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:

FAIL_DELAY $var_accounts_fail_delay

Rationale

Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.

Set Password Maximum Age

accounts_maximum_age_login_defs

Description

To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MAX_DAYS $var_accounts_maximum_age_login_defs

A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is $var_accounts_maximum_age_login_defs.

Rationale

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.

Set Password Minimum Age

accounts_minimum_age_login_defs

Description

To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MIN_DAYS $var_accounts_minimum_age_login_defs

A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is $var_accounts_minimum_age_login_defs.

Rationale

Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.

Set Password Minimum Length in login.defs

accounts_password_minlen_login_defs

Description

To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MIN_LEN $var_accounts_password_minlen_login_defs

The DoD requirement is 15. The FISMA requirement is 12. The profile requirement is $var_accounts_password_minlen_login_defs. If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive requirement must be satisfied. See the PAM section for more information about enforcing password quality requirements.

Rationale

Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.

Set Password Warning Age

accounts_password_warn_age_login_defs

Description

To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line:

PASS_WARN_AGE $var_accounts_password_warn_age_login_defs

The DoD requirement is 7. The profile requirement is $var_accounts_password_warn_age_login_defs.

Rationale

Setting the password warning age enables users to make the change at a practical time.

Ensure the Default Umask is Set Correctly in login.defs

accounts_umask_etc_login_defs

Description

To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:

UMASK $var_accounts_user_umask

Rationale

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.

Verify Group Who Owns lastlog Command

file_groupownership_lastlog

Description

To properly set the group owner of /var/log/lastlog, run the command:

$ sudo chgrp root /var/log/lastlog

Rationale

Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to attackers, thus compromising its confidentiality.

Verify Owner on lastlog Command

file_ownership_lastlog

Description

To properly set the owner of /usr/bin/lastlog, run the command:

$ sudo chown root /usr/bin/lastlog

Rationale

Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to attackers, thus compromising its confidentiality.

Verify Permissions on lastlog Command

file_permissions_lastlog

Description

To properly set the permissions of /usr/bin/lastlog, run the command:

$ sudo chmod 0750 /usr/bin/lastlog

Rationale

Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to attackers, thus compromising its confidentiality.

Set Password Hashing Algorithm in /etc/login.defs

set_password_hashing_algorithm_logindefs

Description

In /etc/login.defs, add or correct the following line to ensure the system will use $var_password_hashing_algorithm as the hashing algorithm:

ENCRYPT_METHOD $var_password_hashing_algorithm

Rationale

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.
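As an added example (not part of this page or the ComplianceAsCode project), the following POSIX shell script audits a login.defs-style file against the /etc/login.defs rules above (maximum and minimum password age, minimum length, warning age, logon failure delay, CREATE_HOME and ENCRYPT_METHOD). The two sample files are constructed; the numeric limits are the DoD values quoted in the descriptions, while SHA512 for ENCRYPT_METHOD and a 4-second FAIL_DELAY are assumptions standing in for the profile's $var_ values.

```shell
#!/bin/sh
# Constructed sample login.defs files (not real system files) so this runs offline.
WORK=$(mktemp -d)
cat > "$WORK/login.defs.good" <<'EOF'
# distro default first, hardened value further down: the later line wins
PASS_MAX_DAYS   99999
PASS_MAX_DAYS   60
PASS_MIN_DAYS   1
PASS_MIN_LEN    15
PASS_WARN_AGE   7
FAIL_DELAY      4
CREATE_HOME     yes
ENCRYPT_METHOD  SHA512
EOF
cat > "$WORK/login.defs.bad" <<'EOF'
PASS_MAX_DAYS   99999
# PASS_MIN_LEN  15   <- commented out, so no minimum length is in effect
PASS_MIN_DAYS   0
ENCRYPT_METHOD  DES
EOF

# logindefs_get FILE KEY: print the value in effect for KEY. Comment lines are
# skipped and a later occurrence overrides an earlier one, as shadow-utils reads it.
logindefs_get() {
  awk -v key="$2" '/^[[:space:]]*#/ || NF < 2 { next }
                   $1 == key { val = $2 }
                   END { if (val != "") print val }' "$1"
}
# Each check returns 0 (pass) or 1 (fail); an unset key always fails.
check_max() { v=$(logindefs_get "$1" "$2"); [ -n "$v" ] && [ "$v" -le "$3" ]; }  # value <= limit
check_min() { v=$(logindefs_get "$1" "$2"); [ -n "$v" ] && [ "$v" -ge "$3" ]; }  # value >= limit
check_eq()  { v=$(logindefs_get "$1" "$2"); [ "$v" = "$3" ]; }                   # exact value
# audit_login_defs FILE: one PASS/FAIL line per login.defs rule on this page; returns 1
# if any failed. Limits are the DoD values the descriptions quote; SHA512 for
# ENCRYPT_METHOD and 4 seconds for FAIL_DELAY are assumptions, not page values.
audit_login_defs() {
  rc=0
  report() { if "$@"; then echo "PASS $3"; else echo "FAIL $3"; rc=1; fi; }
  report check_max "$1" PASS_MAX_DAYS 60       # accounts_maximum_age_login_defs
  report check_min "$1" PASS_MIN_DAYS 1        # accounts_minimum_age_login_defs
  report check_min "$1" PASS_MIN_LEN 15        # accounts_password_minlen_login_defs
  report check_min "$1" PASS_WARN_AGE 7        # accounts_password_warn_age_login_defs
  report check_min "$1" FAIL_DELAY 4           # accounts_logon_fail_delay
  report check_eq  "$1" CREATE_HOME yes        # accounts_have_homedir_login_defs
  report check_eq  "$1" ENCRYPT_METHOD SHA512  # set_password_hashing_algorithm_logindefs
  return $rc
}
audit_login_defs "$WORK/login.defs.good" && echo "good: compliant"
audit_login_defs "$WORK/login.defs.bad"  || echo "bad: non-compliant"
```

To audit a real host, call audit_login_defs /etc/login.defs and adjust the limits to the profile's values.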