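#!/usr/bin/env bash
# Harden local account and password policy on a Debian/Ubuntu host.
#
# Edits (in place, each file backed up once before it is touched):
#   /etc/login.defs              password ageing defaults
#   /etc/pam.d/common-password   pam_cracklib / pam_unix password quality
#   /etc/pam.d/login             pam_tally2 lockout, pam_faildelay delay
#   /etc/security/access.conf    no non-local logins for the wheel group
#   /etc/shadow- /etc/gshadow-   ownership and mode of the backup files
#
# Must run as root. Re-running is safe: every "append an option" edit is
# skipped when the option is already present, so options are never
# duplicated on the PAM lines.
set -euo pipefail

# Policy values, kept in one place so the numbers are easy to audit.
readonly PASS_MAX_DAYS=90           # maximum password age (days)
readonly PASS_MIN_DAYS=7            # minimum days between password changes
readonly PASS_WARN_AGE=10           # days of warning before expiry
readonly INACTIVE_DAYS=30           # days after expiry before a NEW account locks
readonly MIN_PASS_LEN=14
readonly LOCKOUT_ATTEMPTS=5         # consecutive failures before lockout
readonly LOCKOUT_SECONDS=1200       # 20 minutes
readonly REMEMBER_PASSWORDS=24      # password history depth
readonly LOGIN_DELAY_USEC=10000000  # 10 s between failed login prompts

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Copy FILE to FILE.bak once, before any edit. (The original version of this
# script copied login.defs only after editing it, so the backup was useless.)
# Arguments: $1 - file to back up
# Returns:   exits via die if the file does not exist
#######################################
backup_once() {
  local file=$1
  [[ -e "$file" ]] || die "missing $file"
  [[ -e "$file.bak" ]] || cp -p -- "$file" "$file.bak"
}

#######################################
# Set KEY to VALUE in /etc/login.defs. The key must already be present;
# the whole line is rewritten, so the edit is idempotent.
# Arguments: $1 - key, $2 - value
#######################################
set_login_def() {
  local key=$1 value=$2
  sed -i "s/^${key}.*/${key} ${value}/" /etc/login.defs
}

#######################################
# Append OPTION after the first whole-word occurrence of ANCHOR in FILE,
# unless OPTION is already present anywhere in FILE. ANCHOR is a sed
# basic-regex fragment (a '.' in it matches any character, as before).
# Arguments: $1 - file, $2 - anchor, $3 - option text to append
#######################################
add_pam_option() {
  local file=$1 anchor=$2 option=$3
  grep -qF -- "$option" "$file" && return 0
  sed -i "s/\b${anchor}\b/& ${option}/" "$file"
}

#######################################
# True when PAM module file MOD exists in one of the usual module dirs.
# Arguments: $1 - module file name, e.g. pam_tally2.so
#######################################
pam_module_present() {
  local mod=$1 dir
  for dir in /lib/security /lib64/security /usr/lib/security \
             /lib/*/security /usr/lib/*/security; do
    [[ -e "$dir/$mod" ]] && return 0
  done
  return 1
}

main() {
  (( EUID == 0 )) || die "must run as root"

  # --- /etc/login.defs: password ageing ---------------------------------
  backup_once /etc/login.defs
  set_login_def PASS_MAX_DAYS "$PASS_MAX_DAYS"
  set_login_def PASS_MIN_DAYS "$PASS_MIN_DAYS"
  set_login_def PASS_WARN_AGE "$PASS_WARN_AGE"

  # Default INACTIVE period applies to accounts created from now on only;
  # existing users keep their current setting (see chage -I for those).
  useradd -D -f "$INACTIVE_DAYS"

  # Prevent root-owned files from accidentally becoming accessible to
  # non-privileged users: root's primary group is GID 0.
  usermod -g 0 root

  # --- /etc/pam.d/common-password: password quality ---------------------
  # apt-get has a stable command-line interface for scripts; apt does not.
  DEBIAN_FRONTEND=noninteractive apt-get -y install libpam-cracklib

  local pw=/etc/pam.d/common-password
  backup_once "$pw"
  # Minimum length. Assumes the cracklib line already carries a minlen=N
  # token, as the pam-auth-update cracklib profile does.
  sed -i "s/minlen=[[:digit:]]\+/minlen=${MIN_PASS_LEN}/" "$pw"
  # Reject a new password that contains the username (straight or reversed).
  add_pam_option "$pw" "difok=3" "reject_username"
  # Require all four character classes, each at least once.
  add_pam_option "$pw" "pam_cracklib.so" "minclass=4"
  add_pam_option "$pw" "reject_username" \
    "dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
  # Reject passwords with more than 2 identical consecutive characters.
  add_pam_option "$pw" "minclass=4" "maxrepeat=2"
  # Remember the last N passwords so they cannot be reused.
  add_pam_option "$pw" "pam_unix.so" "remember=${REMEMBER_PASSWORDS}"

  # --- /etc/pam.d/login: lockout and failure delay ----------------------
  local login=/etc/pam.d/login
  backup_once "$login"
  # Lock out after LOCKOUT_ATTEMPTS consecutive failures for LOCKOUT_SECONDS.
  # pam_tally2 was dropped from Linux-PAM 1.5 (pam_faillock replaces it);
  # an "auth required" line for a module that is not installed would make
  # console login fail for everyone, so refuse unless the module is present.
  # The appended line no longer carries the stray trailing '/' the original
  # sed left on it.
  if ! grep -q 'pam_tally2.so' "$login"; then
    pam_module_present pam_tally2.so \
      || die "pam_tally2.so is not installed; configure pam_faillock instead"
    sed -i "/session.*optional.*pam_keyinit.so.*force.*revoke/a auth required pam_tally2.so onerr=fail audit silent deny=${LOCKOUT_ATTEMPTS} unlock_time=${LOCKOUT_SECONDS}" "$login"
  fi
  # Increase the pam_faildelay pause between login prompts.
  sed -i "s/delay=[[:digit:]]\+/delay=${LOGIN_DELAY_USEC}/" "$login"

  # --- /etc/security/access.conf: privileged accounts log in locally only -
  # Uncomments the "-:wheel:ALL EXCEPT LOCAL" rule. Only effective when
  # pam_access.so is enabled in the PAM stack and a "wheel" group exists.
  backup_once /etc/security/access.conf
  sed -i "/-:wheel:ALL EXCEPT LOCAL.*/s/^#//g" /etc/security/access.conf

  # --- shadow backup files: owner root:shadow, no group write, no other ---
  # The '-' files only exist once shadow/gshadow have been edited before,
  # so skip silently rather than fail on a fresh system.
  local f
  for f in /etc/shadow- /etc/gshadow-; do
    [[ -e "$f" ]] || continue
    chown root:shadow -- "$f"
    chmod o-rwx,g-rw -- "$f"
  done
}

main "$@"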