CIS Controls 5.3.* (PAM) #38
Comments
Thanks for bringing this to my attention, will look into it.
On Ubuntu 16.04 LTS, I encountered several issues with the PAM configurations that may warrant review / confirmation. Tested this on a basic server configuration with base system OpenSSH installed (only).
Under the CIS controls for 5.3:
Since we are using pam-pwquality, you may want to install the linux package: apt-get install libpam-pwquality BEFORE copying files.
The template file (templates/common-passwd-CIS) copy command had no effect in my testing because the system file that you want to overwrite is actually: /etc/pam.d/common-password
The templates/command-passwd-CIS syntax is actually non-compliant with CIS control 5.3.3, which is expecting the module pam_pwhistory to be used. Also, the section added to the template following the "#CIS" comment did not behave as expected in my testing. I think a template config like the following may work better: (at least, it achieved my objectives and behaved as expected/desired for password resets for local users and from root)
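An added check, not part of the original issue and not the template the reporter refers to (that template is not reproduced on this page): it parses the password stack of a file such as /etc/pam.d/common-password and reports a missing or late pam_pwquality / pam_pwhistory entry. The sample file contents, the function names and the remember threshold of 5 are assumptions of this example.

```python
import os
import re

# Modules the issue expects in the password stack of /etc/pam.d/common-password.
REQUIRED = ("pam_pwquality.so", "pam_pwhistory.so")
LINE_RE = re.compile(r"^password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_password_stack(text):
    """Return [(control, module, args)] for each active 'password' line."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = LINE_RE.match(line)
        if m:
            control, module, args = m.groups()
            stack.append((control, os.path.basename(module), args.split()))
    return stack

def audit(text, min_remember=5):
    """List findings; min_remember=5 is an assumed threshold, set it from your benchmark."""
    stack = parse_password_stack(text)
    modules = [module for _, module, _ in stack]
    findings = []
    for required in REQUIRED:
        if required not in modules:
            findings.append(f"{required} is not in the password stack")
        elif "pam_unix.so" in modules and modules.index(required) > modules.index("pam_unix.so"):
            # PAM runs modules in file order: this check would run after pam_unix.so.
            findings.append(f"{required} is listed after pam_unix.so")
    for _, module, args in stack:
        if module == "pam_pwhistory.so":
            remember = next((a.split("=", 1)[1] for a in args if a.startswith("remember=")), None)
            if remember is None or not remember.isdigit() or int(remember) < min_remember:
                findings.append(f"pam_pwhistory.so remember={remember} is below {min_remember}")
    return findings

# Constructed samples, not taken from the repository or the issue.
APPENDED = """\
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
#CIS
password requisite pam_pwquality.so retry=3
"""
ORDERED = """\
password requisite pam_pwquality.so retry=3
password required pam_pwhistory.so remember=5 use_authtok
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512
password requisite pam_deny.so
"""
```

Calling `audit(open("/etc/pam.d/common-password").read())` on a host returns an empty list when both modules are present ahead of pam_unix.so and the history depth meets the threshold.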