msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
b2282d347501a134baec647b49a88a09e41045d537c09dde2053eefa8ee37a4d
CISS.debian.live.builder/config/hooks/live/9994_password_policy.chroot
Marc S. Weidner b2282d3475 V8.02.512.2025.05.30 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-05-30 00:28:39 +02:00

136 lines
5.3 KiB
Bash
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### NIST recommends at least eight characters but advises longer passphrases (e.g., 1264) for increased security.
### NIST SP 80063B, https://pages.nist.gov/800-63-3/sp800-63b.html
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak
chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak
cat << 'EOF' >| /etc/security/pwquality.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Current recommendations for '/etc/security/pwquality.conf' based on common best practices,
### including NIST SP 80063B, https://pages.nist.gov/800-63-3/sp800-63b.html
### and weighing usability against security.
### Configuration for systemwide password quality limits
### Defaults:
### Number of characters in the new password that must not be present in the
### old password.
difok = 4
### Length over complexity: Studies show that longer passphrases are significantly more
### resistant to brute-force and dictionary attacks. NIST recommends at least eight characters
### but advises longer passphrases (e.g., 1264) for increased security. Twenty characters strike a
### good balance between security and user convenience.
### Minimum acceptable size for the new password (plus one if
### credits are not disabled, which is the default). (See pam_cracklib manual.)
### Cannot be set to a lower value than 6.
minlen = 20
### dcredit = 0, ucredit = 0, lcredit = 0, ocredit = 0, minclass = 0
### NIST SP 80063B advises against rigid complexity rules (numbers, symbols, uppercase)
### because they can lead users to adopt predictable patterns (e.g., “Pa$$word!”).
### Length and dictionary checks are more effective.
### The maximum credit for having digits in the new password. If less than 0
### it is the minimum number of digits in the new password.
dcredit = 0
### The maximum credit for having uppercase characters in the new password.
### If less than 0, it is the minimum number of uppercase characters in the new
### password.
ucredit = 0
### The maximum credit for having lowercase characters in the new password.
### If less than 0, it is the minimum number of lowercase characters in the new
### password.
lcredit = 0
### The maximum credit for having other characters in the new password.
### If less than 0, it is the minimum number of other characters in the new
### password.
ocredit = 0
### The minimum number of required classes of characters for the new
### password (digits, uppercase, lowercase, others).
minclass = 0
### The maximum number of allowed consecutive same characters in the new password.
### The check is disabled if the value is 0.
maxrepeat = 2
### The maximum number of allowed consecutive characters of the same class in the
### new password.
### The check is disabled if the value is 0.
maxclassrepeat = 4
### Whether to check for the words from the passwd entry GECOS string of the user.
### The check is enabled if the value is not 0.
### gecoscheck = 0
### Whether to check for the words from the cracklib dictionary.
### The check is enabled if the value is not 0.
dictcheck = 1
### Whether to check if it contains the username in some form.
### The check is enabled if the value is not 0.
usercheck = 1
### Length of substrings from the username to check for in the password
### The check is enabled if the value is greater than 0, and the usercheck is enabled.
usersubstr = 3
### Whether the check is enforced by the PAM module and possibly other
### applications.
### The new password is rejected if it fails the check, and the value is not 0.
enforcing = 1
### Path to the cracklib dictionaries. The default is to use the cracklib default.
dictpath =
# Prompt user at most N times before returning with error. The default is 1.
retry = 3
# Enforces pwquality checks on the root user password.
# Enabled if the option is present.
enforce_for_root
# Skip testing the password quality for users that are not present in the
# /etc/passwd file.
# Enabled if the option is present.
local_users_only
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink