Change default passwd age and encryption configs
In order to comply with CIS Benchmark, the password minimum age should be 1 day, maximum age should be no more than 365 days, inactive password lock should be less than or equal to 45 days, and password encryption should be set to SHA512. This commit adds those requirements to the default user settings.

Test Plan:
PASS: Run build-pkgs -c -p shadow-utils-config.
PASS: Run build-image.
PASS: Run fresh install of AIO-SX with complete bootstrap and unlock of the controller-0.
PASS: Run fresh install of AIO-DX with complete bootstrap and unlock of controller-0 and controller-1.
PASS: Perform backup and restore and verify that the rules apply.
PASS: Run `chage -l sysadmin` after bootstrap and check if the password expires 90 days in the future.

Story: 2011283
Task: 51443

Change-Id: Ic6e2d88d4317a565ea043caaac14e73b723171f3
Signed-off-by: Rodrigo Tavares <Rodrigo.DosSantosTavares@windriver.com>
parent bd0b9e00db
commit 6969881a60
@ -3,5 +3,6 @@
|
||||
set -e
|
||||
|
||||
cp /usr/share/starlingx/login.defs /etc/login.defs
|
||||
cp /usr/share/starlingx/useradd /etc/default/useradd
|
||||
|
||||
#DEBHELPER#
|
||||
|
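Review bot: The `cp /usr/share/starlingx/useradd /etc/default/useradd` line has no guard in the visible lines, so a site-local edit to /etc/default/useradd would be silently overwritten each time the script runs, and the destination's owner and mode are left to whatever cp produces. Consider `install -o root -g root -m 0644 /usr/share/starlingx/useradd /etc/default/useradd` so the permissions are explicit, and state in a comment that the file is owned by this package and local changes are not preserved. The same applies to the existing login.defs copy next to it.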
@ -1,2 +1,3 @@
|
||||
clear_shadow_locks.service usr/lib/systemd/system
|
||||
login.defs usr/share/starlingx
|
||||
useradd usr/share/starlingx
|
||||
|
@ -199,8 +199,8 @@ UMASK 022
|
||||
# PASS_MIN_LEN Minimum acceptable password length.
|
||||
# PASS_WARN_AGE Number of days warning given before a password expires.
|
||||
#
|
||||
PASS_MAX_DAYS 99999
|
||||
PASS_MIN_DAYS 0
|
||||
PASS_MAX_DAYS 90
|
||||
PASS_MIN_DAYS 1
|
||||
#PASS_MIN_LEN 5
|
||||
PASS_WARN_AGE 7
|
||||
|
||||
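Review bot: `PASS_MAX_DAYS 90` is stricter than the 365-day upper bound the commit message cites, and nothing beside the value records why 90 was chosen; a one-line comment above it naming the requirement would keep a later editor from relaxing it by accident. Also note that the PASS_MAX_DAYS and PASS_MIN_DAYS values in login.defs are applied when an account is created, so accounts that already exist keep their current aging fields in /etc/shadow until `chage` is run for them. If any account is present before this file is installed, the change should say how it is brought in line.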
@ -308,7 +308,7 @@ CHFN_RESTRICT rwh
|
||||
# Note: If you use PAM, it is recommended to use a value consistent with
|
||||
# the PAM modules configuration.
|
||||
#
|
||||
#ENCRYPT_METHOD DES
|
||||
ENCRYPT_METHOD SHA512
|
||||
|
||||
#
|
||||
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
||||
|
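Review bot: The context comment directly above `ENCRYPT_METHOD SHA512` recommends a value consistent with the PAM modules configuration, but this change touches only login.defs. On a PAM system an explicit hash option on the pam_unix password line takes precedence for password changes, so confirm that the PAM password stack does not specify a different algorithm, and add a test-plan step that changes a password and checks for the `$6$` prefix in /etc/shadow. Existing hashes are not converted by this setting; they stay in their old format until each password is next changed.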
36
shadow-utils-config/source-debian/useradd
Normal file
@ -0,0 +1,36 @@
|
||||
# Default values for useradd(8)
|
||||
#
|
||||
# The SHELL variable specifies the default login shell on your
|
||||
# system.
|
||||
# Similar to DSHELL in adduser. However, we use "sh" here because
|
||||
# useradd is a low level utility and should be as general
|
||||
# as possible
|
||||
SHELL=/bin/sh
|
||||
#
|
||||
# The default group for users
|
||||
# 100=users on Debian systems
|
||||
# Same as USERS_GID in adduser
|
||||
# This argument is used when the -n flag is specified.
|
||||
# The default behavior (when -n and -g are not specified) is to create a
|
||||
# primary user group with the same name as the user being added to the
|
||||
# system.
|
||||
# GROUP=100
|
||||
#
|
||||
# The default home directory. Same as DHOME for adduser
|
||||
# HOME=/home
|
||||
#
|
||||
# The number of days after a password expires until the account
|
||||
# is permanently disabled
|
||||
INACTIVE=45
|
||||
#
|
||||
# The default expire date
|
||||
# EXPIRE=
|
||||
#
|
||||
# The SKEL variable specifies the directory containing "skeletal" user
|
||||
# files; in other words, files such as a sample .profile that will be
|
||||
# copied to the new user's home directory when it is created.
|
||||
# SKEL=/etc/skel
|
||||
#
|
||||
# Defines whether the mail spool should be created while
|
||||
# creating the account
|
||||
# CREATE_MAIL_SPOOL=yes
|
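Review bot: `INACTIVE=45` is the setting this new file exists to deliver, yet the test plan in the commit message only checks password expiry through `chage -l sysadmin`. Add a step that runs `useradd -D` and creates a throwaway account to confirm the inactivity period comes out as 45. The value is only a default for accounts created through useradd after the file is installed, so any account that exists earlier needs `chage --inactive 45 <user>` to get the same lock.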