Chapter 17
CIS benchmarks for CentOS 7
Skybox version 11.7.100
RECOMMENDATION | SCORED | DESCRIPTION
The following options are set in the /etc/security/pwquality.conf file:
- minlen=14: Password must be at least 14 characters
- dcredit=-1: Provide at least one digit
- ucredit=-1: Provide at least one uppercase character
- ocredit=-1: Provide at least one special character
- lcredit=-1: Provide at least one lowercase character
Note: The values shown are sample values.
Rationale: Strong passwords protect systems from being hacked through brute-force methods.
5.4.4 (Scored ✓)
Ensure that the default user umask is 027 or more restrictive. The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who want to permit their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, and so on) in their home directories.
Rationale: Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group; a umask of 022 would make files readable by every user on the system.
6.1.5 – 6.1.9 (Scored ✓)
Permissions on user- and group-related files:
- /etc/gshadow
- /etc/passwd-
- /etc/shadow-
- /etc/group-
- /etc/gshadow-
Rationale: It is critical to ensure that these files are protected from unauthorized access. Although they are protected by default, the file permissions could be changed either inadvertently or through malicious actions.
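As an added example (not taken from the Skybox document or from CIS tooling), the following POSIX shell helper audits the three items on this page: the pwquality.conf options, the default umask against 027, and the mode of the listed files. The maximum modes used in the live-audit section at the end are assumed values, since the page names the files but not their required modes.

```shell
#!/bin/sh
# Added audit helper for the three items above; it is not part of the Skybox
# document or of the CIS tooling. Required modes for check_mode are supplied by
# the caller, because the page lists the files but not their modes.

# value_of FILE KEY: print the last uncommented "KEY = VALUE" line of a
# pwquality-style file; prints nothing when KEY is absent.
value_of() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# check_pwquality FILE: 0 when minlen >= 14 and every credit option is <= -1.
check_pwquality() {
  v=$(value_of "$1" minlen)
  [ -n "$v" ] && [ "$v" -ge 14 ] || return 1
  for key in dcredit ucredit ocredit lcredit; do
    v=$(value_of "$1" "$key")
    [ -n "$v" ] && [ "$v" -le -1 ] || return 1
  done
}

# check_umask MASK: 0 when MASK (octal, "027" or "0027") is 027 or stricter,
# i.e. it clears at least group-write and all "other" bits (027 octal = 23).
check_umask() {
  case "$1" in ""|*[!0-7]*) return 1 ;; esac
  [ $(( 0$1 & 23 )) -eq 23 ]
}

# check_mode FILE MAX: 0 when FILE exists and its mode sets no bit outside
# MAX (octal), e.g. check_mode /etc/passwd- 644. Uses GNU stat (CentOS).
check_mode() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  [ $(( 0$mode & ~0$2 )) -eq 0 ]
}

# When run as a script, audit the live host. The maximum modes below are
# assumed values, not values taken from the page.
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report check_pwquality /etc/security/pwquality.conf
report check_umask "$(umask)"
for f in /etc/gshadow /etc/shadow- /etc/gshadow-; do report check_mode "$f" 000; done
for f in /etc/passwd- /etc/group-; do report check_mode "$f" 644; done
```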