The /etc/shadow file contains the one-way cipher text passwords for each user defined in the /etc/passwd file. The command below sets the user and group ownership of the file to root.
The /etc/passwd file contains a list of all the valid userIDs defined in the system, but not the passwords. The command below sets the owner and group of the file to root.
File permission for '/etc/ssh/sshd_config' is set to appropriate values.
The minimum password age policy should be set appropriately.
The kernel runtime parameter "net.ipv6.conf.default.accept_ra" should be set to "0".
The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, is a certain length, contains a mix of characters (e.g. alphabetic, numeric, other), and more. The following are definitions of the pam_cracklib.so options.
* retr ...
The maximum password age policy should meet minimum requirements.
The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else.
Only SSH protocol version 2 connections should be permitted.
Root login via SSH should be disabled (and dependencies are met).
This test makes sure that the '/etc/shadow' file permission is set appropriately. If the target file or directory has an extended ACL, then it will fail the mode check.
The lockout time for failed password attempts should be set correctly.