Set Password Strength Minimum Digit Characters
The pam_pwquality module's 'dcredit' parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each digit. Modify the 'dcredit' setting in
Require Client SMB Packet Signing, if using smbclient
To require Samba clients running 'smbclient' to use
packet signing, add the following to the '[global]' section
of the Samba configuration file, '/etc/samba/smb.conf':
'client signing = mandatory'
Requiring Samba clients such as 'smbclient' to use packet
signing ensures that they can communicate only with servers
that support packet signing.
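A section-aware check for the setting above, added here as an example (it is not part of the original guidance). The function name 'check_client_signing' and the sample configuration are constructed for illustration; the check assumes that a later assignment in '[global]' overrides an earlier one and accepts only the value given on this page.

```shell
#!/bin/sh
# check_client_signing FILE
# Exit 0 only if the [global] section of FILE sets "client signing = mandatory".
# Samba matches section and parameter names case-insensitively and ignores
# whitespace inside parameter names, so both are normalised before comparing.
check_client_signing() {
    awk '
        /^[ \t]*[#;]/ { next }            # comment lines (# or ;)
        /^[ \t]*$/    { next }            # blank lines
        /^[ \t]*\[.*\][ \t]*$/ {          # section header: remember its name
            section = tolower($0)
            sub(/^[ \t]*\[[ \t]*/, "", section)
            sub(/[ \t]*\][ \t]*$/, "", section)
            next
        }
        section == "global" {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", key)
            if (key != "clientsigning") next
            # Assumption: the last assignment in [global] is the effective one.
            value = tolower(substr($0, eq + 1))
            sub(/^[ \t]+/, "", value)
            sub(/[ \t\r]+$/, "", value)
        }
        END { exit (value == "mandatory" ? 0 : 1) }
    ' "$1"
}

# Constructed sample: the setting sits under a share instead of [global],
# so a plain grep would report it as present while the check fails.
sample=$(mktemp)
printf '%s\n' '[global]' '  workgroup = EXAMPLE' \
              '[data]'   '  client signing = mandatory' > "$sample"
if check_client_signing "$sample"; then
    echo "compliant"
else
    echo "not compliant: [global] lacks client signing = mandatory"
fi
rm -f "$sample"
```

On a real system, call the function with '/etc/samba/smb.conf' as its argument.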
Ensure auditd Collects System Administrator Actions
At a minimum, the audit system should collect administrator actions
for all users and root. If the 'auditd' daemon is configured to use the
'augenrules' program to read audit rules during daemon startup (the default),
add the following line to a file with suffix '.rules' in the directory
'-w /etc/sudoers -p wa -k actions'
Configure Periodic Execution of AIDE
To implement a daily execution of AIDE at 4:05am using cron, add the following line to '/etc/crontab':
'05 4 * * * root /usr/sbin/aide --check'
AIDE can be executed periodically through other means; this is merely one example.
Configure LDAP Client to Use TLS For All Transactions
Configure LDAP to enforce TLS use. First, edit the file
'/etc/pam_ldap.conf', and add or correct the following lines:
Then review the LDAP server and ensure TLS has been configured.
Disable IPv6 Networking Support Automatic Loading
To disable IPv6 support ('ipv6'), add the following line to
'/etc/sysctl.d/ipv6.conf' (or another file in
'net.ipv6.conf.all.disable_ipv6 = 1'
This disables IPv6 on all network interfaces while leaving the IPv6 stack
loaded, because other services and system functionality require the stack
to be loaded in order to work.