| Requirement 8 - Assign a unique ID to each person with computer access | Control | Status |
|---|---|---|
| 8.1 | Assign unique user ID to each user | Local user accounts are assigned unique user IDs and names. |
| 8.2 | Authenticate all users with password, passphrase or two-factor authentication | Local terminal access requires a password. OpenSSH access requires two-factor authentication. |
| 8.3 | Require two-factor authentication for network level access | OpenSSH requires a certificate (something you have) and a password (something you know). |
| 8.4 | Render passwords unreadable during transmission and storage | OpenSSH (in transit) and crypt (password hashes in storage). |
| 8.5.1 | Control user management (addition, deletion and modification) | Business procedure, not a technical issue. |
| 8.5.2 | Verify user identity before password reset | Business procedure, not a technical issue. |
| 8.5.3 | Require unique initial password and force user to change upon first use | Business procedure, not a technical issue. |
| 8.5.4 | Revoke access for terminated users | Business procedure, not a technical issue. |
| 8.5.5 | Disable inactive user account after 90 days | Business procedure, not a technical issue. |
| 8.5.6 | Only enable vendor accounts when needed | Business procedure, not a technical issue. |
| 8.5.7 | Communicate password policy to users | Business procedure, not a technical issue. |
| 8.5.8 | Prohibit shared passwords | Business policy, not a technical issue. |
| 8.5.9 | Require password change every 90 days | login.defs (PASS_MAX_DAYS 90 and PASS_WARN_AGE 14). |
| 8.5.10 | Passwords must be at least 7 characters long | PAM - more coming soon. |
| 8.5.11 | Passwords must contain numeric and alphabetic characters | PAM - more coming soon. |
| 8.5.12 | Password history (when changing passwords, users must not re-use the last four passwords) | pam_unix |
| 8.5.13 | User account lockout after six failures | pam_tally |
| 8.5.14 | User account lockout duration of at least 30 minutes | pam_tally |
| 8.5.15 | Idle users (15 minute period) must re-enter password | I address this by forcing inactive users to log out and by limiting the shells available to users: OpenSSH, ksh, bash, sh and csh. If you add additional shells to the base installation, you will have to address each shell individually. It is best not to add more shells. |
| 8.5.16 | Authenticate all database access | Database and application issue, not applicable to the operating system. |
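The password-policy rows (8.5.9 through 8.5.14) name the mechanisms but not the settings. The script below is an added example, not code from the guide: it renders the login.defs aging values, the PAM length/complexity, history and lockout lines, and a check that reads them back. Everything beyond the row text is an assumption: pam_cracklib for length and complexity (pam_pwquality accepts the same options on newer systems), the pam_unix `remember` option for history, pam_tally `deny`/`unlock_time` for lockout, and a Debian or Red Hat style `/etc/pam.d` layout. It writes into a scratch tree by default so it can be run unprivileged; the `ROOT` variable, the `pci-password`/`pci-auth` fragment names and the sample passwd entries are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original guide: render the password-policy
# settings behind rows 8.5.9 to 8.5.14 into a staging tree and verify them.
# Assumptions not taken from the page: pam_cracklib for length/complexity,
# the pam_unix "remember" option for history, pam_tally "deny"/"unlock_time"
# for lockout, and a Debian/Red Hat style /etc/pam.d layout. ROOT defaults
# to a scratch directory so the script runs unprivileged; set ROOT=/ only
# after reviewing the rendered files.

# Set or replace "KEY VALUE" in a login.defs-style file (comments untouched).
set_login_def() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    awk -v k="$key" -v v="$value" '
        $1 == k { print k "\t" v; done = 1; next }
        { print }
        END { if (!done) print k "\t" v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Read KEY back; empty output means it is unset (or only commented out).
get_login_def() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# 8.5.9: new accounts expire passwords after 90 days, warn 14 days ahead.
# login.defs only affects accounts created afterwards; see aging_commands.
write_login_defs() {
    mkdir -p "$1/etc"
    set_login_def "$1/etc/login.defs" PASS_MAX_DAYS 90
    set_login_def "$1/etc/login.defs" PASS_WARN_AGE 14
}

# Emit the chage commands that bring existing interactive accounts in line.
# Reads a passwd file; UID >= 1000 with a real login shell counts as a user.
aging_commands() {
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ {
        print "chage -M 90 -W 14 " $1
    }' "$1/etc/passwd"
}

# 8.5.10 to 8.5.14 as PAM fragments; include them from the distribution's
# password and auth stacks (common-password/common-auth or system-auth).
write_pam_fragments() {
    dir=$1/etc/pam.d
    mkdir -p "$dir"
    # minlen=7 with every credit <= 0 means seven real characters;
    # dcredit=-1 demands a digit and lcredit=-1 a letter (pam_cracklib has
    # no "any letter" credit, so lowercase stands in for alphabetic).
    # remember=4 keeps the last four hashes in /etc/security/opasswd.
    cat > "$dir/pci-password" <<'EOF'
password  requisite  pam_cracklib.so retry=3 minlen=7 dcredit=-1 lcredit=-1 ucredit=0 ocredit=0
password  required   pam_unix.so use_authtok sha512 shadow remember=4
EOF
    # Six failures lock the account; unlock_time=1800 is the 30-minute floor.
    # onerr=fail keeps a broken tally file from silently disabling lockout.
    cat > "$dir/pci-auth" <<'EOF'
auth      required   pam_tally.so deny=6 unlock_time=1800 onerr=fail
account   required   pam_tally.so
EOF
}

# Return 0 only if every rendered setting matches the PCI values.
check_policy() {
    root=$1
    [ "$(get_login_def "$root/etc/login.defs" PASS_MAX_DAYS)" = 90 ] || return 1
    [ "$(get_login_def "$root/etc/login.defs" PASS_WARN_AGE)" = 14 ] || return 1
    grep -q 'minlen=7 ' "$root/etc/pam.d/pci-password" || return 1
    grep -q 'remember=4' "$root/etc/pam.d/pci-password" || return 1
    grep -q 'deny=6 unlock_time=1800' "$root/etc/pam.d/pci-auth" || return 1
}

apply_policy() {
    write_login_defs "$1"
    write_pam_fragments "$1"
    check_policy "$1"
}

# Stand-alone run: render into a scratch tree with a constructed passwd file
# (only written when the tree has none, so ROOT=/ never touches the real one).
ROOT=${ROOT:-$(mktemp -d)}
mkdir -p "$ROOT/etc"
[ -f "$ROOT/etc/passwd" ] || cat > "$ROOT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash
backup:x:1001:1001::/var/backups:/usr/sbin/nologin
EOF
apply_policy "$ROOT" && echo "policy rendered under $ROOT" && aging_commands "$ROOT"
```

The `aging_commands` function exists because `PASS_MAX_DAYS` in login.defs is read only at account creation; accounts that already exist keep whatever `chage -l` shows until you run the printed commands. The `onerr=fail` option on pam_tally is the choice a defender wants here: if the tally file cannot be read, authentication fails closed rather than quietly losing the lockout.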
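Row 8.5.15 says idle users are forced out and that each shell has to be handled individually. The script below is an added example, not the guide's own code: it sets the 15-minute idle logout for the shells the guide lists (sh, bash, ksh via `TMOUT`; csh via `autologout`), reads the values back, and audits `/etc/shells` for any shell those settings would not reach. Assumptions not on the page: `/etc/profile.d/*.sh` and `*.csh` are sourced by `/etc/profile` and `/etc/csh.login` (the Red Hat convention), the `pci-idle` file names, and the `ROOT` scratch directory used so it can run unprivileged.

```shell
#!/bin/sh
# Added example, not code from the original guide: the 15-minute idle logout
# of row 8.5.15 for the shells the guide lists (sh, bash, ksh, csh), plus an
# audit of /etc/shells for shells the settings would not cover.
# Assumptions not on the page: /etc/profile.d/*.sh and *.csh are sourced by
# /etc/profile and /etc/csh.login (the Red Hat convention). ROOT defaults to
# a scratch directory so this runs unprivileged; set ROOT=/ after review.

IDLE_SECONDS=900   # 15 minutes

# Which idle-logout mechanism a given login shell honours.
idle_mechanism() {
    case "$(basename "$1")" in
        bash|ksh|ksh93|mksh|zsh) echo TMOUT ;;
        csh|tcsh)                echo autologout ;;
        sh) echo "TMOUT (ignored by dash, honoured by bash/ksh acting as sh)" ;;
        nologin|false)           echo non-interactive ;;
        *)                       echo unsupported ;;
    esac
}

write_idle_logout() {
    dir=$1/etc/profile.d
    mkdir -p "$dir"
    # TMOUT makes bash/ksh exit after that many seconds without input;
    # readonly stops a user from unsetting it in their own dotfiles.
    printf 'TMOUT=%s\nreadonly TMOUT\nexport TMOUT\n' "$IDLE_SECONDS" > "$dir/pci-idle.sh"
    # csh/tcsh use autologout, expressed in minutes.
    printf 'set autologout=%s\n' "$((IDLE_SECONDS / 60))" > "$dir/pci-idle.csh"
}

# Read both timeouts back, normalised to seconds, as "<sh> <csh>".
read_idle_logout() {
    sh_s=$(sed -n 's/^TMOUT=//p' "$1/etc/profile.d/pci-idle.sh")
    csh_m=$(sed -n 's/^set autologout=//p' "$1/etc/profile.d/pci-idle.csh")
    echo "$sh_s $((csh_m * 60))"
}

# List every shell in /etc/shells that neither TMOUT nor autologout covers,
# one per line; empty output means the profile.d files reach all of them.
uncovered_shells() {
    grep -v '^#' "$1/etc/shells" | while read -r shell; do
        [ -n "$shell" ] || continue
        case "$(idle_mechanism "$shell")" in
            unsupported) echo "$shell" ;;
        esac
    done
}

# OpenSSH note: ClientAliveInterval/ClientAliveCountMax only drop clients that
# stop answering keepalives; an idle user's client still answers, so the shell
# timeout above is what actually enforces 8.5.15 over an SSH session.

ROOT=${ROOT:-$(mktemp -d)}
write_idle_logout "$ROOT"
echo "idle timeouts (sh csh, seconds): $(read_idle_logout "$ROOT")"
if [ -f "$ROOT/etc/shells" ]; then
    uncovered_shells "$ROOT"
fi
```

The `uncovered_shells` audit is the operational form of the guide's "address each shell individually" caveat: any shell it prints has no idle timeout at all, which is the reason the guide advises against adding shells to the base installation. The `sh` case is deliberately ambiguous because the answer depends on what `/bin/sh` links to; on a dash-based system an interactive `sh` login has no `TMOUT` and needs a different login shell.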