Template:User-Policy
From The Linux Source
- User and root passwords must be at least 12 characters long and contain at least one lowercase letter, one uppercase letter, one digit and one non-alphanumeric character (neither a letter nor a digit, i.e. punctuation or a symbol).
- The user's password hash (the second field of that user's line in /etc/shadow) must be sent to the Head of Security Team for approval.
- New or changed root passwords must be sent to the Head of Security Team for approval against the password strength policy (the actual password, not the password hash).
- Any added user account, and any change to a user or application account's details or password, must be kept in sync with the master user database and submitted to the approval process. Any system that does not follow this policy must be approved by the Head of Security Team.
- The master user database is synced to all servers periodically; the local account data (passwords, UIDs and GIDs) is overwritten by it, so local changes that were not made through the master database will be lost.
- The Linux password hashing method must be set to SHA512 (ENCRYPT_METHOD SHA512 in /etc/login.defs, which produces $6$ hashes in /etc/shadow), together with our minimum password parameter configuration (see the Setting The Default Password Configuration section under User Management).
- Root logins must be disabled in ssh (PermitRootLogin no in sshd_config). The only exception is for automated processes/scripts that require root over ssh: those hosts must use a locked-down ssh key (an authorized_keys entry restricted with options such as from=, command= and restrict) and set PermitRootLogin to prohibit-password (spelled without-password in OpenSSH releases before 7.0). Both values permit key-based, non-interactive root logins only and reject password authentication for root.
- Application and process accounts must have no password (a locked password field, ! or *, in /etc/shadow, never an empty field, which would allow login with no password) and must not be able to log in directly (shell set to /usr/sbin/nologin or /bin/false). If a script or automated process needs access to the account, it must use a locked-down ssh key, or the access must be approved by the Head of Security Team.
- Shared group or team logins are not permitted. Each individual must have their own account and access the systems only through it; that account may carry group permissions or be allowed to sudo to an application or group account.
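The following POSIX shell functions check a host against the rules above: password complexity, SHA512 hashes in /etc/shadow, PermitRootLogin in sshd_config, passwordless no-login application accounts, and restricted keys for automated root access. This is an added example and not part of The Linux Source or any official tooling; it assumes that "locked-down ssh key" means an authorized_keys entry carrying from=, command= and the restrict option, and all sample data in it is constructed, not taken from a real host.

```shell
#!/bin/sh
# Policy compliance checks for the user/root/ssh rules above. Each function
# takes its input as an argument so it runs here on constructed sample data
# or on a host against the real files, e.g.: check_shadow_hashes "$(cat /etc/shadow)"
# Exit status 0 means compliant; violations are printed and status 1 returned.

# Password rule: at least 12 characters with one lowercase letter, one
# uppercase letter, one digit and one non-alphanumeric character.
check_password_strength() {
    pw=$1
    [ "${#pw}" -ge 12 ] || return 1
    printf '%s\n' "$pw" | grep -q '[[:lower:]]' || return 1
    printf '%s\n' "$pw" | grep -q '[[:upper:]]' || return 1
    printf '%s\n' "$pw" | grep -q '[[:digit:]]' || return 1
    printf '%s\n' "$pw" | grep -q '[^[:alnum:]]'
}

# Hash rule: every line of shadow-format text must carry a SHA512 hash ($6$...)
# or a locked password field (!, !!, *, ...). An empty field is flagged because
# it lets the account log in with no password at all.
check_shadow_hashes() {
    bad=0
    while IFS=: read -r name hash _rest; do
        [ -n "$name" ] || continue
        case $hash in
            '$6$'*)    ;;                                        # SHA512: compliant
            '!'*|'*'*) ;;                                        # locked/disabled: no usable password
            '')        echo "$name: empty password field"; bad=1 ;;
            *)         echo "$name: hash is not SHA512 (\$6\$)"; bad=1 ;;
        esac
    done <<EOF
$1
EOF
    return $bad
}

# sshd rule: PermitRootLogin must be set explicitly (written "PermitRootLogin value"),
# and only to "no", or to "prohibit-password" ("without-password" before OpenSSH 7.0)
# on hosts that need key-only root access for automation. sshd honours the first
# occurrence of a keyword, so only the first match is examined.
check_permit_root_login() {
    val=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
        | sed -n 's/^[[:space:]]*permitrootlogin[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' \
        | head -n 1)
    case $val in
        no|prohibit-password|without-password) return 0 ;;
        '') echo "PermitRootLogin is not set explicitly"; return 1 ;;
        *)  echo "PermitRootLogin $val is not permitted by policy"; return 1 ;;
    esac
}

# Application account rule: no usable password and no interactive shell.
# $1 is the account's /etc/passwd line, $2 its /etc/shadow line.
check_app_account() {
    shell=${1##*:}
    hash=$(printf '%s\n' "$2" | cut -d: -f2)
    case $hash in
        '!'*|'*'*) ;;
        *) echo "${1%%:*}: application account has a usable password field"; return 1 ;;
    esac
    case $shell in
        */nologin|*/false) return 0 ;;
        *) echo "${1%%:*}: application account has login shell $shell"; return 1 ;;
    esac
}

# "Locked-down ssh key" is assumed here to mean an authorized_keys entry that pins
# the source host (from=), forces a single command (command=) and carries the
# restrict option (no pty, no port/agent/X11 forwarding; OpenSSH 7.2 and later).
check_restricted_key() {
    line=$1
    case $line in *'from="'*)    ;; *) echo "key is not pinned to a source (from=)"; return 1 ;; esac
    case $line in *'command="'*) ;; *) echo "key is not forced to a command (command=)"; return 1 ;; esac
    case $line in
        restrict,*|restrict' '*|*,restrict,*|*,restrict' '*) return 0 ;;
        *) echo "key lacks the restrict option"; return 1 ;;
    esac
}

# Constructed sample data (hash bodies and the key body are made up for the example).
SAMPLE_SHADOW='root:$6$saltsalt$notarealhashroot:19700:0:99999:7:::
alice:$6$abcdefgh$notarealhashalice:19700:0:99999:7:::
legacy:$1$md5salt$notarealhashlegacy:19700:0:99999:7:::
app:!:19700:0:99999:7:::'
SAMPLE_SSHD='Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no'
SAMPLE_KEY='restrict,from="10.0.0.5",command="/usr/local/sbin/nightly-backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyBodyForTheExample backup@bastion'

check_password_strength 'Correct-Horse-42' && echo "password: ok"
check_shadow_hashes "$SAMPLE_SHADOW" || echo "shadow: violations found (legacy still uses an MD5 hash)"
check_permit_root_login "$SAMPLE_SSHD" && echo "sshd: ok"
check_app_account 'app:x:1001:1001:app:/srv/app:/usr/sbin/nologin' 'app:!:19700:0:99999:7:::' && echo "app account: ok"
check_restricted_key "$SAMPLE_KEY" && echo "automation key: ok"
```

On a real host, run the shadow check as root (only root can read /etc/shadow) and feed the sshd check with the effective configuration (`sshd -T` prints it with keywords lowercased, which the function already handles); an account whose password field is empty should be treated as an incident, not a style problem, since it logs in with no password.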