Red Hat Mandatory Encryption and Password Management Baseline Security (MBSS)

Red Hat Mandatory Encryption and Password Management Baseline Security (MBSS)

In today’s digital age, protecting sensitive data is paramount. Red Hat Enterprise Linux (RHEL) provides a robust foundation for security, but it’s essential to implement additional measures to safeguard your systems. This article will delve into the mandatory encryption and password management baseline security requirements for RHEL MBSS (Mandatory Baseline Security Standards). By adhering to these guidelines, you can significantly reduce the risk of unauthorized access, data breaches, and other security threats.

Authorities and Standards

The RHEL MBSS is a set of security best practices developed by Red Hat to ensure the integrity and confidentiality of RHEL systems. These guidelines align with industry standards such as NIST (National Institute of Standards and Technology), CIS (Center for Internet Security), and ISO/IEC 27001.

Why Encryption and Password Management Matter

Encryption is a crucial technique for protecting data in transit and at rest. By converting data into a scrambled format that can only be deciphered with a specific key, encryption prevents unauthorized access even if the data is intercepted.

Password management is equally essential. Strong, unique passwords are the first line of defense against unauthorized access. By implementing robust password policies, you can significantly reduce the risk of brute-force attacks and password guessing.

Mandatory Requirements

  1. Password Length and Complexity:
    • Minimum length: 8 characters or more
    • Complexity: At least one digit, one uppercase character, one special character, and one lowercase character
  2. Password Prompts and Retries:
    • Prompt for password if not available from previous PAM modules
    • Limit password creation retries to 3
  3. Password History and Aging:
    • Store password history to prevent reuse
    • Set a maximum password age (e.g., 60 days)
    • Require a minimum number of days between password changes (e.g., 7 days)
  4. Password Hashing Algorithm:
    • Use SHA-512 for strong hashing
  5. Password Expiration and Warnings:
    • Set password expiration warnings (e.g., 7 days)
    • Disable inactive accounts after a specified period (e.g., 30 days)
  6. Encryption:
    • Encrypt sensitive data both in transit and at rest
    • Use strong encryption algorithms (e.g., AES-256)

Benefits of Adhering to RHEL MBSS

  • Reduced risk of data breaches: Strong encryption and password management help protect sensitive data from unauthorized access.
  • Improved compliance: Adhering to RHEL MBSS can help organizations meet regulatory requirements and industry standards.
  • Enhanced system security: Implementing these measures strengthens the overall security posture of your RHEL system.
  • Increased user confidence: Users can have greater confidence in the security of their data when these practices are in place.

Details List of all Mandatory Encryption and Password Management Baseline Security for Red Hat Enterprise Linux (RHEL)

  • Password length should be configured to be 8 characters or more: The pam module checks the strength of passwords. Under the module, minlen checks for the minimum password length. If the password length is less, the iterations required by an attacker for guessing the password are less. This increases the risk of unauthorized access through attacks such as the brute force attack.
    • minlen=8 – password must be 8 characters or more
  • Password complexity should be configured according to the following:
    1) At least one digit
    2) At least one uppercase character
    3) At least one special character
    4) At least one lowercase character
  • The pam module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g., alphabet, numeric, other) and more.
    • dcredit = -1 – provide at least one digit
    • ucredit = -1 – provide at least one uppercase character
    • ocredit = -1 – provide at least one special character
    • lcredit = -1 – provide at least one lowercase character
  • Prompt user for password if password is not available from a previous stacked PAM module: The pam module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g., alphabet, numeric, other) and more.
    • try_first_pass – retrieve the password from a previous stacked PAM module. If not available,
  • Number of retries on password creation before sending back a failure should be configured to 3 or less: The pam module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g., alphabet, numeric, other) and more.
    • retry=3 – Allow 3 tries on password creation before sending back a failure
  • Password history parameter should be configured to 6 or more: The /etc/security/opasswd file stores the users’ old passwords and can be checked to ensure that users are not recycling recent passwords. Forcing users not to reuse their past passwords make it less likely that an attacker will be able to guess the password.
  • Ensure password hashing algorithm is SHA-512: The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords.
  • Maximum password age parameter should be restricted to less than 60 days: The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker’s window of opportunity.
  • Minimum days between password changes parameter should be configured to 7 or more: The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls.
  • Ensure password expiration warning days is 7 or more: The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days. Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered.
  • Ensure inactive password lock is 30 days or less: User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled. Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.
  • Ensure all users last password change date is in the past: All users should have a password change date in the past. If a users recorded password change date is in the future then they could bypass any set password expiration.
  • Ensure password fields are not empty: An account with an empty password field means that anybody may log in as that user without providing a password. All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.

Persuasive Argument for Mandatory Compliance

While these requirements may seem stringent, they are essential for maintaining the security of your RHEL system. Failure to comply with these guidelines can have severe consequences, including:

  • Data Breaches: Unauthorized access to your system can lead to data breaches, exposing sensitive information to malicious actors.
  • Financial Loss: Data breaches can result in significant financial losses due to legal penalties, reputation damage, and operational disruptions.
  • Regulatory Violations: Non-compliance with security standards can lead to regulatory violations and legal consequences.
  • Loss of Trust: A compromised system can erode trust among users and stakeholders.

By mandating compliance with these password management best practices, you are taking a proactive step to protect your organization’s assets and reputation. It’s a small investment in time and effort that can yield significant benefits in terms of security and overall system health.

Conclusion

By following the mandatory encryption and password management guidelines outlined in RHEL MBSS, you can significantly improve the security of your RHEL systems. These measures are essential for protecting sensitive data and mitigating the risk of cyberattacks. By investing in strong security practices, you can build a more resilient and trustworthy digital environment.

Consistent enforcement of these guidelines, along with ongoing security assessments, is crucial for maintaining a secure RHEL infrastructure.

author avatar
roosho Senior Engineer (Technical Services)
I am Rakib Raihan RooSho, Jack of all IT Trades. You got it right. Good for nothing. I try a lot of things and fail more than that. That's how I learn. Whenever I succeed, I note that in my cookbook. Eventually, that became my blog. 
rooshohttps://www.roosho.com
I am Rakib Raihan RooSho, Jack of all IT Trades. You got it right. Good for nothing. I try a lot of things and fail more than that. That's how I learn. Whenever I succeed, I note that in my cookbook. Eventually, that became my blog. 

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here


Latest Articles

author avatar
roosho Senior Engineer (Technical Services)
I am Rakib Raihan RooSho, Jack of all IT Trades. You got it right. Good for nothing. I try a lot of things and fail more than that. That's how I learn. Whenever I succeed, I note that in my cookbook. Eventually, that became my blog.