The lockout time for failed password attempts should be set correctly.
The kernel runtime parameter "net.ipv6.conf.default.accept_ra" should be set to "0".
The pam_cracklib module checks the strength of passwords. It performs checks such as making sure that a password is not a dictionary word, that it is a certain length, that it contains a mix of characters (e.g. alphabetic, numeric, other), and more. The following are definitions of the pam_cracklib.so options.
* retr ...
The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else.
Only SSH protocol version 2 connections should be permitted.
Root login via SSH should be disabled (and dependencies are met).
File permissions for '/etc/ssh/sshd_config' are set to appropriate values.
The minimum password age policy should be set appropriately.
The maximum password age policy should meet minimum requirements.
This test makes sure that the '/etc/shadow' file permissions are set appropriately. If the target file or directory has an extended ACL, then it will fail the mode check.
The /etc/shadow file contains the one-way cipher text passwords for each user defined in the /etc/passwd file. The command below sets the user and group ownership of the file to root.
The /etc/passwd file contains a list of all the valid userIDs defined in the system, but not the passwords. The command below sets the owner and group of the file to root.