Scenario :-
Set up the following user policies to meet a client's corporate IT security policy.
1) Minimum password length should be 8.
2) Passwords should expire after 90 days.
3) Restrict the reuse of previous passwords.
4) Lock the account after 5 login failures.
5) sudo or su access is only for the listed accounts.
Enabling Password Aging
The files and parameters in the following table are read when a new account is created with the useradd command, and the resulting values are recorded per account in the /etc/shadow file. Therefore configure these parameters before you create any user accounts with useradd; accounts that already exist are not affected and must be adjusted individually with chage.
File                   Parameter       Value   Description
/etc/login.defs        PASS_MAX_DAYS   90      Maximum number of days a password is valid.
/etc/login.defs        PASS_MIN_DAYS   7       Minimum number of days before a user can change the password again after the last change.
/etc/login.defs        PASS_MIN_LEN    n/a     Not honoured on PAM-based systems; superseded by the PAM module pam_cracklib. See Enforcing Stronger Passwords below.
/etc/login.defs        PASS_WARN_AGE   7       Number of days before expiry on which the password change reminder starts.
/etc/default/useradd   INACTIVE        14      Number of days after password expiration before the account is disabled.
/etc/default/useradd   EXPIRE                  Account expiration date in the format YYYY-MM-DD.
To see the current password aging settings of a user:
# chage -l username
Last password change : Jun 22, 2011
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
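Because login.defs only shapes accounts created afterwards, the fields that actually get enforced are the per-account ones in /etc/shadow. The following script, an added example and not part of the original page, reads lines in /etc/shadow layout, reports accounts whose aging fields violate the 90/7 policy, and emits the chage commands that would fix them. The sample lines and their hash strings are constructed placeholders; the function names audit_shadow and remediate_cmds are my own.

```shell
#!/bin/sh
# Added example (not from the original page): audit existing accounts against
# the aging policy. Constructed sample in /etc/shadow layout; the hashes are
# placeholders, not real hashes.
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$placeholder:15142:0:99999:7:::
alice:$6$placeholder:15142:7:90:7:14::
bob:$6$placeholder:15142:0:99999:7:::
carol:!!:15142:0:99999:7:::
apache:*:15142:0:99999:7:::'

# audit_shadow SHADOW_TEXT [MAX_DAYS] [MIN_DAYS]
# Prints "user:max=N:min=N" for each account with a usable password whose
# max-days exceeds the policy or whose min-days is below it.
audit_shadow() {
    maxp=${2:-90}
    minp=${3:-7}
    printf '%s\n' "$1" | while IFS=: read -r name hash lastchg min max warn inactive expire reserved; do
        case $hash in
            '!'*|'*'*) continue ;;   # locked or no-password account: nothing to age
        esac
        max=${max:-99999}            # an empty field means "never expires"
        min=${min:-0}
        if [ "$max" -gt "$maxp" ] || [ "$min" -lt "$minp" ]; then
            printf '%s:max=%s:min=%s\n' "$name" "$max" "$min"
        fi
    done
}

# remediate_cmds SHADOW_TEXT
# Emits one chage command per non-compliant account, applying PASS_MAX_DAYS=90,
# PASS_MIN_DAYS=7, PASS_WARN_AGE=7 and INACTIVE=14 from the table above.
# Review the output first, then pipe it to sh as root.
remediate_cmds() {
    audit_shadow "$1" | while IFS=: read -r name rest; do
        printf 'chage -M 90 -m 7 -W 7 -I 14 %s\n' "$name"
    done
}

# Live use (as root, since /etc/shadow is not world-readable):
#   audit_shadow "$(cat /etc/shadow)"
#   remediate_cmds "$(cat /etc/shadow)" | sh
```

Locked accounts (hash beginning with ! or *) are skipped on purpose: forcing expiry on them changes nothing and would only add noise to the report. Run the audit again after remediation and after every batch of useradd calls, since a typo in login.defs is silent until the first account created with it turns up here.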
Enforcing Stronger Passwords
The pam_cracklib module checks a new password against dictionary words and other constraints. Its credit options need care: a negative value (for example lcredit=-1) is a hard minimum of that many characters of the class, whereas a positive value grants length credit towards minlen, so with the default credits a password shorter than minlen can still be accepted. All four credits are therefore set to -1 here to make 8 a real minimum.
The following example shows how to enforce the following password rules:
– Minimum length of password must be 8
– Minimum number of lower case letters must be 1
– Minimum number of upper case letters must be 1
– Minimum number of digits must be 1
– Minimum number of other characters must be 1
Module            Parameter     Description
pam_cracklib.so   minlen=8      Minimum length of password is 8
pam_cracklib.so   lcredit=-1    Minimum number of lower case letters is 1
pam_cracklib.so   ucredit=-1    Minimum number of upper case letters is 1
pam_cracklib.so   dcredit=-1    Minimum number of digits is 1
pam_cracklib.so   ocredit=-1    Minimum number of other characters is 1
To set up these password restrictions, edit the /etc/pam.d/system-auth file and add or change the pam_cracklib arguments on the "password requisite" line as shown below. The pam_unix line is reproduced with the md5 hashing option from the original configuration; on any system whose pam_unix supports it, use sha512 instead.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
Now verify that the new password restrictions work for new passwords. Log in to a non-root account and change the password using the passwd command. Note that the above requirements are not enforced when passwd is run as root: pam_cracklib only prints a warning for root and accepts the password anyway, so always test as an unprivileged user, and remember that a root-driven password reset can still set a weak password.
Restricting Use of Previous Passwords
The pam_unix module parameter remember configures the number of previous passwords that cannot be reused, and the pam_cracklib module parameter difok specifies the number of characters that must differ between the old and the new password.
Since PASS_MIN_DAYS is set to 7, a user can change their password at most once every 7 days. Hence, if pam_unix is told to remember 26 passwords, a previously used password cannot be reused for at least 6 months (26 * 7 = 182 days).
Here is an example. Edit the /etc/pam.d/system-auth file and add/change the following pam_cracklib and pam_unix arguments:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=26
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
NOTE:
pam_unix keeps the old password hashes in /etc/security/opasswd. If the file does not exist, create it empty, owned by root with mode 0600, so that it looks like this:
# ls -l /etc/security/opasswd
-rw------- 1 root root 0 Dec 8 06:54 /etc/security/opasswd
Locking User Accounts After Too Many Login Failures
In the following example I will show how to lock only individual user accounts after too many failed su or login attempts.
Add the two pam_tally lines (the second "auth" line and the second "account" line) to the /etc/pam.d/system-auth file as shown below. The "password" lines here show only retry=3; keep the pam_cracklib and remember arguments from the previous steps in your own file.
auth required /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
The first added line counts failed login and failed su attempts for each user; by default the counters are kept in /var/log/faillog. The no_magic_root option means failures for root are counted as well.
The second added line locks an account automatically after 5 failed login or su attempts (deny=5). The counter is reset to 0 (reset) on a successful login if deny=n has not been exceeded. You do not, however, want system or shared accounts to be locked after too many login failures, because an attacker could then lock them out deliberately (a denial of service). To exempt such accounts from the deny=n parameter, the per_user parameter is added to the module. The per_user parameter instructs the module NOT to apply the deny=n limit to accounts whose maximum number of login failures has been set explicitly. For example:
# faillog -u apache -m -1
The faillog command with the option “-m -1” has the effect of not placing a limit on the number of failed logins. To instruct the module to activate the deny=n limit for this account again, run:
# faillog -u apache -m 0
By default, the maximum number of login failures for each account is 0, which instructs pam_tally to use the deny=n parameter. Note that pam_tally has since been replaced by pam_tally2 and later by pam_faillock, and their options differ, so check which module your distribution ships before copying this configuration.
Disable unwanted su access
Restricting su to selected accounts adds a further layer of security on your servers. The following steps enable this.
1) Create a user as a member of the wheel group (root is a member of the wheel group):
useradd -G wheel suadmin
passwd suadmin
2) Enable su access only for wheel group members.
# Uncomment the following line in the file /etc/pam.d/su
auth required pam_wheel.so use_uid
Take a backup of this file before making any changes, and test su from both a wheel member and a non-member before logging out of your root session. This controls su only; sudo access is configured separately in /etc/sudoers (edited with visudo).