Linux User Account Security Settings: How To


Author : Sanjay K


How to enable Account Password History
===========================


Step 1 - Create the file /etc/security/opasswd. Its owner and group must be root and its permissions 600.

Step 2 - Open /etc/pam.d/system-auth and add the remember= option to the pam_unix.so password line, as in the listing below:
[root@oc3716188470 pam.d]# cat /etc/pam.d/system-auth
#%PAM-1.0
auth       required     pam_shells.so
auth       required     pam_unix.so likeauth nullok try_first_pass
auth       required     pam_nologin.so
#
account    required     pam_unix.so
#
password   required     pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users
password   sufficient   pam_unix.so nullok use_authtok md5 shadow remember=7
password   required     pam_deny.so
#
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_console.so
[root@oc3716188470 pam.d]#

==================================


How to enable Password Complexity
==================================
Open /etc/pam.d/system-auth and append the line below. In this example it forces users to use a password of at least 8 characters with at least 1 lower-case letter, 1 upper-case letter, 2 digits and 1 special character.


password required pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1 difok=4

==================================


How to enable Account Lockout after 3 failed logins
==================================


Open /etc/pam.d/system-auth and append these two lines.

auth        required     pam_tally.so onerr=fail no_magic_root

account     required     pam_tally.so deny=3 no_magic_root reset


The options used above are described below:

    onerr=fail

    If something strange happens, such as the module being unable to open the tally file, this determines how the module should react; here it fails the authentication.

    no_magic_root

    Indicates that if the module is invoked by a user with uid=0, the counter is still incremented. The sysadmin should use this for daemon-launched services such as telnet/rsh/login.

    deny=3

    Deny access if the tally for this user exceeds 3.

    reset

    Reset the count to 0 on successful entry.

=======================



How to enable Password Expiry
=======================

Set the password aging values in /etc/login.defs. Note that these defaults are applied when an account is created; accounts that already exist keep their current aging settings.
# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    8
PASS_WARN_AGE   7
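As an added audit example (not code from the post), the Python below parses a system-auth fragment and login.defs text and reports which of the four controls described above are missing or weaker than the post's values. The sample input is constructed from the post's own lines, the thresholds are assumptions matching its values, and bracketed PAM control fields such as [success=1 default=ignore] are out of scope. It also flags an option given twice on one line, because which value then takes effect depends on the module.

```python
import re

# Constructed sample input (the post's lines, not read from a live host).
SYSTEM_AUTH = """\
#%PAM-1.0
auth       required     pam_unix.so likeauth nullok try_first_pass
auth       required     pam_tally.so onerr=fail no_magic_root
account    required     pam_tally.so deny=3 no_magic_root reset
password   required     pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1 difok=4
password   sufficient   pam_unix.so nullok use_authtok md5 shadow remember=7
"""
LOGIN_DEFS = "PASS_MAX_DAYS   90\nPASS_MIN_DAYS   1\nPASS_WARN_AGE   7\n"  # constructed

def parse_pam(text):
    """Parse simple 'type control module opts...' lines; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ptype, control, module, *args = line.split()
        pairs = [a.partition("=") for a in args]
        dups = {k for k, _, _ in pairs if sum(p[0] == k for p in pairs) > 1}
        opts = {k: v or True for k, _, v in pairs}  # last value wins here; modules differ
        entries.append((ptype, control, module, opts, dups))
    return entries

def audit(system_auth, login_defs, history=7, minlen=8, lockout=3, max_days=90):
    """Return policy findings; an empty list means every control in the post is present."""
    findings, mods = [], {}
    for ptype, _control, module, opts, dups in parse_pam(system_auth):
        mods[(ptype, module)] = opts
        findings += [f"{ptype} {module}: option {k} given twice" for k in dups]
    unix = mods.get(("password", "pam_unix.so"), {})
    if int(unix.get("remember", 0)) < history:
        findings.append(f"history: pam_unix remember < {history}")
    crack = mods.get(("password", "pam_cracklib.so"), {})
    if int(crack.get("minlen", 0)) < minlen:
        findings.append(f"complexity: pam_cracklib minlen < {minlen}")
    if ("auth", "pam_tally.so") not in mods:
        findings.append("lockout: pam_tally.so missing from auth stack, failures are never counted")
    tally = mods.get(("account", "pam_tally.so"), {})
    if int(tally.get("deny", 10**6)) > lockout:
        findings.append(f"lockout: pam_tally deny > {lockout}")
    defs = dict(re.findall(r"^(PASS_\w+)\s+(\d+)", login_defs, re.M))
    if int(defs.get("PASS_MAX_DAYS", 99999)) > max_days:
        findings.append(f"expiry: PASS_MAX_DAYS > {max_days}")
    return findings
```

Run audit(SYSTEM_AUTH, LOGIN_DEFS) on the sample to get an empty list; feed it the contents of a real system-auth and login.defs to check a host against the same policy.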


