Tuesday, September 24, 2013

Password Policy Rules in RHEL 6


Requirement: 
  • Minimum length of eight (8) characters, with:
  • At least 1 Upper-case Letter             
  • AND, at least 1 Lower-case Letter         
  • AND, at least 1 Special Character          
  • AND, at least 1 Digit                                                 
  • Maximum number of failed attempts before blocking account: Five (5)
  • History of old passwords that cannot be reused: Five (5)
  • Maximum duration of password validity: Six (6) months 
  • Minimum duration of validity: 24 hours


[root@deepak security]# cat /etc/login.defs |grep -v -n "^#" |grep -v "^$"
15:MAIL_DIR     /var/spool/mail
17:
25:PASS_MAX_DAYS        180
26:PASS_MIN_DAYS        1
27:PASS_MIN_LEN 8
28:PASS_WARN_AGE        1
29:
33:UID_MIN                        500
34:UID_MAX                      60000
35:
39:GID_MIN                        500
40:GID_MAX                      60000
41:
48:
54:CREATE_HOME  yes
55:
58:UMASK           077
59:
62:USERGROUPS_ENAB yes
63:
65:ENCRYPT_METHOD SHA512
66:


[root@deepak security]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_tally2.so deny=5 unlock_time=36000 audit
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_tally2.so reset
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=5 type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[root@deepak security]#




[root@deepak security]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_tally2.so deny=5
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=5 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[root@deepak security]#

Note that the two PAM stacks above are not identical: the password-auth listing has no minlen/credit options on pam_cracklib and no remember=5 on pam_unix, and its pam_tally2 line has no unlock_time, so the complexity and history rules are enforced only through system-auth, while a lockout under password-auth stays in place until it is reset by hand. To check the failed-login counter (pam_tally2) and reset the user account:


[root@deepak security]# pam_tally2 -u test
Login           Failures Latest failure     From
test                0
[root@deepak security]# pam_tally2 -u test --reset
