User accounts administration

#1 · 09-08-2006 1:32pm #1

Hi All,

I have been presented with the following to make our servers compliant. Any help would be much appreciated. My OS is fedora core 4.

1. Examine password procedures and observe security personnel to confirm that first-time passwords for new users are set to a unique value per user and changed after first use.

I can only think of a manual way of making initial passwords unique. To force a change I am using the command chage -d 0 username.

Does anyone know of a way to ensure that initial passwords are not repeated?

2. Verify that user password parameters are set to require users to change passwords at least every 90 days

I am changing 'PASS_MAX_DAYS' in /etc/login.defs to 90, is this sufficient?

3. Verify that password parameters are set to require passwords to be at least seven characters long

Change 'PASS_MIN_LENGTH' in /etc/login.defs to 7.

4. Verify that passwords parameters are set to require passwords to contain both numeric and alphabetic characters

Ok, I don't have a clue on this one. Is there a configuration for pam_passwdqc that can be changed to enforce this?

5. Verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords

Any help at all here would be great!

Verify that password parameters are set to require that a user’s account is locked out after not more than six invalid logon attempts

I'm not sure how to set this up, I have tried a few things with pam_tally.so and faillog, but it keeps giving me unexpected results.

Verify that password parameters are set to require that once a user account is locked out, it remains locked for thirty minutes or until a system administrator resets the account.

I assume this is just faillog -l 1800 to lock for 30 mins...

I hope someone can help here....

Cheers,

Si

sicruise · 09-08-2006 5:18pm

Ok I have solved some of these issues myself...

1. Use a local application for generating a random password.

After creating the user run 'chage -d 0 username'

2. Run chage username and fill in appropriate details

3. Add minlen=7 to the pam_cracklib parameters in the password section of /etc/pam.d/system-auth

5. Add the following argument to pam_unix.so under password in the /etc/pam.d/system-auth file...

remember=4

e.g. password sufficient pam_unix.so remember=4

ref: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html

6. Add the following lines to /etc/pam.d/system-auth

auth required /lib/security/pam_tally.so no_magic_root deny=6 reset

account required /lib/security/pam_tally.so no_magic_root deny=6 reset

Use faillog to administor this.

7. 'faillog -l 1800'

The only problem now is that I can still login as a user even if faillog tells me that the account is locked...

Also point 4 above... I can't figure out how to force users to have at least an alphanumeric password...

ntlbell · 10-08-2006 12:03pm

Something like the below in /etc/pam.d/system-auth should do sort number 4

password requisite pam_cracklib.so lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1

Is this your homework?

sicruise · 10-08-2006 1:58pm

Haha no not homework... cheers for the help....

I managed to figure out a solution for all 7... here it is if anyone is interested...

1. Examine password procedures and observe security personnel to confirm that first-time passwords for new users are set to a unique value per user and changed after first use.

Use a local application for generating a random password.

After creating the user run 'chage -d 0 username'

2. Verify that user password parameters are set to require users to change passwords at least every 90 days

'chage -M 90 username'

3. Verify that password parameters are set to require passwords to be at least seven characters long

This is forced in point 5.

4. Verify that passwords parameters are set to require passwords to contain both numeric and alphabetic characters

Add the following line to /etc/pam.d/system-auth

password required pam_passwdqc.so min=disabled,disabled,disabled,disabled,7 similar=deny match=4

5. Verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords

Add the following argument to pam_unix.so under password in the /etc/pam.d/system-auth file...

remember=4

e.g. password sufficient pam_unix.so remember=4 *other parameters*

ref: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html

6. Verify that password parameters are set to require that a user’s account is locked out after not more than six invalid logon attempts

Add the following lines to /etc/pam.d/system-auth

auth required pam_tally.so onerr=fail deny=6 unlock_time=1800 no_magic_root

account required pam_tally.so no_magic_root

Use faillog to administor this.

To set the users maximum attempts use

faillog -m 6 -u user

To unlock the account

faillog -r -u user

or

pam_tally --user user --reset=0

During the lock period the user will not be able to access the server through ssh, also the root account cannot be locked out.

7. Verify that password parameters are set to require that once a user account is locked out, it remains locked for thirty minutes or until a system administrator resets the account.

'faillog -l 1800'

MunsterCycling · 10-08-2006 2:24pm

Sticky?

PhantomBeaker · 10-08-2006 4:11pm

MunsterCycling wrote:

Sticky?

Seconded. It's a very useful post/thread.

User accounts administration

Comments