Setting up stronger password policy rules in Linux

Increased password security is no longer an optional item in setting up a secure system. Many external organizations (such as PCI) are now mandating security policies that can have a direct effect on your systems. By default, the account and password restrictions enabled on a Linux box are minimal at best. To better secure your hosts and meet those requirements from external vendors and organizations, here's a small how-to on setting up stronger password and account policies in Linux. This is targeted at RHEL, so other distributions may or may not be 100% compatible.
As an example, let us assume that our security department has created an account security policy document. This document identifies both account and password restrictions that are now going to be required for all accounts both existing and new.
The document states that passwords must:
- Be at least 8 characters long.
- Use of at least one upper case character.
- Use of at least one lower case character.
- Use of at least one special character (!, @, #, $, %, etc.)
- Warn 7 days prior to expiration.
- Expire after 90 days.
- Lock after 97 days.
If you are not using the `redhat-config-users` GUI, you're going to have to make the changes manually. Since our server systems don't run X, we will be making the changes directly to the system without the help of the GUI.
In RHEL, changes are made in multiple locations. They are `/etc/pam.d/system-auth`, `/etc/login.defs` and the `useradd` defaults.

`/etc/pam.d/system-auth` is the PAM file responsible for authentication and where we will make our first modifications. Inside `/etc/pam.d/system-auth` there are entries grouped by the "type" the rules apply to (auth, account, password, session). As we are only discussing password rules, you will see a line like:

```
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
```

To configure `pam_cracklib` to meet our specifications we need to modify the line accordingly:
- Minimum of 8 characters: `minlen=8`
- At least one upper case character: `ucredit=-1`
- At least one lower case character: `lcredit=-1`
- At least one special character: `ocredit=-1`

A negative credit value such as `ucredit=-1` means "at least one character of this class is required" and that class earns no length credit, so with all credits negative `minlen=8` is a true minimum of eight characters.
`/etc/pam.d/system-auth` will now look like this (the original line is kept, commented out, so the change is easy to revert):

```
#password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
```

Note that `dcredit=-1` additionally requires at least one digit, which goes one step beyond the policy document's four rules; drop it if you want to match the document exactly.
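To see what that `pam_cracklib` line actually accepts and rejects before rolling it out, here is a small plain-sh re-implementation of its length and character-class checks. This is an added example, not code from the original post or from pam_cracklib itself; it assumes the mapping described above (`minlen=8` is a hard minimum length, and each `*credit=-1` requires at least one character of that class, including the digit required by `dcredit=-1`).

```shell
# Added example: mirrors the checks enforced by
#   pam_cracklib.so retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
# Assumption: each negative credit means "at least one character of that class".

MINLEN=8

# count_chars PASSWORD CLASS: number of characters in PASSWORD matching a tr class
count_chars() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# count_other PASSWORD: characters that are neither letters nor digits
count_other() {
    printf '%s' "$1" | tr -d '[:alnum:]' | wc -c | tr -d ' '
}

# check_password PASSWORD: prints every violated rule, returns 0 only when all pass
check_password() {
    pw=$1
    fail=0
    if [ "${#pw}" -lt "$MINLEN" ]; then
        echo "too short: ${#pw} characters (minlen=$MINLEN)"; fail=1
    fi
    [ "$(count_chars "$pw" '[:upper:]')" -ge 1 ] || { echo "needs an upper case character (ucredit=-1)"; fail=1; }
    [ "$(count_chars "$pw" '[:lower:]')" -ge 1 ] || { echo "needs a lower case character (lcredit=-1)"; fail=1; }
    [ "$(count_chars "$pw" '[:digit:]')" -ge 1 ] || { echo "needs a digit (dcredit=-1)"; fail=1; }
    [ "$(count_other "$pw")" -ge 1 ]             || { echo "needs a special character (ocredit=-1)"; fail=1; }
    return $fail
}

# Constructed sample candidates, one per failure mode plus one that passes.
for candidate in 'password' 'Passw0rd' 'P@ss1' 'Tr0ub4dor&3'; do
    if check_password "$candidate" >/dev/null; then
        echo "ACCEPT  $candidate"
    else
        echo "REJECT  $candidate: $(check_password "$candidate" | tr '\n' ';')"
    fi
done
```

The script only reproduces the length and class rules; the real module also rejects dictionary words, palindromes and passwords too similar to the old one, so a candidate passing here can still be refused by PAM.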
The next location is `/etc/login.defs`, which holds the password aging controls:

```
# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
PASS_MAX_DAYS	90
PASS_MIN_DAYS	0
PASS_MIN_LEN	8
PASS_WARN_AGE	7
```

`PASS_MIN_LEN` is also set here, matching the `minlen=8` in PAM. Since we have been given some latitude on when to warn users, we have chosen to warn users seven days prior to expiration. But our last item is curiously missing. Where do we set up the accounts so that after 97 days the account is locked out and requires a system administrator to unlock?
Believe it or not, `useradd` controls the initial locking of an account. Issuing a `useradd -D` will show you the current default parameters that are used when `useradd` is invoked:

```
[root@host ~]# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
```
The `INACTIVE=-1` entry defines when an account will be deactivated. Inactive is defined as the "number of days after a password has expired before the account will be disabled." Our requirements state that the account should be disabled seven days after password expiration (day 97, given the 90-day maximum). To set this we can either run:

```
useradd -D -f 7
```

or edit `/etc/default/useradd` and change the
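Because the aging values live in two different files, it is easy for one of them to drift back to the stock defaults. The following added example (not from the original post) is a small audit script that reads `/etc/login.defs`-style `KEY value` lines and `/etc/default/useradd`-style `KEY=value` lines and reports any value that does not match the policy derived above (`PASS_MAX_DAYS 90`, `PASS_MIN_LEN 8`, `PASS_WARN_AGE 7`, `INACTIVE=7`). The two "before" and "after" file pairs are constructed samples written to a temporary directory; point the functions at the real files to audit a host.

```shell
# Added example: audit login.defs and useradd defaults against the policy.
# Assumed policy mapping: PASS_MAX_DAYS=90, PASS_MIN_LEN=8, PASS_WARN_AGE=7, INACTIVE=7.

# defs_value FILE KEY: value of the last uncommented "KEY value" line (login.defs style)
defs_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# kv_value FILE KEY: value of the last "KEY=value" line (/etc/default/useradd style)
kv_value() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# audit_aging LOGIN_DEFS USERADD_DEFAULTS: prints each deviation, returns 0 if compliant
audit_aging() {
    defs=$1; uadd=$2; bad=0
    for spec in PASS_MAX_DAYS:90 PASS_MIN_LEN:8 PASS_WARN_AGE:7; do
        key=${spec%%:*}; want=${spec#*:}
        got=$(defs_value "$defs" "$key")
        if [ "$got" != "$want" ]; then
            echo "$defs: $key is '${got:-unset}', policy requires $want"; bad=1
        fi
    done
    got=$(kv_value "$uadd" INACTIVE)
    if [ "$got" != "7" ]; then
        echo "$uadd: INACTIVE is '${got:-unset}', policy requires 7"; bad=1
    fi
    return $bad
}

# Constructed samples: stock-looking defaults ("before") and the hardened files ("after").
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/login.defs.before" <<'EOF'
# PASS_MAX_DAYS   Maximum number of days a password may be used.
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
cat > "$SAMPLE_DIR/login.defs.after" <<'EOF'
# PASS_MAX_DAYS   Maximum number of days a password may be used.
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7
EOF
cat > "$SAMPLE_DIR/useradd.before" <<'EOF'
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
EOF
cat > "$SAMPLE_DIR/useradd.after" <<'EOF'
GROUP=100
HOME=/home
INACTIVE=7
EXPIRE=
SHELL=/bin/bash
EOF

for state in before after; do
    if audit_aging "$SAMPLE_DIR/login.defs.$state" "$SAMPLE_DIR/useradd.$state"; then
        echo "$state: compliant"
    else
        echo "$state: NOT compliant"
    fi
done
```

Commented lines are skipped because awk compares the whole first field, so `# PASS_MAX_DAYS` and `#PASS_MAX_DAYS` never match a key. Remember that these two files only shape accounts created from now on; accounts that already exist keep the aging values they were created with.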
In the next installment I’ll show you how to make our modifications effective on existing user accounts…