Born2beroot

Tip

To exit the virtual machine and return to your original machine, press the control key on Mac and right ctrl on Windows.

Mandatory part

You must choose as an operating system either the latest stable version of Debian (no testing/unstable), or the latest stable version of Rocky. Debian is highly recommended if you are new to system administration. In this example, we are going to use Debian because it's easier.

Download the debian-xx.x.x-amd64-netinst.iso file from here.

  1. Create a VM for your project inside VirtualBox.

  1. Name your VM anything you want, and for the Folder: field, select the goinfre folder. It will automatically choose your user's folder. You have to do this because every student gets 10GB of storage on the server, and the goinfre folder uses local storage, which is necessary as we require more than 10GB. Leave ISO Image empty.

  1. Select 1GB of RAM (it should be enough).
  2. Select 30.8 GB of disk space for the simple BONUS part, where we are going to set up partitions, and leave VDI as the hard disk type. Then press Finish.
  3. Settings -> Storage -> Controller (Empty) -> Optical drive -> Choose a disk file... Then select the debian.iso file you just downloaded and press OK.
  4. After all that, you can finally start your virtual machine. You should also change the display size if you want to see anything.
  5. Select "Install".
  6. Select your language.
  7. Select your location. If your location is not listed, select other, then the continent, and you will find it!
  8. This instruction is from the subject.pdf file, so name your hostname accordingly.
    The hostname of your virtual machine must be your login ending with 42 (e.g., wil42). You will have to modify this hostname during your evaluation.
  9. Skip the domain name.
  10. Choose your root password. Write it down, you will need it later!
  11. Re-enter your password.
  12. Now, you need to create an additional user, as suggested in the subject.pdf. This user should have the same username as your intra username, but this time without adding 42, unlike what we did with the hostname.
    In addition to the root user, a user with your login as username has to be present.
  13. Create a password for the user you are setting up. For simplicity, you can use the same password as you did for root.
  14. Re-enter the password.
  15. Select the partition.
  16. Select Yes.
  17. Select FREE SPACE to configure.
  18. Create a new partition.
  19. First you have to create a primary partition for boot.
  20. Select Primary.
  21. Select Beginning.
  22. Select Mount point. "Use as: Ext4 journaling file system" should be automatically selected.
  23. Select /boot.
  24. Select Done setting up the partition.
  25. Select Create a new partition.
  26. Write max. This takes all the available space that is left; you will create the encrypted partition in it later.
  27. Select Logical.
  28. Select Mount point.
  29. Select Do not mount it.
  30. Select Done setting up the partition.
  31. Select Configure encrypted volumes.
  32. Select Yes.
  33. Select Create encrypted volumes.
  34. Select the second partition, /dev/sda5, and press ENTER. First you have to encrypt the partition; later we are going to partition the encrypted drive like in the example of the bonus part.
  35. Click Yes to confirm it.
  36. Remember this passphrase, as you will need it every time you run your VM! The best advice is to write it down.
  37. Confirm your passphrase.
  38. Select Configure the Logical Volume Manager.
  39. Select Yes.
  40. Select Create Volume group.
  41. Write LVMGroup (like in the bonus example part).
  42. Select Create logical volume.
  43. Select the "Volume group" we just created, LVMGroup.
  44. The first volume you have to create is root, so write root.
  45. Set root to be 10G.
  46. Select Create logical volume.
  47. Select LVMGroup.
  48. The next volume you have to create is swap, so write swap.
  49. Set swap to be 2.3G.
  50. Select Create logical volume.
  51. Select LVMGroup.
  52. The next volume you have to create is home, so write home.
  53. Set home to be 5G.
  54. Select Create logical volume.
  55. Select LVMGroup.
  56. The next volume you have to create is var, so write var.
  57. Set var to be 3G.
  58. Select Create logical volume.
  59. Select LVMGroup.
  60. The next volume you have to create is srv, so write srv.
  61. Set srv to be 3G.
  62. Select Create logical volume.
  63. Select LVMGroup.
  64. The next volume you have to create is tmp, so write tmp.
  65. Set tmp to be 3G.
  66. Select Create logical volume.
  67. Select LVMGroup.
  68. The next volume you have to create is var-log, so write var-log.
  69. Set var-log to be 4G.
  70. Select Finish.
  71. First you have to configure the home partition. Select it.
  72. Select Use as:.
  73. Select Ext4 journaling file system.
  74. Select Mount point:.
  75. Select /home.
  76. Select Done setting up the partition.
  77. Now you have to set up root. Select it.
  78. Select Use as:.
  79. Select Ext4 journaling file system.
  80. Select Mount point:.
  81. Select the first option, / - the root file system.
  82. Select Done setting up the partition.
  83. Now you need to configure srv. Select it.
  84. Select Use as:.
  85. Select Ext4 journaling file system.
  86. Select Mount point:.
  87. Select /srv.
  88. Select Done setting up the partition.
  89. Now you need to configure swap. Select it.
  90. Select Use as:.
  91. Select swap area.
  92. Select Done setting up the partition.
  93. Now you need to configure tmp. Select it.
  94. Select Use as:.
  95. Select Ext4 journaling file system.
  96. Select Mount point:.
  97. Select /tmp.
  98. Select Done setting up the partition.
  99. Now you need to configure var. Select it.
  100. Select Use as:.
  101. Select Ext4 journaling file system.
  102. Select Mount point:.
  103. Select /var.
  104. Select Done setting up the partition.
  105. Now you need to configure var-log. Select it.
  106. Select Use as:.
  107. Select Ext4 journaling file system.
  108. Select Mount point:.
  109. Select Enter manually.
  110. Write /var/log.
  111. Select Done setting up the partition.
  112. Select Yes.
  113. Select No.
  114. Select a region that is close to you.
  115. Select deb.debian.org.
  116. Leave it empty and select Continue.
  117. Select No.
  118. Deselect everything and press Continue.
  119. Select Yes.
  120. Here you have to install the GRUB boot loader. Select the available drive.
  121. Select Continue to finish the installation.
  122. Log in to the machine and run the command lsblk. The partition sizes are not identical, but we don't care about size; we only care about the structure.

⚙️ Configurations

SUDO

  1. Type su - to log in as the root user. You will be asked to provide the root password. If you were successful, your username will be changed to root@your_host_name.

  2. Type apt-get update.

    What is "apt-get update"?

    This command refreshes the local package index, which is essentially a catalog of available software packages. It fetches the latest information about the versions of packages available in the repositories. However, it doesn't make any changes to the actual software on your system.

  3. Type apt-get upgrade -y (the -y flag means that you confirm that additional disk space will be used to install the upgrades).

    What is "apt-get upgrade"?

    This command, when executed after apt-get update, looks at the local package index to determine if there are newer versions of the packages currently installed on your system. If it finds newer versions, it then downloads and installs those updates. The upgrade process ensures that your installed software is brought up to the latest available versions.

  4. To install sudo, type apt install sudo

    What is "sudo"?

    sudo is a tool on your computer that grants you temporary superpowers for specific tasks. It's like having a key to unlock special doors when needed. When you use sudo, you're saying, "I need to do something important, and I have permission." Imagine it as having a special key that fits only one lock—the door to that particular task. Once you've completed that task, the temporary key disappears, ensuring that regular users can't accidentally or intentionally make big changes. These permissions are defined in a rule book called "/etc/sudoers." By default, the first person who sets up the computer has these permissions, and others can be given them later. So, sudo is a security measure, akin to having a special key that opens certain doors only when necessary, and only for those who should have access.

  5. Type usermod -aG sudo your_username.

    What is "usermod"?

    usermod is the tool used to modify user account properties. The -aG flags are options for "append" and "groups," indicating that we want to add the user to additional groups without removing them from existing ones. In this case, we are adding the user to the sudo group, which is typically associated with administrative or superuser privileges. Replace your_username with the actual username of the user you want to grant these privileges to. This command effectively empowers the specified user to perform administrative tasks using the sudo command. It's a concise way to enhance a user's access and control on the system.

  6. To check if it worked, type getent group sudo. Your user should be in the list.

    What is "getent"?

    getent means "get entries", so getent group sudo means: get information about the group named sudo.

  7. Now we have to add our user to the sudoers file so that it can use sudo. The safe and correct way to do it is to use the visudo command. Just type visudo in the terminal. Scroll down and, after "#User privilege specification", add your user with all privileges.

    • When you are done, press "control + x" (or "ctrl + x" on Windows), then press "y" and then press "Enter" to save it.

    What is "var1=(var2:var3) var4 aka ALL=(ALL:ALL) ALL"?

    var1: This part specifies from where the user is allowed to execute commands with sudo.

    • Examples:
      • localhost: Allows the user to run commands with sudo only on the local machine.
        your_username localhost=(ALL:ALL) ALL
      • IP Address (e.g., 192.168.0.1): Allows the user to run commands with sudo only from the machine with the specified IP address.
        your_username 192.168.0.1=(ALL:ALL) ALL
      • Hostname from the Same Network (e.g., myserver): Allows the user to run commands with sudo only from the machine with the specified hostname on the same network.
        your_username myserver=(ALL:ALL) ALL
      • Specific Network (e.g., 192.168.0.0/24): Allows the user to run commands with sudo only from machines in the specified network range.
        your_username 192.168.0.0/24=(ALL:ALL) ALL
      • Any Host (using ALL): Allows the user to run commands with sudo from any host.
        your_username ALL=(ALL:ALL) ALL

    (var2:var3) (Run As User:Run As Group): This part specifies which user and group the allowed commands can be run as.

    • Examples:
      • (ALL:ALL): Allows the user to run commands with sudo as any user and any group.
        user1 ALL=(ALL:ALL) ALL
      • (john:admin): Allows the user to run commands with sudo as the user "john" and the group "admin."
        alice ALL=(john:admin) ALL
      • (:www-data): Allows the user to run commands with sudo with the group set to "www-data," but as any user.
        bob ALL=(:www-data) ALL
      • (ALL:admin): Allows the user to run commands with sudo as any user but with the group set to "admin."
        charlie ALL=(ALL:admin) ALL
      • ( : ): Allows the user to run commands with sudo without specifying a particular user or group.
        user2 ALL=(:) ALL

    var4: This part specifies the commands or operations the user is allowed to run with sudo.

    • Examples:
      • /usr/bin/apt-get: Allows the user to run only the apt-get command with sudo.
        bob ALL=(ALL:ALL) /usr/bin/apt-get
      • /bin/ls: Allows the user to run only the ls command with sudo.
        alice ALL=(ALL:ALL) /bin/ls
      • /sbin/reboot: Allows the user to run only the reboot command with sudo.
        charlie ALL=(ALL:ALL) /sbin/reboot
      • /bin/chown, /usr/bin/apt-get: Specifies that John can run the chown command and the apt-get command with sudo.
        john ALL=(root:admin) /bin/chown, /usr/bin/apt-get
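
The four parts described above can be pulled out of real rule lines and used to review who holds unrestricted root. This is an added example, not part of the original guide: the sample rules are constructed from the examples above (the dave line is invented to show a rule with no Run As part, which sudo treats as root), and parse_sudoers and full_root_rules are hypothetical helper names.

```sh
#!/bin/sh
# Added example: split sudoers user specifications into the four parts
# described above and list who may run every command as root.

# Constructed sample, built from the example rules in this guide.
# The "dave" line is invented: it has no (Run As) part at all.
sample_sudoers() {
cat <<'EOF'
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# User privilege specification
root    ALL=(ALL:ALL) ALL
your_username ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
john ALL=(root:admin) /bin/chown, /usr/bin/apt-get
bob ALL=(:www-data) ALL
charlie ALL=(ALL:ALL) /sbin/reboot
dave ALL=ALL
EOF
}

# Read sudoers text on stdin and print one line per rule:
#   who|host|runas_user|runas_group|commands
# Comments, Defaults and *_Alias lines are dropped. A rule without a
# (Run As) part is normalised to (root), which is sudo's default.
# Line continuations and tags such as NOPASSWD: are not handled.
parse_sudoers() {
    sed -nE \
        -e '/^[[:space:]]*(#|Defaults|[A-Za-z]+_Alias)/d' \
        -e 's/[[:space:]]+$//' \
        -e 's/^([^=]*=)[[:space:]]*([^([:space:]])/\1(root) \2/' \
        -e 's/^[[:space:]]*([^[:space:]]+)[[:space:]]+([^=[:space:]]+)[[:space:]]*=[[:space:]]*\(([^:)]*)(:([^)]*))?\)[[:space:]]*(.*)$/\1|\2|\3|\5|\6/p'
}

# Print every subject that may run ALL commands with root (or ALL) as the
# Run As user. "(:group)" leaves runas_user empty, so bob is not counted;
# john and charlie are limited to named commands.
full_root_rules() {
    parse_sudoers | awk -F'|' \
        '$5 == "ALL" && $3 ~ /(^|, *)(ALL|root)( *,|$)/ { print $1 }'
}

# Review the constructed sample: these are the rules to justify first.
sample_sudoers | full_root_rules
```

On the VM, `sudo cat /etc/sudoers | full_root_rules` runs the same review on the real file, and `sudo -l -U your_username` shows what sudo itself resolves for one account.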

SSH

  1. Type sudo apt install openssh-server to enable SSH on the server. Enter your password when prompted, then press y to continue the installation.

  2. Type sudo systemctl status ssh to confirm that the SSH service is running.

  3. Type sudo nano /etc/ssh/sshd_config to edit the port we are going to use for SSH.

  4. Change #Port 22 to Port 4242.

  5. Press command + x (or ctrl + x on Windows), then press y and then Enter to save it.

  6. Now we need to restart the SSH service so our changes take effect. Type sudo service ssh restart.

  7. Type sudo systemctl status ssh to see that everything is correct and we are running on port 4242.

  8. If the port did not change, start again from step 2.

  9. Now we need to open port 4242 on the VM. Turn off the server and click Settings -> Network -> Port Forwarding.

  10. Click the "New rule" button and change Host Port and Guest Port to 4242.

  11. When you are done, save your changes and start the server again. Type sudo service sshd status to check if the SSH service is running.

  12. Open iTerm terminal (a normal terminal did not work for me) on your main machine and type ssh your_username@127.0.0.1 -p 4242 or ssh your_username@localhost -p 4242 to connect to your server via SSH.

UFW

  1. As per the PDF document provided, we have to install UFW. For this, type:
    sudo apt-get install ufw -y

    What is "UFW"?

    UFW (Uncomplicated Firewall) is a firewall management tool for Linux. It is not a standalone firewall but rather a user-friendly interface that simplifies the process of configuring and managing the underlying netfilter firewall, which is part of the Linux kernel.
    With UFW, users can easily define rules to allow or deny specific types of network traffic, such as allowing traffic on certain ports or blocking traffic from specific IP addresses. UFW translates these user-configured rules into the format understood by the netfilter firewall, making it more accessible for users who may not be familiar with the intricacies of manual firewall configurations using the command line.
    So, in essence, UFW acts as a convenient layer on top of the Linux netfilter firewall, providing an easier way for users to interact with and control their system's firewall settings.

  2. Type sudo ufw enable to activate UFW.

  3. Type sudo ufw status to check the status of UFW.

  4. Now we have to allow incoming connections to the SSH service through the firewall. Type sudo ufw allow ssh

  5. We also need to open port 4242, as per the subject instructions. Type sudo ufw allow 4242

  6. Type ufw-status-finish
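
The SSH and UFW steps above leave two things to verify: which ports sshd is configured to listen on, and whether the firewall's openings match them (`ufw allow ssh` opens 22/tcp, which sshd no longer uses after the move to 4242). This is an added example, not part of the original guide; both inputs are constructed samples and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: compare the ports sshd listens on with the ports UFW allows.

# Constructed sample: /etc/ssh/sshd_config after step 4 of the SSH section.
sample_sshd_config() {
cat <<'EOF'
# This is the sshd server system-wide configuration file.
Include /etc/ssh/sshd_config.d/*.conf

#Port 22
Port 4242
#AddressFamily any
#PermitRootLogin prohibit-password
EOF
}

# Constructed sample: `ufw status` output after steps 4 and 5 of the UFW section.
sample_ufw_status() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
4242                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
4242 (v6)                  ALLOW       Anywhere (v6)
EOF
}

# Print every port sshd will listen on according to the config on stdin.
# Commented lines are ignored, keywords are case-insensitive, and sshd
# accepts several Port lines; with none present it falls back to 22.
# Files pulled in by Include are not followed here.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }'
}

# Print the numeric ports that `ufw status` (on stdin) allows in, one per
# line, with the IPv4 and IPv6 copies of a rule collapsed into one entry.
ufw_allowed_ports() {
    awk '/ALLOW/ { split($1, a, "/")
                   if (a[1] ~ /^[0-9]+$/ && !seen[a[1]]++) print a[1] }'
}

# $1 = sshd ports, $2 = UFW ports (whitespace-separated lists).
# Reports firewall openings sshd does not use, and sshd ports that the
# firewall would block (which locks you out of SSH).
compare_ssh_firewall() {
    sshd_list=" $(echo $1) "
    ufw_list=" $(echo $2) "
    for p in $2; do
        case "$sshd_list" in *" $p "*) ;; *) echo "allowed-but-not-sshd $p" ;; esac
    done
    for p in $1; do
        case "$ufw_list" in *" $p "*) ;; *) echo "sshd-port-not-allowed $p" ;; esac
    done
}

# With the samples above this reports the leftover opening for port 22.
compare_ssh_firewall "$(sample_sshd_config | sshd_ports)" \
                     "$(sample_ufw_status | ufw_allowed_ports)"
```

On the VM the same functions take live input: `sudo sshd -T | sshd_ports` prints the effective ports, including anything set through Include files, and `sudo ufw status | ufw_allowed_ports` lists the openings.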

Questions you have to answer during evaluation:

  • How a virtual machine works.
    • A virtual machine (VM) is like a computer simulator. It's software that acts as a copycat of a physical computer, allowing you to run multiple operating systems on a single actual computer. The main idea is to hide the details of the computer's hardware and create a separate space where different operating systems can do their thing without interfering with each other. What's neat is that you can also decide how much of the computer's resources (like processing power and memory) you want to assign to each virtual machine.
  • Their choice of operating system.
    • You can simply say that you chose Debian because, in the subject, it was mentioned to be easier.
  • The basic differences between Rocky and Debian.
    • Debian, known for its stability and expansive software repositories (meaning, that Debian has a lot of different programs and apps ready for you to use. It's like a big collection of tools and software that you can easily get and install on your computer when you need them. So, Debian is like a treasure chest full of programs you can choose from for whatever you want to do on your computer.), is a versatile operating system with a strong community and a rich history. It offers a wide range of applications and packages, making it suitable for various computing needs. Debian's reputation for reliability and its open-source nature contribute to its popularity among users seeking a dependable and flexible operating system. In contrast, Rocky Linux serves as a free, open-source substitute for Red Hat Enterprise Linux, emphasizing stability and security for enterprise use. The significance of Red Hat compatibility lies in the fact that many businesses rely on applications and standards specifically designed for Red Hat systems. Choosing Rocky Linux provides a cost-effective way for organizations to maintain compatibility with Red Hat without the associated expenses, making it a practical choice for businesses with a Red Hat-oriented IT environment.
  • The purpose of virtual machines.
    • A virtual machine is like a computer inside your computer. It helps you do different things on your computer by creating a special space. This space acts like a separate computer, running its own programs and system. The main idea is to let you use various software or even different operating systems on one computer. For example, you can have a Windows virtual machine on a computer that mostly uses Linux. It's like having different computers in one, making things more flexible and letting you use diverse software without any problems.
  • If the evaluated student chose Debian: the difference between aptitude and apt, and what AppArmor is.
    • In Debian Linux, both Aptitude and Apt serve as tools for managing software packages, helping with tasks like installing, upgrading, and removing programs. Aptitude stands out with its text-based interface and advanced features that handle package dependencies and conflicts. On the other hand, Apt, short for "Advanced Package Tool," is a command-line tool known for its user-friendly approach to package management, making tasks like resolving dependencies straightforward. Apt, considered more accessible than its predecessor apt-get, efficiently automates package management for Debian-based systems while offering simplicity in its design.
    • AppArmor acts as a permissions and access control tool specifically designed for programs or applications on a Linux system. It defines and enforces policies that dictate what resources (like files, directories, and network services) a particular program is allowed to access and what operations it can perform. By setting up these security profiles, AppArmor helps to minimize the potential damage that could occur if a program were compromised or if it unintentionally tries to access or modify sensitive parts of the system. It's an additional layer of security that complements other security measures on a Linux system. Essentially, AppArmor enhances the control over the actions of individual programs, contributing to overall system security.
  • The student being evaluated must first explain the value and operation of sudo using examples of their choice.
    • sudo is a command-line tool that acts as a privilege escalation tool in Unix-like operating systems, including Linux. If your user is part of the sudo group and is listed in the sudoers file, you can use sudo to perform administrative tasks or tasks that require elevated privileges. Typical administrative tasks include updating the system, installing or removing software, modifying system configurations, and other actions that regular users don't have permission to do by default. The use of sudo helps maintain security by allowing specific users to temporarily gain superuser privileges for authorized actions, without having to log in as the root user all the time.
    • Logging in as the root user is discouraged because it grants unrestricted access and control over the entire system. When logged in as root, any command or action, intentional or accidental, can significantly impact the stability and security of the system. It increases the risk of making critical mistakes, such as deleting essential system files or installing malicious software without any barriers. The principle of least privilege recommends avoiding constant root access and instead using tools like sudo to grant elevated privileges only when necessary, promoting a more controlled and secure computing environment.
  • The student being evaluated must be able to explain to you basically what SSH is and the value of using it.

Project overview

  • The student being evaluated should explain to you simply:
    • How a virtual machine works.
    • Their choice of operating system.
    • The basic differences between Rocky and Debian.
    • The purpose of virtual machines.
    • If the evaluated student chose Rocky: what SELinux and DNF are.
    • If the evaluated student chose Debian: the difference between aptitude and apt and what AppArmor is. During the defense, a script must display information every 10 minutes. Its operation will be checked in detail later.

Simple setup

  • Ensure that the machine does not have a graphical environment at launch. A password will be requested before attempting to connect to this machine. Finally, connect with a user with the help of the student being evaluated. This user must not be root. Pay attention to the password chosen, it must follow the rules imposed in the subject.
  • Check that the UFW service is started with the help of the evaluator.
  • Check that the SSH service is started with the help of the evaluator.
  • Check that the chosen operating system is Debian or Rocky with the help of the evaluator.

User

  • The subject requests that a user with the login of the student being evaluated is present on the virtual machine. Check that it has been added and that it belongs to the "sudo" and "user42" groups.
  • Make sure the rules imposed in the subject concerning the password policy have been put in place by following the following steps. First, create a new user. Assign it a password of your choice, respecting the subject rules. The student being evaluated must now explain to you how they were able to set up the rules requested in the subject on their virtual machine. Normally there should be one or two modified files. If there is any problem, the evaluation stops here.
  • Now that you have a new user, ask the student being evaluated to create a group named "evaluating" in front of you and assign it to this user. Finally, check that this user belongs to the "evaluating" group.
  • Finally, ask the student being evaluated to explain the advantages of this password policy, as well as the advantages and disadvantages of its implementation. Of course, answering that it is because the subject asks for it does not count.

Hostname and partitions

  • Check that the hostname of the machine is correctly formatted as follows: login42 (login of the student being evaluated).
  • Modify this hostname by replacing the login with yours, then restart the machine. If on restart, the hostname has not been updated, the evaluation stops here.
  • You can now restore the machine to the original hostname.
  • Ask the student being evaluated how to view the partitions for this virtual machine.
  • Compare the output with the example given in the subject. Please note: if the student evaluated makes the bonuses, it will be necessary to refer to the bonus example. This part is an opportunity to discuss the scores! The student being evaluated should give you a brief explanation of how LVM works and what it is all about.

SUDO

  • Check that the "sudo" program is properly installed on the virtual machine.
  • The student being evaluated should now show assigning your new user to the "sudo" group.
  • The subject imposes strict rules for sudo. The student being evaluated must first explain the value and operation of sudo using examples of their choice. In a second step, it must show you the implementation of the rules imposed by the subject.
  • Verify that the "/var/log/sudo/" folder exists and has at least one file. Check the contents of the files in this folder. You should see a history of the commands used with sudo. Finally, try to run a command via sudo. See if the file(s) in the "/var/log/sudo/" folder have been updated.

UFW / Firewalld

  • Check that the "UFW" (or "Firewalld" for Rocky) program is properly installed on the virtual machine.
  • Check that it is working properly.
  • The student being evaluated should explain to you basically what UFW (or Firewalld) is and the value of using it.
  • List the active rules in UFW (or Firewalld). A rule must exist for port 4242.
  • Add a new rule to open port 8080. Check that this one has been added by listing the active rules.
  • Finally, delete this new rule with the help of the student being evaluated.
  • Verify that the SSH service only uses port 4242.
  • The student being evaluated should help you use SSH in order to log in with the newly created user. To do this, you can use a key or a simple password. It will depend on the student being evaluated. Of course, you have to make sure that you cannot use SSH with the "root" user as stated in the subject.

Script monitoring

The student being evaluated should explain to you simply:

  • How their script works by showing you the code.
  • What "cron" is.
  • How the student being evaluated set up their script so that it runs every 10 minutes from when the server starts. Once the correct functioning of the script has been verified, the student being evaluated should ensure that this script runs every minute. You can run whatever you want to make sure the script runs with dynamic values correctly. Finally, the student being evaluated should make the script stop running when the server has started up, but without modifying the script itself. To check this point, you will have to restart the server one last time. At startup, it will be necessary to check that the script still exists in the same place, that its rights have remained unchanged, and that it has not been modified.

Bonus

Check, with the help of the subject and the student being evaluated, the bonus points authorized for this project:

  • Setting up partitions is worth 2 points.
  • Setting up WordPress, only with the services required by the subject, is worth 2 points.
  • The free choice service is worth 1 point. Verify and test the proper functioning and implementation of each extra service. For the free choice service, the student being evaluated has to give you a simple explanation about how it works and why they think it is useful. Please note that NGINX and Apache2 are prohibited.

Questions from evaluation.

You should be able to explain:

  • How a virtual machine works.
  • Your choice of operating system.
  • The basic differences between Rocky and Debian.
  • The purpose of virtual machines.
  • If you chose Rocky: what SELinux and DNF are.
  • If you chose Debian: the difference between aptitude and apt, and what AppArmor is.

What will be checked during the evaluation.

  • Ensure that the machine does not have a graphical environment at launch.
  • A password will be requested before attempting to connect to this machine. Finally, connect with a user with the help of the student being evaluated. This user must not be root. Pay attention to the password chosen, it must follow the rules imposed in the subject.
  • Check that the UFW service is started with the help of the evaluator.
  • Check that the SSH service is started with the help of the evaluator.
  • Check that the chosen operating system is Debian or Rocky with the help of the evaluator.
  • The user with your intra username has to be present on the virtual machine and it should belong to the sudo and user42 groups.
  • Check if password policy rules have been put in place for every user.

Evaluation process

SSH:

Password policy:

Requirements from the subject:

  • Password has to expire every 30 days.
  • After changing the password, users are required to wait for a minimum of 2 days before making any further modifications.
  • The user has to receive a warning message 7 days before their password expires.
  • The password must be 10 characters long and include at least one uppercase letter, one lowercase letter, and one number. Additionally, it must not contain more than 3 consecutive identical characters.
  • The password must not include the name of the user.
  • The following rule does not apply to the root password: The password must have at least 7 characters that are not part of the former password.
  • Your root password has to comply with this policy.

For the first 3, we have to modify /etc/login.defs: sudo nano /etc/login.defs

Change the Password aging controls:
PASS_MAX_DAYS - 30 (Maximum number of days a password may be used.)
PASS_MIN_DAYS - 2 (Minimum number of days allowed between password changes.)
PASS_WARN_AGE - 7 (Number of days warning given before a password expires.)
Run sudo reboot to save changes.

For the other requirements we are using pam_pwquality.
To install: sudo apt-get install libpam-pwquality
To change settings: sudo nano /etc/pam.d/common-password
Line to edit: password requisite pam_pwquality.so retry=3
Change to: password requisite pam_pwquality.so retry=3 minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 maxrepeat=3 reject_username difok=7 enforce_for_root
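
The values in /etc/login.defs are only applied to accounts created afterwards; accounts that already exist (root and your own user here) keep the aging fields stored in /etc/shadow until they are changed with chage. The check below is an added example, not part of the original guide: it reads a constructed shadow sample (hashes replaced by the placeholder HASH) and prints the chage command for each password account that does not match the 30/2/7 policy. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: find accounts whose /etc/shadow aging fields do not match
# the password aging controls set in /etc/login.defs.

# Constructed sample of the edited part of /etc/login.defs.
sample_login_defs() {
cat <<'EOF'
# Password aging controls:
PASS_MAX_DAYS   30
PASS_MIN_DAYS   2
PASS_WARN_AGE   7
EOF
}

# Constructed /etc/shadow sample; HASH stands in for a real password hash.
# Fields: name:password:lastchange:min:max:warn:inactive:expire:reserved
# root and your_username were created by the installer, before the edit;
# evaluator_test was created after it.
sample_shadow() {
cat <<'EOF'
root:HASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
sshd:!:19700::::::
your_username:HASH:19700:0:99999:7:::
evaluator_test:HASH:19800:2:30:7:::
EOF
}

# Print the value of key $1 from login.defs text on stdin.
# Commented lines never match because their first field is "#".
login_defs_value() {
    awk -v key="$1" '$1 == key { value = $2 } END { print value }'
}

# $1 = max days, $2 = min days, $3 = warn days; shadow text on stdin.
# Accounts with no usable password ("*", "!" or empty) are skipped.
# For every other account whose stored min/max/warn fields differ, print
# the chage command that brings it in line with the policy.
aging_fix_commands() {
    awk -F: -v max="$1" -v min="$2" -v warn="$3" '
        $2 == "" || $2 ~ /^[!*]/ { next }
        ($4 "") != (min "") || ($5 "") != (max "") || ($6 "") != (warn "") {
            printf "chage -M %s -m %s -W %s %s\n", max, min, warn, $1
        }'
}

# Take the policy from login.defs and report what the shadow sample needs.
max=$(sample_login_defs | login_defs_value PASS_MAX_DAYS)
min=$(sample_login_defs | login_defs_value PASS_MIN_DAYS)
warn=$(sample_login_defs | login_defs_value PASS_WARN_AGE)
sample_shadow | aging_fix_commands "$max" "$min" "$warn"
```

On the VM, `sudo cat /etc/shadow | aging_fix_commands 30 2 7` lists the accounts to fix, and `sudo chage -l your_username` confirms the result for one account.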