
PAM Module

@trimstray edited this page Feb 24, 2019 · 30 revisions




PAM Module

Linux-PAM is a library that lets the local system administrator choose how individual applications authenticate users. It exposes multiple low-level authentication schemes through a single high-level application programming interface (API), so applications do not have to implement those schemes themselves.

Before starting this chapter, please read the official RHEL documentation: Using Pluggable Authentication Modules (PAM).

Password hashing algorithm

Rationale

The most widely used hashes today are the SHA-256 and SHA-512 based ones, sha256crypt and sha512crypt, which are similar in structure to md5crypt but support a variable number of iterations. They are marked with $5$ and $6$ respectively. sha512crypt ($6$) is what RedHat/CentOS and Debian (and most modern distributions in general) currently use by default.

Solution

Set the password hashing algorithm used for /etc/shadow
# C2S/CIS: CCE-27104-9 (Medium)

password  sufficient  pam_unix.so sha512 shadow nullok try_first_pass use_authtok
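Note that the pam_unix.so option above only affects passwords set from now on; hashes already stored in /etc/shadow keep their old algorithm until the user changes their password. The following POSIX shell script is an added example (not code from this guide or from Linux-PAM) that reads a shadow-format file, names the crypt(3) algorithm behind each hash from its $id$ prefix, and counts the accounts that are not yet on sha512crypt. The function names and the sample entries are mine; the sample hashes are constructed and not real.

```shell
#!/bin/sh
# Added example, not code from the guide: classify the crypt(3) hash of every
# account in a shadow-format file and count the ones that are not sha512crypt.
# The sample file below is constructed (the hashes are not real); on a host,
# run as root:  audit_shadow_hashes /etc/shadow

# Map the crypt(3) id prefix of a shadow hash field to an algorithm name.
hash_algo() {
    case "$1" in
        '$6$'*)                        echo sha512crypt ;;
        '$5$'*)                        echo sha256crypt ;;
        '$1$'*)                        echo md5crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*)       echo bcrypt ;;
        '$y$'*)                        echo yescrypt ;;
        '!'*|'*'|'')                   echo locked-or-empty ;;  # no usable hash
        *)                             echo descrypt-or-unknown ;;
    esac
}

# Print "user algorithm" for each entry of a shadow-format file ($1).
classify_shadow() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(hash_algo "$hash")"
    done < "$1"
}

# Number of entries whose hash is neither sha512crypt nor locked/empty.
weak_hash_count() {
    classify_shadow "$1" |
        awk '$2 != "sha512crypt" && $2 != "locked-or-empty" { n++ } END { print n + 0 }'
}

# Human-readable report; returns 1 when at least one weak hash is present.
audit_shadow_hashes() {
    classify_shadow "$1" | while read -r user algo; do
        printf '%-12s %s\n' "$user" "$algo"
    done
    n=$(weak_hash_count "$1")
    echo "accounts not using sha512crypt: $n"
    [ "$n" -eq 0 ]
}

# Constructed sample in /etc/shadow layout (user:hash:lastchg:min:max:warn:::).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$6$rounds=656000$notarealsalt$NotARealHashAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:17900:0:99999:7:::
alice:$5$notarealsalt$NotARealHashBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:17900:0:99999:7:::
bob:$1$notareal$NotARealHashCCCCCCCCCCCC:17900:0:99999:7:::
daemon:*:17900:0:99999:7:::
svc:!!:17900:0:99999:7:::
EOF

audit_shadow_hashes "$SAMPLE" || echo "the accounts above will only move to sha512crypt on their next password change"
```

On the constructed sample the report lists alice (sha256crypt) and bob (md5crypt) as the two accounts to follow up on; root is already on $6$, and daemon and svc are locked system accounts with no usable hash. Accounts flagged this way can be forced through a password change (for example by expiring the password with chage) once the pam_unix.so line carries sha512.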

Policies

C2S/CIS: CCE-27104-9 (Medium)

Useful resources

Failed password attempts

Rationale

This option provides the capability to lock out user accounts after a number of failed login attempts.

Locking out user accounts also presents the risk of a denial-of-service attack: anyone who can reach the login prompt can lock a legitimate user out simply by failing the configured number of attempts against that user name.

Solution

Set lockout time

Edit the auth section (and, for the last line below, the account section) of both /etc/pam.d/system-auth and /etc/pam.d/password-auth:

# C2S/CIS: CCE-26884-7 (Medium), CCE-27350-8 (Medium)

# Add the following line immediately before the pam_unix.so
auth required pam_faillock.so preauth silent deny=5 unlock_time=900 fail_interval=900

# Add the following line immediately after the pam_unix.so
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900 fail_interval=900

# Add the following line immediately before the pam_unix.so
account required pam_faillock.so

Policies

C2S/CIS: CCE-26884-7 (Medium); CCE-27350-8 (Medium)

Comments

If you want, you can use a more restrictive configuration (I personally prefer this one):

auth required pam_faillock.so preauth silent deny=3 unlock_time=1800 fail_interval=900

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=1800 fail_interval=900

Other guides recommend setting the FAILLOG_ENAB and FAIL_DELAY parameters in the /etc/login.defs configuration file. This is not a correct solution, because login.defs is no longer consulted by login, su and passwd on a PAM-enabled system (see the login.defs(5) man page), unless you use pam_pwcheck.

Useful resources

Limit password reuse

Rationale

The password policy defines how soon an old password may be reused; it should not allow users to reuse their recent passwords.

Solution

Set

Edit the pam_unix.so or pam_pwhistory.so line in /etc/pam.d/system-auth:

# C2S/CIS: CCE-26923-3 (Medium)

# For the pam_unix.so:
password sufficient pam_unix.so ...existing_options... remember=5

# For the pam_pwhistory.so:
password requisite pam_pwhistory.so ...existing_options... remember=5
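Because the faillock lines, the sha512 option and the remember= option all live in the same two stack files, it is worth checking them together after editing. The following POSIX shell script is an added example (not code from this guide or from Linux-PAM) that lints a PAM stack file against the settings recommended in the "Failed password attempts" section above (preauth before pam_unix.so, authfail after it, deny at most 5, unlock_time at least 900, a pam_faillock.so account line) and in this section (sha512 on the password pam_unix.so line and remember= of at least 5 on pam_unix.so or pam_pwhistory.so). The function names, the thresholds as coded, and the two sample stack files are mine; the samples are constructed to show a compliant and a non-compliant file.

```shell
#!/bin/sh
# Added example, not code from the guide: lint a PAM stack file such as
# /etc/pam.d/system-auth against the settings recommended on this page.
#   auth:     pam_faillock.so preauth before pam_unix.so, authfail after it,
#             deny <= 5 and unlock_time >= 900 on both faillock lines
#   account:  pam_faillock.so present
#   password: pam_unix.so carries sha512, and remember=N (N >= 5) is set on
#             pam_unix.so or pam_pwhistory.so
# The two sample stacks below are constructed; on a host, run
#   lint_pam_stack /etc/pam.d/system-auth; lint_pam_stack /etc/pam.d/password-auth

# Print one "FAIL ..." line per finding, then a summary line.
lint_pam_stack() {
    awk '
    # Drop comments, collapse a bracketed control field ("[success=1 default=ignore]")
    # into one token so the module name is always $3, skip lines too short to be entries.
    { sub(/#.*/, ""); sub(/\[[^]]*\]/, "[ctl]"); if (NF < 3) next }

    function opt(key,   i) {   # value of key=... among the module options, or ""
        for (i = 4; i <= NF; i++)
            if (index($i, key "=") == 1) return substr($i, length(key) + 2)
        return ""
    }
    function bad(msg) { findings++; print "FAIL " msg }

    $1 == "auth" && $3 == "pam_unix.so"                         { unix_auth = NR }
    $1 == "auth" && $3 == "pam_faillock.so" && $4 == "preauth"  {
        preauth = NR; pa_deny = opt("deny"); pa_unlock = opt("unlock_time") }
    $1 == "auth" && $3 == "pam_faillock.so" && $4 == "authfail" {
        authfail = NR; af_deny = opt("deny"); af_unlock = opt("unlock_time") }
    $1 == "account"  && $3 == "pam_faillock.so"                 { acct = 1 }
    $1 == "password" && $3 == "pam_unix.so" {
        pw_unix = 1; remember = opt("remember")
        for (i = 4; i <= NF; i++) if ($i == "sha512") sha512 = 1 }
    $1 == "password" && $3 == "pam_pwhistory.so" { r = opt("remember"); if (r != "") remember = r }

    END {
        if (!preauth)                  bad("auth: pam_faillock.so preauth line missing")
        else if (unix_auth && preauth > unix_auth)
                                       bad("auth: preauth line must come before pam_unix.so")
        if (!authfail)                 bad("auth: pam_faillock.so authfail line missing")
        else if (unix_auth && authfail < unix_auth)
                                       bad("auth: authfail line must come after pam_unix.so")
        if (pa_deny == "" || pa_deny + 0 > 5 || af_deny == "" || af_deny + 0 > 5)
                                       bad("auth: deny must be set and <= 5 on both faillock lines")
        if (pa_unlock == "" || pa_unlock + 0 < 900 || af_unlock == "" || af_unlock + 0 < 900)
                                       bad("auth: unlock_time must be set and >= 900 on both faillock lines")
        if (!acct)                     bad("account: pam_faillock.so line missing")
        if (!pw_unix)                  bad("password: pam_unix.so line missing")
        else if (!sha512)              bad("password: pam_unix.so lacks the sha512 option")
        if (remember == "" || remember + 0 < 5)
                                       bad("password: remember= must be set and >= 5")
        print findings + 0 " finding(s)"
    }' "$1"
}

# Number of FAIL lines for a stack file (0 means it passes every check above).
pam_finding_count() { lint_pam_stack "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'; }

# Constructed samples: one following the recommended lines, one with typical mistakes.
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
#%PAM-1.0 (constructed sample matching the lines recommended above)
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=5 unlock_time=900 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=900 fail_interval=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so
session     required      pam_unix.so
EOF
cat > "$BAD" <<'EOF'
# constructed sample: preauth after pam_unix, no authfail/account lines, weak values
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so preauth silent deny=10 unlock_time=600
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so shadow nullok try_first_pass use_authtok remember=2
password    required      pam_deny.so
EOF

echo "== compliant sample ==";     lint_pam_stack "$GOOD"
echo "== non-compliant sample =="; lint_pam_stack "$BAD"
```

The ordering checks matter because pam_unix.so is usually marked sufficient: a preauth line placed after it never runs for a correct password, and an authfail line placed before it cannot see the failure it is supposed to record. On the constructed non-compliant sample the linter reports seven findings; run it against both system-auth and password-auth, since the guide's instructions apply to each file separately.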

Policies

C2S/CIS: CCE-26923-3 (Medium)

Comments

OWASP (OTG-AUTHN-007) provides a great set of password policy questions (sorry for the copy-paste, but it's really amazing):

  • What characters are permitted and forbidden for use within a password? Is the user required to use characters from different character sets such as lower and uppercase letters, digits and special symbols?
  • How often can a user change their password? How quickly can a user change their password after a previous change? Users may bypass password history requirements by changing their password 5 times in a row so that after the last password change they have configured their initial password again.
  • When must a user change their password? After 90 days? After account lockout due to excessive log on attempts?
  • How often can a user reuse a password? Does the application maintain a history of the user's previous used 8 passwords?
  • How different must the next password be from the last password?
  • Is the user prevented from using his username or other account information (such as first or last name) in the password?

Useful resources