[SOLVED] CentOS-6.x equivalent to /etc/security/policy.conf

Posted: 2016/02/10 21:09:57
by warron.french
Is there a CentOS/Linux equivalent to the Solaris 10 SPARC file /etc/security/policy.conf?

This file allows the administrator to set many system-specific security specifications.

For example, there is a variable called CRYPT_ALGORITHMS_ALLOW

Here is a real-world example:
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6; where:

1 = BSD MD5
2a = BSD Blowfish
md5 = SUN’s MD5
5 = sha-256, and of course
6 = sha-512

and if you remove 1,2a,md5 and 5 that would mean that any accounts in /etc/shadow with a $1 or $2a or $5 would not be allowed; only $6 = sha-512 would be allowed for valid password hashes on that system.

Also, in this file, among many other things you can set the CRYPT_DEFAULT variable; and on my server (as of recent changes required) I now have in that file:
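The post above describes the effect of CRYPT_ALGORITHMS_ALLOW: every $id$ prefix in /etc/shadow is checked against the allowed list. The script below is an added example (not from the thread or from Solaris/CentOS) that reproduces that check as an offline audit: it reads a policy.conf-style fragment, classifies each shadow entry by its crypt(3) identifier, and reports accounts whose hash algorithm is not on the list. The shadow lines and hash strings are constructed sample data, not real hashes.

```python
"""Audit shadow-style entries against a policy.conf-style
CRYPT_ALGORITHMS_ALLOW list (added example, not part of the thread)."""
import re

# crypt(3) identifiers as listed in the post, for readable reports.
CRYPT_IDS = {
    "1": "BSD MD5",
    "2a": "BSD Blowfish",
    "md5": "Sun MD5",
    "5": "SHA-256",
    "6": "SHA-512",
}


def parse_allowed(policy_text):
    """Return the allowed crypt ids from a policy.conf fragment.

    Accepts the form shown in the post: 'CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6;'.
    Comments (#) and a trailing ';' are ignored; returns [] if the key is absent.
    """
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("CRYPT_ALGORITHMS_ALLOW="):
            value = line.split("=", 1)[1].strip().rstrip(";")
            return [v.strip() for v in value.split(",") if v.strip()]
    return []


def hash_id(field):
    """Classify a shadow password field.

    Returns the $id$ prefix ('1', '2a', 'md5', '5', '6', ...), 'locked' for
    empty/!/!!/* fields, or 'descrypt' for a prefix-less traditional DES hash.
    """
    if field == "" or field.startswith(("!", "*")):
        return "locked"
    match = re.match(r"^\$([^$]+)\$", field)
    if match:
        return match.group(1)
    return "descrypt"


def audit(shadow_text, allowed):
    """Return [(user, crypt_id)] for accounts whose algorithm is not allowed.

    Locked accounts are skipped: they cannot authenticate with a password
    regardless of which algorithm their stored hash uses.
    """
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        user, pw_field = fields[0], fields[1]
        crypt_id = hash_id(pw_field)
        if crypt_id != "locked" and crypt_id not in allowed:
            findings.append((user, crypt_id))
    return findings


# Constructed sample data; the hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = "\n".join([
    "root:$6$saltsalt$hashhashhashhash:16800:0:99999:7:::",
    "alice:$1$oldsalt$hashhashhashhash:16800:0:99999:7:::",
    "bob:$5$saltsalt$hashhashhashhash:16800:0:99999:7:::",
    "carol:!!:16800:0:99999:7:::",
    "dave:xyAbCdEf123456:16800:0:99999:7:::",
])
# Tightened policy from the post: only $6 (SHA-512) remains allowed.
SAMPLE_POLICY = "CRYPT_ALGORITHMS_ALLOW=6;\nCRYPT_DEFAULT=6\n"

if __name__ == "__main__":
    for user, crypt_id in audit(SAMPLE_SHADOW, parse_allowed(SAMPLE_POLICY)):
        print("%s: uses %s (%s), not in allowed list"
              % (user, crypt_id, CRYPT_IDS.get(crypt_id, "unknown")))
```

Run against the real file with `audit(open("/etc/shadow").read(), ...)` as root; the report tells you which accounts would stop authenticating before you narrow the allowed list, which is the practical reason to check this first.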

Re: CentOS-6.x equivalent to /etc/security/policy.conf

Posted: 2016/02/12 19:20:46
by aks
Yes, that offers more. There's not an equivalent that offers all those things.
To set your algorithm for users look in /etc/sysconfig/* (I seem to recall it was something like useradd, but could be wrong). Anyway, you set a specific algo., not a range of ("un-connected") algos.

Re: CentOS-6.x equivalent to /etc/security/policy.conf

Posted: 2016/02/12 21:56:37
by TrevorH
Worth reading man login.defs

Re: CentOS-6.x equivalent to /etc/security/policy.conf

Posted: 2016/02/16 19:40:36
by warron.french
Thanks to you both!

Re: CentOS-6.x equivalent to /etc/security/policy.conf

Posted: 2016/02/16 19:43:54
by warron.french
aks, getting back to you immediately, would the file in /etc/sysconfig be authconfig perchance?

TrevorH, I am looking into your suggestion now.

Re: CentOS-6.x equivalent to /etc/security/policy.conf

Posted: 2016/02/16 19:46:23
by warron.french
TrevorH, I found the reference in the man page on /etc/login.defs; thank you.

Does anyone know which decides:
1. /etc/login.defs or
2. /etc/sysconfig/authconfig

Does one take a higher precedence over the other?

Re: CentOS-6.x equivalent to /etc/security/policy.conf

Posted: 2016/02/18 18:32:58
by aks
I don't really know.
What I can say is this:

The original idea of the sysconfig/* subtree (which systemd is making inroads to removing) is so that one can make local changes to a file that is not part of the RPM. So when you update a package (an RPM), the files that are included as part of the RPM do not conflict with locally modified items (all files in an RPM are MD5 hashed). So if you modify a file that is part of an RPM, when you update the package, the new file would be named <original_filename>.rpmsave and would not be active. This is to stop RH from overwriting local changes - it's also the reason for the conf.d directories used all over the system.

So I'd guess sysconfig stuff would be more "preferred" - but as I say, I don't know and would have to experiment to find out (which I can't be bothered with doing right now....)
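The question a few posts up (which of /etc/login.defs and /etc/sysconfig/authconfig decides) is left open in the thread. What an admin can check cheaply is whether the two files agree at all. The script below is an added example, not from the thread or from CentOS; it assumes the login.defs key is ENCRYPT_METHOD (whitespace separated, as documented in man login.defs) and that the authconfig key is PASSWDALGORITHM (KEY=value form), normalizes both to the crypt(3) identifier that would appear in /etc/shadow, and reports a mismatch. The file contents are constructed samples.

```python
"""Compare the password hashing algorithm named in /etc/login.defs with the
one in /etc/sysconfig/authconfig (added example, not part of the thread)."""

# Both files spell algorithms differently; map each to a crypt(3) $id$.
# 'descrypt' stands for the prefix-less traditional DES hash.
ALGO_TO_ID = {"des": "descrypt", "md5": "1", "sha256": "5", "sha512": "6"}


def parse_login_defs(text):
    """Return {KEY: value} for a login.defs fragment ('KEY value' lines)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def parse_sysconfig(text):
    """Return {KEY: value} for a sysconfig-style fragment ('KEY=value' lines)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf


def configured_ids(login_defs_text, authconfig_text):
    """Return (login_defs_id, authconfig_id) as crypt ids; None where unset
    or not recognised. Assumes the keys ENCRYPT_METHOD and PASSWDALGORITHM."""
    ld = parse_login_defs(login_defs_text).get("ENCRYPT_METHOD")
    ac = parse_sysconfig(authconfig_text).get("PASSWDALGORITHM")
    ld_id = ALGO_TO_ID.get(ld.lower()) if ld else None
    ac_id = ALGO_TO_ID.get(ac.lower()) if ac else None
    return ld_id, ac_id


def consistent(login_defs_text, authconfig_text):
    """True only when both files name the same, recognised algorithm."""
    ld_id, ac_id = configured_ids(login_defs_text, authconfig_text)
    return ld_id is not None and ld_id == ac_id


# Constructed samples: one agreeing pair and one that drifted apart.
LOGIN_DEFS_OK = "# /etc/login.defs fragment\nENCRYPT_METHOD SHA512\n"
AUTHCONFIG_OK = 'PASSWDALGORITHM=sha512\nUSESHADOW=yes\n'
LOGIN_DEFS_OLD = "ENCRYPT_METHOD MD5\n"

if __name__ == "__main__":
    for name, ld, ac in (("agreeing", LOGIN_DEFS_OK, AUTHCONFIG_OK),
                         ("drifted", LOGIN_DEFS_OLD, AUTHCONFIG_OK)):
        print(name, configured_ids(ld, ac),
              "consistent" if consistent(ld, ac) else "MISMATCH")
```

The check only reports disagreement; it does not settle precedence. New hashes are ultimately produced by whatever pam_unix is told in /etc/pam.d/system-auth, so after changing either file, set a test account's password and confirm the $id$ prefix that lands in /etc/shadow.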

Re: CentOS-6.x equivalent to /etc/security/policy.conf

Posted: 2016/02/19 13:12:31
by warron.french
Thanks for the reply.