How to update /etc/pam.d/system-auth?

yaoyansi
Posts: 23
Joined: 2014/08/24 07:10:22

How to update /etc/pam.d/system-auth?

Post by yaoyansi » 2015/12/27 09:40:37

Hi all

#Question1:
I'm hardening my system with this guide https://wiki.centos.org/HowTos/OS_Protection
But I'm not sure whether this guide is updated to CentOS7.

It says I should update /etc/pam.d/system-auth in this way:


And now we need to update /etc/pam.d/system-auth

touch /var/log/tallylog
cat << 'EOF' > /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=60

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_tally2.so per_user

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=9 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=10
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF


#Question2:
I'm following this guide https://highon.coffee/blog/security-har ... er-session,
it says:


Max Password Login Attempts per Session
Set the amount of password reprompts per session, by editing the pam_pwquality.so statement in /etc/pam.d/system-auth to retry=3 or lower.
but my /etc/pam.d/system-auth doesn't have a pam_pwquality.so statement at all. How should I add a pam_pwquality.so statement?


#Question3
This guide https://highon.coffee/blog/security-har ... er-session also says:


Set Deny For Failed Password Attempts
Blocks logins for failed authentication on accounts.
Add the following lines immediately below the pam_unix.so statement in AUTH section of both /etc/pam.d/system-auth and /etc/pam.d/password-auth:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
But I don't know what these parameters mean, even after checking man pam_faillock.

#Question4
If someone attempts to log onto my system remotely and types the wrong password twice, I wish to forbid his logon for 10 min. How do I configure my system for this case?

Cheers
yao

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: How to update /etc/pam.d/system-auth?

Post by aks » 2015/12/27 17:01:28

#Question1:
No question???

#Question2:
Example quality module use (pwquality replaces pam_cracklib in 7):
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

#Question3
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
Basically means three attempts, you get locked out for 604800 (seconds I think) and these failures must occur within a 900 second window (well from memory anyway).
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
As above.

#Question4
Change those parameters as above to suit.

Warning: Be very careful playing about with pam, it's quite easy to lock yourself out of the system!

Also, you're not supposed to mess about with system-auth/password-auth etc., those are symlinks (usually pointing to the -ac file). The authconfig program will overwrite them.
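An added example (not from this thread or either guide) that parses a PAM auth stack, checks that the two pam_faillock.so lines from Question 3 sit immediately below pam_unix.so, and reports the effective lockout policy in plain terms; the sample config is constructed to show Question 4's policy (deny=2, unlock_time=600) and the defaults assumed for missing arguments are the ones documented in pam_faillock(8).

```python
"""Lint the auth stack of a system-auth/password-auth file for pam_faillock."""
import re

# Constructed sample: the Question 3 lines inserted below pam_unix.so,
# with deny=2 / unlock_time=600 (two failures -> 10 minute lockout).
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=2 unlock_time=600 fail_interval=900
auth        required      pam_faillock.so authsucc deny=2 unlock_time=600 fail_interval=900
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
"""

def parse_stack(text, stack="auth"):
    """Return [(control, module, {arg: value})] for one management group.
    Control may be a bracketed form such as [default=die]; a leading '-'
    (as in -session) is tolerated."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m or m.group(1).lstrip("-") != stack:
            continue
        args = {}
        for tok in m.group(4).split():
            key, has_value, value = tok.partition("=")
            args[key] = value if has_value else True
        rows.append((m.group(2), m.group(3), args))
    return rows

def faillock_policy(text):
    """Verify placement of authfail/authsucc directly after pam_unix.so and
    return (attempts, lock_seconds, window_seconds), or None if misplaced."""
    rows = parse_stack(text, "auth")
    mods = [r[1] for r in rows]
    if "pam_unix.so" not in mods or mods.index("pam_unix.so") + 2 >= len(rows):
        return None
    i = mods.index("pam_unix.so")
    fail, succ = rows[i + 1], rows[i + 2]
    if not (fail[1] == "pam_faillock.so" and "authfail" in fail[2]
            and fail[0] == "[default=die]"
            and succ[1] == "pam_faillock.so" and "authsucc" in succ[2]):
        return None
    a = fail[2]  # defaults below are the pam_faillock(8) documented defaults
    return (int(a.get("deny", 3)), int(a.get("unlock_time", 600)), int(a.get("fail_interval", 900)))

def describe(policy):
    """Turn the tuple into the sentence the Question 3 poster asked for."""
    attempts, lock, window = policy
    return f"{attempts} failures within {window}s lock the account for {lock}s ({lock // 60} min)"
```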
