A client company's SOX audit requirements for Linux accounts, and the solution worked out by me and a Red Hat engineer.


eric.wang

Jul 14, 2006, 9:06:56 PM
to erics-Li...@googlegroups.com
SOX demands for Linux OS passwords

1. A unique user ID is required in combination with a password to access the system.

2. Automatic password changing after 60 days where technically feasible.  If not technically feasible, a compensating control is in place.

3. Password minimum length of 8 characters or maximum length allowed by system when the allowable length is less than 8 characters.

4. User IDs/Accounts suspended after 6 invalid logins if technically feasible.  If not technically feasible, a compensating control is in place.

5. Accounts inactive for 60 days are disabled if technically possible.  If not technically possible, a compensating control is in place.

6. Password history of 12 is enabled which prohibits the reuse of the last 12 passwords

7. Following a new user's initial logon to the application, the user is prompted to change password.

MY

ericw...@gmail.com

Jul 14, 2006, 9:13:49 PM
to Eric's Linux Study
From Me


For 2. Expiry Setting
[root@localhost]# passwd -x 60 -w 10 <username>   # <username> is a placeholder: without a login name, passwd changes the aging of the invoking account (root) instead

For 1. Complexity Setting
Add the following lines to /etc/pam.d/passwd

# pam_cracklib credits: a negative value means "require at least that many" of the class,
# a positive value only gives extra credit toward minlen, so -1 is needed to force 1 capital and 1 other character
password requisite pam_cracklib.so type="Retype-3-At-least-8-letters-1-capital-1-character" retry=3 minlen=10 ucredit=-1 ocredit=-1
password required pam_unix.so use_authtok


Reference Documents
passwd manual

The Linux-PAM System Administrators' Guide
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html#toc6

ericw...@gmail.com

Jul 14, 2006, 9:16:37 PM
to Eric's Linux Study
From Red Hat China Support

For 4:
http://kbase.redhat.com/faq/FAQ_80_4047.shtm

For 7:
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-users-cmd-line.html

http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html

Password "History"

pam_cracklib is capable of consulting a user's password "history" and
not allowing them to re-use old passwords. However, the functionality
for actually storing the user's old passwords is enabled via the
pam_unix module.

The first step is to make sure to create an empty /etc/security/opasswd
file for storing old user passwords. If you forget to do this before
enabling the history feature in the PAM configuration file, then all
user password updates will fail because the pam_unix module will
constantly be returning errors from the password history code due to
the file being missing.

Treat your opasswd file like your /etc/shadow file because it will end
up containing user password hashes (albeit for old user passwords that
are no longer in use):

touch /etc/security/opasswd

chown root:root /etc/security/opasswd

chmod 600 /etc/security/opasswd

Once you've got the opasswd file set up, enable password history
checking by adding the option "remember=<x>" to the pam_unix
configuration line in the /etc/pam.d/common-password file. Here's how
I have things set up on my Knoppix machine:

password required pam_cracklib.so retry=3 minlen=12 difok=4

password required pam_unix.so md5 remember=12 use_authtok

The value of the "remember" parameter is the number of old passwords
you want to store for a user. It turns out that there's an internal
maximum of 400 previous passwords, so values higher than 400 are all
equivalent to 400. Before you complain about this limit, consider that
even if your site forces users to change passwords every 30 days, 400
previous passwords represents over 30 years of password history. This
is probably sufficient for even the oldest of legacy systems.

Once you've enabled password history, the opasswd file starts filling
up with user entries that look like this:

hal:1000:<n>:<hash1>,<hash2>,...,<hashn>

The first two fields are the username and user ID. The <n> in the
third field represents the number of old passwords currently being
stored for the user; this value is incremented by one every time a new
hash is added to the user's password history until <n> ultimately
equals the value of the "remember" parameter set on the pam_unix
configuration line. <hash1>,<hash2>,...,<hashn> are actually the MD5
password hashes for the user's old passwords.
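Added example (not from the thread, nor Red Hat's or Hal Pomeranz's code): a small Python audit helper that parses PAM password-stack lines and opasswd entries of the layout described above and checks them against SOX items 3 and 6. It also shows the caveat that pam_cracklib's minlen counts credits, so the shortest password actually accepted is minlen minus the positive credits; the sample lines and hashes are constructed.

```python
# Constructed sample of the thread's /etc/pam.d/common-password lines (not a real file).
SAMPLE_PAM = """\
password required pam_cracklib.so retry=3 minlen=12 difok=4
password required pam_unix.so md5 remember=12 use_authtok
"""
# Constructed opasswd entry in the username:uid:count:hash1,hash2,... layout; placeholder hashes.
SAMPLE_OPASSWD = "hal:1000:3:$1$x1$OLDHASH1,$1$x2$OLDHASH2,$1$x3$OLDHASH3\n"

def parse_pam_options(text):
    """Map each module on the 'password' stack to its option=value dict ('' for flags)."""
    mods = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "password":
            opts = dict(tok.partition("=")[::2] for tok in parts[3:])
            mods[parts[2]] = opts
    return mods

def effective_minlen(cracklib):
    """pam_cracklib 'minlen' counts credits: a positive credit lets one
    character of that class count as two, so the shortest accepted
    password is minlen minus the sum of positive credits (default 1 each)."""
    minlen = int(cracklib.get("minlen") or 9)
    credits = sum(max(int(cracklib.get(k) or 1), 0)
                  for k in ("dcredit", "ucredit", "lcredit", "ocredit"))
    return minlen - credits

def parse_opasswd(text):
    """Return {user: (uid, count, [old hashes])} from opasswd lines."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            user, uid, count, hashes = line.split(":", 3)
            users[user] = (int(uid), int(count), hashes.split(",") if hashes else [])
    return users

def audit(pam_text, opasswd_text):
    """Check SOX items 3 (min length 8) and 6 (history of 12) and that opasswd counts agree with 'remember'."""
    mods = parse_pam_options(pam_text)
    shortest = effective_minlen(mods.get("pam_cracklib.so", {}))
    remember = int(mods.get("pam_unix.so", {}).get("remember") or 0)
    history = parse_opasswd(opasswd_text)
    consistent = all(n == len(h) and n <= remember for _, n, h in history.values())
    return {
        "3_min_length": (shortest >= 8, f"shortest accepted password {shortest}"),
        "6_history_12": (remember >= 12, f"remember={remember}"),
        "opasswd_consistent": (consistent, f"{len(history)} user(s) with history"),
    }
```

Note that with the quoted minlen=12 and default credits, an 8-character password containing all four classes is accepted, which only just meets item 3.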
