Account Passwords
Shielding System Accounts
Description
Accounts excluding user accounts are system accounts. System accounts cannot be used for logins or performing other operations. Therefore, system accounts must be shielded.
Implementation
Modify the shell of a system account to /sbin/nologin.
usermod -L -s /sbin/nologin $systemaccount
NOTE: $systemaccount indicates the system account.
Restricting Account Permissions on the su Command
Description
The su command is used to switch user accounts. To improve system security, only the user root and users in the wheel group can use the su command.
Implementation
Modify the /etc/pam.d/su file as follows:
auth required pam_wheel.so use_uid
Table 1 Configuration item in pam_wheel.so
Setting Password Complexity
Description
You can set the password complexity requirements by modifying the corresponding configuration file. You are advised to set the password complexity based on the site requirements.
Implementation
The password complexity is implemented by the pam_pwquality.so and pam_pwhistory.so modules in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files. You can modify the configuration items of the two modules to change the password complexity requirements.
Example
This section provides an example for configuring password complexity.
Password Complexity Requirements
Contains at least eight characters.
Contains at least three types of the following characters:
At least one lowercase letter
At least one uppercase letter
At least one digit
At least one space or one of the following special characters: ` ~ ! @ # $ % ^ & * ( ) - _ = + \ | [ { } ] ; : ' " , < . > / ?
Cannot be the same as an account name or the account name in reverse order.
Cannot be the last five passwords used.
Implementation
Add the following content to the first two lines of the password configuration item in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files:
password requisite pam_pwquality.so minlen=8 minclass=3 enforce_for_root try_first_pass local_users_only retry=3 dcredit=0 ucredit=0 lcredit=0 ocredit=0
password required pam_pwhistory.so use_authtok remember=5 enforce_for_root
Configuration Item Description
For details about the configuration items of pam_pwquality.so and pam_pwhistory.so, see Table 2 and Table 3, respectively.
Table 2 Configuration items in pam_pwquality.so
A password must contain at least three of the following types: uppercase letters, lowercase letters, digits, and special characters. | |
Table 3 Configuration items in pam_pwhistory.so
A password must be different from the last five passwords used. | |
Setting the Password Validity Period
Description
To ensure system security, you are advised to set the password validity period and notify users to change passwords before the passwords expire.
Implementation
The password validity period is set by modifying the /etc/login.defs file. Table 4 describes the hardening items. All hardening items in the table are in the /etc/login.defs file. You can directly modify the items in the configuration file.
Table 4 Configuration items in login.defs
NOTE: The login.defs file is used to set restrictions on user accounts, such as setting the maximum password validity period and maximum length. The configuration in this file is invalid for the user root. If the /etc/shadow file contains the same items, the /etc/shadow configuration takes precedence over the /etc/login.defs configuration. When a user attempts to log in after the password expires, the user will be informed of the password expiry and is required to change the password. If the user does not change the password, the user cannot access the system.
Setting Password Encryption Algorithms
Description
For system security, passwords cannot be stored in plaintext in the system and must be encrypted. The passwords that do not need to be restored must be encrypted using irreversible algorithms. Set the password encryption algorithm to SHA-512. This item has been set by default in openEuler. The preceding settings can effectively prevent password disclosure and ensure password security.
Implementation
To set the password encryption algorithm, add the following configuration to the /etc/pam.d/password-auth and /etc/pam.d/system-auth files:
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
Table 5 Configuration items in pam_unix.so
Locking an Account After Three Login Failures
Description
To ensure user system security, you are advised to set the maximum number of failed login attempts (three attempts are recommended) and the automatic unlocking time (300 seconds are recommended) for a locked account.
If an account is locked, any input is invalid but does not reset the locking countdown timer. Records of the user's invalid inputs are cleared once unlocked. The preceding settings protect passwords from being forcibly cracked and improve system security.
NOTE: By default, the maximum number of failed login attempts is 3 in openEuler. After an account is locked, the automatic unlock time is 60 seconds.
Implementation
The password complexity is set by modifying the /etc/pam.d/password-auth and /etc/pam.d/system-auth files. The maximum number of failed login attempts is set to 3, and the unlocking time after an account is locked is set to 300 seconds. The configuration is as follows:
auth required pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=300
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300
auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=300
Table 6 Configuration items in pam_faillock.so
A user account will be locked after three failed login attempts. | |
A locked common user account is automatically unlocked after 300 seconds. | |
Hardening the su Command
Description
To enhance system security and prevent the environment variables of the current user from being brought into other environments when you run the su command to switch to another user, this item has been configured by default in openEuler. The PATH variable is always initialized when the su command is used to switch users.
Implementation
Modify the /etc/login.defs file. The configuration is as follows:
ALWAYS_SET_PATH=yes