|
 |
2b7b16 |
diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml
|
|
|
2b7b16 |
index b2da2a4..29fa69f 100644
|
|
|
2b7b16 |
--- a/RHEL/6/input/system/accounts/pam.xml
|
|
|
2b7b16 |
+++ b/RHEL/6/input/system/accounts/pam.xml
|
|
|
2b7b16 |
@@ -472,12 +472,17 @@ and a second to use unlock_time and set it to a Value
|
|
|
2b7b16 |
<title>Set Deny For Failed Password Attempts</title>
|
|
|
2b7b16 |
<description>
|
|
|
2b7b16 |
To configure the system to lock out accounts after a number of incorrect login
|
|
|
2b7b16 |
-attempts using <tt>pam_faillock.so</tt>:
|
|
|
2b7b16 |
+attempts using <tt>pam_faillock.so</tt>, modify the content of both
|
|
|
2b7b16 |
+<tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
|
|
|
2b7b16 |
|
|
|
2b7b16 |
-Add the following lines immediately below the <tt>pam_unix.so</tt> statement in <tt>AUTH</tt> section of
|
|
|
2b7b16 |
-both <tt>/etc/pam.d/system-auth</tt> and /etc/pam.d/password-auth:
|
|
|
2b7b16 |
-auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=900
|
|
|
2b7b16 |
-auth required pam_faillock.so authsucc deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=900
|
|
|
2b7b16 |
+
|
|
|
2b7b16 |
+ add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
|
|
|
2b7b16 |
+auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+ add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
|
|
|
2b7b16 |
+auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+ add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
|
|
|
2b7b16 |
+account required pam_faillock.so
|
|
|
2b7b16 |
+
|
|
|
2b7b16 |
</description>
|
|
|
2b7b16 |
<ocil clause="that is not the case">
|
|
|
2b7b16 |
To ensure the failed password attempt policy is configured correctly, run the following command:
|
|
|
2b7b16 |
@@ -497,11 +502,17 @@ prevents direct password guessing attacks.
|
|
|
2b7b16 |
<title>Set Lockout Time For Failed Password Attempts</title>
|
|
|
2b7b16 |
<description>
|
|
|
2b7b16 |
To configure the system to lock out accounts after a number of incorrect login
|
|
|
2b7b16 |
-attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>:
|
|
|
2b7b16 |
+attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>,
|
|
|
2b7b16 |
+modify the content of both <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
|
|
|
2b7b16 |
|
|
|
2b7b16 |
-Add the following lines immediately below the <tt>pam_env.so</tt> statement in <tt>/etc/pam.d/system-auth</tt>:
|
|
|
2b7b16 |
-auth [default=die] pam_faillock.so authfail deny=3 unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=900
|
|
|
2b7b16 |
-auth required pam_faillock.so authsucc deny=3 unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=900
|
|
|
2b7b16 |
+
|
|
|
2b7b16 |
+ add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
|
|
|
2b7b16 |
+auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+ add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
|
|
|
2b7b16 |
+auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+ add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
|
|
|
2b7b16 |
+account required pam_faillock.so
|
|
|
2b7b16 |
+
|
|
|
2b7b16 |
</description>
|
|
|
2b7b16 |
<ocil clause="that is not the case">
|
|
|
2b7b16 |
To ensure the failed password attempt policy is configured correctly, run the following command:
|
|
|
2b7b16 |
@@ -523,12 +534,16 @@ situations.
|
|
|
2b7b16 |
<title>Set Interval For Counting Failed Password Attempts</title>
|
|
|
2b7b16 |
<description>
|
|
|
2b7b16 |
Utilizing <tt>pam_faillock.so</tt>, the <tt>fail_interval</tt> directive configures the system to lock out accounts after a number of incorrect login
|
|
|
2b7b16 |
-attempts.
|
|
|
2b7b16 |
+attempts. Modify the content of both <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
|
|
|
2b7b16 |
|
|
|
2b7b16 |
-Add the following <tt>fail_interval</tt> directives to <tt>pam_faillock.so</tt> immediately below the <tt>pam_env.so</tt> statement in
|
|
|
2b7b16 |
-<tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt>:
|
|
|
2b7b16 |
-auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
-auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+
|
|
|
2b7b16 |
+ add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
|
|
|
2b7b16 |
+auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+ add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
|
|
|
2b7b16 |
+auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+ add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
|
|
|
2b7b16 |
+account required pam_faillock.so
|
|
|
2b7b16 |
+
|
|
|
2b7b16 |
</description>
|
|
|
2b7b16 |
<ocil clause="that is not the case">
|
|
|
2b7b16 |
To ensure the failed password attempt policy is configured correctly, run the following command:
|
|
|
2b7b16 |
diff --git a/RHEL/7/input/system/accounts/pam.xml b/RHEL/7/input/system/accounts/pam.xml
|
|
|
2b7b16 |
index f5d9cdf..e6bcd60 100644
|
|
|
2b7b16 |
--- a/RHEL/7/input/system/accounts/pam.xml
|
|
|
2b7b16 |
+++ b/RHEL/7/input/system/accounts/pam.xml
|
|
|
2b7b16 |
@@ -498,12 +498,17 @@ and a second to use unlock_time and set it to a Value
|
|
|
2b7b16 |
<title>Set Deny For Failed Password Attempts</title>
|
|
|
2b7b16 |
<description>
|
|
|
2b7b16 |
To configure the system to lock out accounts after a number of incorrect login
|
|
|
2b7b16 |
-attempts using <tt>pam_faillock.so</tt>:
|
|
|
2b7b16 |
+attempts using <tt>pam_faillock.so</tt>, modify the content of both
|
|
|
2b7b16 |
+<tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
|
|
|
2b7b16 |
|
|
|
2b7b16 |
-Add the following lines immediately below the <tt>pam_unix.so</tt> statement in <tt>AUTH</tt> section of
|
|
|
2b7b16 |
-both <tt>/etc/pam.d/system-auth</tt> and /etc/pam.d/password-auth:
|
|
|
2b7b16 |
-auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
-auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+
|
|
|
2b7b16 |
+ add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
|
|
|
2b7b16 |
+auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+ add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
|
|
|
2b7b16 |
+auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+ add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
|
|
|
2b7b16 |
+account required pam_faillock.so
|
|
|
2b7b16 |
+
|
|
|
2b7b16 |
</description>
|
|
|
2b7b16 |
<ocil clause="that is not the case">
|
|
|
2b7b16 |
To ensure the failed password attempt policy is configured correctly, run the following command:
|
|
|
2b7b16 |
@@ -523,11 +528,17 @@ prevents direct password guessing attacks.
|
|
|
2b7b16 |
<title>Set Lockout Time For Failed Password Attempts</title>
|
|
|
2b7b16 |
<description>
|
|
|
2b7b16 |
To configure the system to lock out accounts after a number of incorrect login
|
|
|
2b7b16 |
-attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>:
|
|
|
2b7b16 |
+attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>,
|
|
|
2b7b16 |
+modify the content of both <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
|
|
|
2b7b16 |
|
|
|
2b7b16 |
-Add the following lines immediately below the <tt>pam_env.so</tt> statement in <tt>/etc/pam.d/system-auth</tt>:
|
|
|
2b7b16 |
-auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
-auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+
|
|
|
2b7b16 |
+ add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
|
|
|
2b7b16 |
+auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+ add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
|
|
|
2b7b16 |
+auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+ add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
|
|
|
2b7b16 |
+account required pam_faillock.so
|
|
|
2b7b16 |
+
|
|
|
2b7b16 |
</description>
|
|
|
2b7b16 |
<ocil clause="that is not the case">
|
|
|
2b7b16 |
To ensure the failed password attempt policy is configured correctly, run the following command:
|
|
|
2b7b16 |
@@ -549,12 +560,16 @@ situations.
|
|
|
2b7b16 |
<title>Set Interval For Counting Failed Password Attempts</title>
|
|
|
2b7b16 |
<description>
|
|
|
2b7b16 |
Utilizing <tt>pam_faillock.so</tt>, the <tt>fail_interval</tt> directive configures the system to lock out accounts after a number of incorrect login
|
|
|
2b7b16 |
-attempts.
|
|
|
2b7b16 |
+attempts. Modify the content of both <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
|
|
|
2b7b16 |
|
|
|
2b7b16 |
-Add the following <tt>fail_interval</tt> directives to <tt>pam_faillock.so</tt> immediately below the <tt>pam_env.so</tt> statement in
|
|
|
2b7b16 |
-<tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt>:
|
|
|
2b7b16 |
-auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
-auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+
|
|
|
2b7b16 |
+ add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
|
|
|
2b7b16 |
+auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+ add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
|
|
|
2b7b16 |
+auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
|
|
|
2b7b16 |
+ add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
|
|
|
2b7b16 |
+account required pam_faillock.so
|
|
|
2b7b16 |
+
|
|
|
2b7b16 |
</description>
|
|
|
2b7b16 |
<ocil clause="that is not the case">
|
|
|
2b7b16 |
To ensure the failed password attempt policy is configured correctly, run the following command:
|