RH415 - ch05s03

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

SectionSection 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Modifying the PAM Configuration

Objectives

After completing this section, students should be able to change the existing PAM configuration and explain recommended practices for modifying and managing PAM configuration files.

Preparing for Configuration Update

Because PAM controls access to the system, an error in its configuration can have severe consequences. An administrator might accidentally provide too much system access, allowing access to users that should be denied. An incorrect configuration can also lock you out of the system; even the root user may be denied access.

To mitigate these issues, Red Hat recommends the following precautions:

Use the authconfig --savebackup=backupdir command to back up the PAM configuration.
```
[root@demo ~]# authconfig --savebackup=/root/pambackup
```
To restore the configuration, use the --restorebackup=backupdir option.
Open a root shell on an additional terminal and leave it open. If you lock yourself out of the system, you still have this open shell to fix the problem. Before closing this rescue terminal, confirm that the new PAM configuration works as expected. If you encounter any issues, do no reboot your system before fixing them.
Use the provided tools to configure PAM rather than manually modifying the files. The authconfig command has options to perform the most common configurations. Use its --help option to review the capabilities of this tool.

Using authconfig to Configure PAM

Administrators should use the authconfig tool to configure PAM whenever possible. authconfig provides a command-line tool as well as a graphical interface through the authconfig-gtk command. The authconfig-tui command provides a text-based interface but is now deprecated.

Administrators can also use authconfig to manage the Name Service Switch (NSS) to configure access to the user information databases.

The authconfig command works in two modes:

Update mode: Use authconfig with --update to update the configuration according to the configuration options you provide.
Test mode: Use authconfig with --test to print the configuration without applying it.

In update mode, authconfig modifies the /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac files. Recall that most of the PAM service configuration files include the system-auth and password-auth files. These two files are symbolic links to the system-auth-ac and password-auth-ac files.

[root@demo ~]# cd /etc/pam.d
[root@demo pam.d]# ls -l system-auth
lrwxrwxrwx. 1 root root 14 Mar 22 15:11 system-auth -> system-auth-ac

[root@demo pam.d]# ls -l password-auth
lrwxrwxrwx. 1 root root 16 Mar 22 15:11 password-auth -> password-auth-ac

This way, when authconfig updates its *-ac files, the configuration takes effect immediately.

Manually Configuring PAM

In most situations, administrators can rely on authconfig to configure PAM. For some specific configurations, however, you may need to edit the PAM configuration files manually.

Important

When editing a PAM configuration file, make sure that you make all the changes you need before saving the file. Because PAM immediately applies the modifications, a partial configuration may render your system inaccessible.

Deciding to configure PAM manually requires some precautions. For example, if you edit the system-auth file, which is a symbolic link to system-auth-ac, a subsequent call to authconfig overwrites your changes. There are two ways you can avoid this:

Configure the system to prevent authconfig from overwriting your configuration. Using authconfig has no effect anymore and you can only configure PAM manually.
Configure the system so that you can use both methods, authconfig and manual editing.

Only Allowing Manual Configuration

To prevent authconfig from overwriting your modifications, create a system-auth-local file and a password-auth-local file to use for manual configuration. You can copy the existing system-auth-ac and password-auth-ac files as a starting point. You can then recreate the system-auth and password-auth symbolic links and make them point to your local files.

[root@demo ~]# cd /etc/pam.d
[root@demo pam.d]# cp system-auth-ac system-auth-local       
[root@demo pam.d]# cp password-auth-ac password-auth-local
[root@demo pam.d]# rm system-auth password-auth              
[root@demo pam.d]# ln -s system-auth-local system-auth       
[root@demo pam.d]# ln -s password-auth-local password-auth
[root@demo pam.d]# ls -l system-auth password-auth
lrwxrwxrwx. 1 root root 19 Jul 17 07:24 password-auth -> password-auth-local
lrwxrwxrwx. 1 root root 17 Jul 17 07:24 system-auth -> system-auth-local

	Make a copy of the existing `system-auth-ac` and `password-auth-ac` files to use for manual configuration.
	Remove the symbolic links.
	Recreate the links to point to your custom `system-auth-local` and `password-auth-local` files.

Now you can edit the custom system-auth-local and password-auth-local files without risking an overwrite by authconfig. If you mistakenly uses authconfig, the command updates the system-auth-ac and password-auth-ac files, but this does not affect the current PAM configuration.

Allowing both Manual and authconfig Configuration

You might prefer to continue using authconfig but also allow manual configuration. This requires an extra step; create your own set of custom files for manual configuration, and include the *-ac files in those files.

[root@demo ~]# cd /etc/pam.d
[root@demo pam.d]# cp system-auth-ac system-auth-local       
[root@demo pam.d]# cp password-auth-ac password-auth-local
[root@demo pam.d]# rm system-auth password-auth              
[root@demo pam.d]# ln -s system-auth-local system-auth       
[root@demo pam.d]# ln -s password-auth-local password-auth
[root@demo pam.d]# ls -l system-auth password-auth
lrwxrwxrwx. 1 root root 19 Jul 17 07:24 password-auth -> password-auth-local
lrwxrwxrwx. 1 root root 17 Jul 17 07:24 system-auth -> system-auth-local
[root@demo pam.d]# vim system-auth-local                     
auth     include system-auth-ac
account  include system-auth-ac
password include system-auth-ac
session  include system-auth-ac
[root@demo pam.d]# vim password-auth-local
auth     include password-auth-ac
account  include password-auth-ac
password include password-auth-ac
session  include password-auth-ac

	Make a copy of the of the existing `system-auth-ac` and `password-auth-ac` files to use for manual configuration.
	Remove the symbolic links.
	Recreate the links to point to your custom `system-auth-local` and `password-auth-local` files.
	In you custom files, include the `*-ac` files.

You can now use the custom *-local files for manual configuration, but include the *-ac files for the configuration you do through authconfig.

References

For more information, refer to the Using authconfig chapter in the Red Hat Enterprise Linux 7 System-Level Authentication Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/system-level_authentication_guide/#authconfig-install

For more information, refer to the Account Locking section in the Red Hat Enterprise Linux 7 Security Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/#sect-Security_Guide-Workstation_Security-Account_Locking

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c