Configuring Password Quality Requirements

Objectives

After completing this section, students should be able to implement password quality requirements using pam_pwquality and authconfig.

Describing the pam_pwquality Module

Many organizations require user passwords to comply with a particular set of rules, which often define the password length or the type of characters to use. On Red Hat Enterprise Linux, you can use PAM to enforce these security policies and recommended practices.

PAM uses the rules in the password management group when a user attempts to change their password through an open application session. The following examples show password management group rules from files in /etc/pam.d/:

[root@demo ~]# grep ^password /etc/pam.d/sshd
password   include      password-auth

[root@demo ~]# grep ^password /etc/pam.d/login
password   include      system-auth

Notice that both types of login session use include directives that pull in either system-auth or password-auth. The password rules in password-auth and system-auth are identical.

Inspect the /etc/pam.d/system-auth file.

[root@demo ~]# grep ^password /etc/pam.d/system-auth
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

Recall that PAM rules are parsed and executed top to bottom. When a user attempts to change their password, the first rule that PAM calls is the requisite pam_pwquality.so entry.

The pam_pwquality module takes the new password provided by the user, checks it against a dictionary in /usr/share/cracklib/, and checks it for patterns and easily guessed combinations. By default, this module expects passwords to be longer than six characters and a combination of upper- and lowercase letters, digits, and special characters. Because this module is called with a requisite controller, if the password is deemed not compliant, the password change immediately stops and control returns to the application which initiated the PAM call; no further PAM rules are inspected.

Note

The pam_pwquality module replaced pam_cracklib in Red Hat Enterprise Linux 7.

If the user passes the pam_pwquality check, PAM executes the sufficient pam_unix.so rule. In the password management group, pam_unix updates the user's password in a variety of back-end storage mechanisms, including /etc/passwd, /etc/shadow, or Network Information System (NIS).

Because the pam_unix rule uses the sufficient controller, if it is successful in updating the user's password, PAM closes and passes control back to the application that called it.

There is one last rule, the required pam_deny.so entry. PAM only checks this rule if the sufficient pam_unix.so rule fails for some reason to update the user's password. pam_deny always returns a failure result. This way the application knows there was an error when it called PAM. Because the pam_deny rule is required, PAM returns an overall failure to the application attempting to change the user's password.

Configuring the pam_pwquality Module

There are two ways to configure the pam_pwquality module:

  • Use module arguments to provide the entire configuration. This requires that you manually edit the requisite pam_pwquality.so rule in the PAM configuration files.

  • Edit the pam_pwquality configuration file, /etc/security/pwquality.conf. This is the recommended method because you do not have to touch the PAM configuration files. However, some parameters cannot be specified this way.

The following parameters, set by default in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files, cannot be specified in /etc/security/pwquality.conf. If you want to modify them, you need to edit the PAM configuration files.

try_first_pass

Before prompting the user for their password, pam_pwquality verifies if a previous module has already asked for it. If that is the case, pam_pwquality reuses this password.

local_users_only

pam_pwquality only verifies the password strength for local users defined in /etc/passwd.

retry=3

This setting gives the user three chances to provide a password that passes the module's tests.

authtok_type=

By default, pam_pwquality displays the "New password" and "Retype new password" prompts when asking for the new password. You can use authtok_type to customize these prompts. pam_pwquality inserts the value of authtok_type between "new" and "password." For example, setting authtok_type to Linux changes the prompts to "New Linux password" and "Retype new Linux password."

The other parameters control the requirements for the password complexity. You can specify them as arguments to the pam_pwquality module in the PAM configuration files, or more conveniently in the /etc/security/pwquality.conf file.

minlen

This is the minimum length required for a password. By default, every character contributes one to the overall length score. However, with the credit system an administrator can give some character types more value, thereby requiring fewer overall characters to meet the same length. This is explained in more detail below.

lcredit

This is the amount of credit lowercase characters contribute to password length. If you set this value to a negative number, it specifies the minimum number of lowercase characters required.

ucredit

This is the amount of credit uppercase characters contribute to password length. If you set this value to a negative number, it specifies the minimum number of uppercase characters required.

dcredit

This is the amount of credit digits contribute to password length. If you set this value to a negative number, it specifies the minimum number of digit characters required.

ocredit

This is the amount of credit other characters contribute to password length. Other characters are symbols and all the characters not included in lowercase, uppercase, and digit. If you set this value to a negative number, it specifies the minimum number of other characters required.

There are many different ways to combine the different length and complexity requirements with pam_pwquality. They depend on the security policy or password policy that your machines are required to comply with.

Configuring a Password Policy with Specific Character Class Requirements

A policy that requires a specific minimum password length, with specific numbers of characters per class, is easy to configure.

Consider the following example policy:

  • Passwords must be a minimum of eight characters in length.

  • Passwords must contain at least one uppercase character.

  • Passwords must contain at least two digits.

  • Passwords must contain at least one special character.

To implement this policy, edit the /etc/security/pwquality.conf file to set the following parameters:

[root@demo ~]# vim /etc/security/pwquality.conf
minlen = 8
lcredit = 0
ucredit = -1
dcredit = -2
ocredit = -1

Negative values indicate the minimum number of characters required for each class. Even though the policy does not specify anything regarding lowercase characters, you still need to set the lcredit parameter to 0. The default value for all those credit parameters is 1, and you need to specify suitable values for all parameters or pam_pwquality will not enforce the password policy correctly.

Explaining the Credit Mechanism

Password policies such as the previous one are widespread, but they are sometimes a source of frustration for the users who have to create and remember passwords with complex combinations of different classes of characters. Another option is to force much longer passwords but with fewer character class constraints. A shorter password can even be accepted if the user voluntarily uses special characters.

Note

A 2011 study conducted by Carnegie Mellon University in conjunction with the United States National Institute of Standards and Technology (NIST) found that requiring users to create longer passwords, with no additional requirements around complexity or variation of types of characters used in the passwords, produced passwords with more entropy that were easier for users to remember and create. Of Passwords and People: Measuring the Effect of Password-Composition Policies [http://www.ece.cmu.edu/~lbauer/papers/2011/chi2011-passwords.pdf]

The pam_pwquality credit mechanism is an implementation of that idea, and it is triggered when the credit parameters have positive values. In that situation, the minlen parameter is more like a quality level that the password must reach for the module to accept it:

  • The password earns one point for each character.

  • An additional credit is given for each lowercase character, up to the value of lcredit.

  • An additional credit is given for each uppercase character, up to the value of ucredit.

  • An additional credit is given for each digit, up to the value of dcredit.

  • An additional credit is given for each other character, up to the value of ocredit.

If the resulting score is equal to or above minlen, then the password is accepted.

With the following /etc/security/pwquality.conf configuration file, the table below gives some examples.

[root@demo ~]# cat /etc/security/pwquality.conf
minlen = 18
lcredit = 1
ucredit = 1
dcredit = 2
ocredit = 5

Password           | Length | Credit                                                              | Status
passwordlowercase  | 17     | length 17 + lowercase 1 + uppercase 0 + digit 0 + other 0 = 18      | Pass
WithFourUpperChr   | 16     | length 16 + lowercase 1 + uppercase 1 + digit 0 + other 0 = 18      | Pass
withaspecialch!    | 15     | length 15 + lowercase 1 + uppercase 0 + digit 0 + other 1 = 17      | Fail
!with-o?char.      | 13     | length 13 + lowercase 1 + uppercase 0 + digit 0 + other 4 = 18      | Pass
Sco:10+1=11        | 11     | length 11 + lowercase 1 + uppercase 1 + digit 2 + other 3 = 18      | Pass
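To make the length rules concrete, the following Python reimplements just the minlen/credit arithmetic described in the two preceding sections (the per-class minimums of the eight-character policy and the positive-credit scoring of the table above). It is added example code, not part of libpwquality or of this course; it ignores the module's other checks (dictionary words, repeated characters, and so on), and the policy objects and sample passwords it builds are constructed for illustration.

```python
# Added example: a reimplementation of the pam_pwquality minlen/credit rules.
# Illustrative code only, not libpwquality; only the length scoring is modelled.
from dataclasses import dataclass


@dataclass
class PwqualityConfig:
    """The length-related keys of /etc/security/pwquality.conf."""
    minlen: int = 8
    lcredit: int = 1   # pwquality default: every class gives one credit
    ucredit: int = 1
    dcredit: int = 1
    ocredit: int = 1


def class_counts(password: str) -> dict:
    """Count characters per class; 'other' is anything not lower/upper/digit."""
    lower = sum(c.islower() for c in password)
    upper = sum(c.isupper() for c in password)
    digit = sum(c.isdigit() for c in password)
    return {"l": lower, "u": upper, "d": digit,
            "o": len(password) - lower - upper - digit}


def credit_score(password: str, cfg: PwqualityConfig):
    """Return (score, violated_class).

    A non-negative credit adds min(count, credit) on top of the raw length.
    A negative credit adds nothing but requires at least -credit characters
    of that class; the first unmet minimum is reported as violated_class.
    """
    counts = class_counts(password)
    score = len(password)
    for cls, credit in (("l", cfg.lcredit), ("u", cfg.ucredit),
                        ("d", cfg.dcredit), ("o", cfg.ocredit)):
        if credit >= 0:
            score += min(counts[cls], credit)
        elif counts[cls] < -credit:
            return score, cls
    return score, None


def password_meets_policy(password: str, cfg: PwqualityConfig) -> bool:
    """Accept when no class minimum is violated and the score reaches minlen."""
    score, violated = credit_score(password, cfg)
    return violated is None and score >= cfg.minlen


if __name__ == "__main__":
    # The configuration from the table above and its five sample passwords.
    table_cfg = PwqualityConfig(minlen=18, lcredit=1, ucredit=1, dcredit=2, ocredit=5)
    for pw in ("passwordlowercase", "WithFourUpperChr", "withaspecialch!",
               "!with-o?char.", "Sco:10+1=11"):
        status = "Pass" if password_meets_policy(pw, table_cfg) else "Fail"
        print(f"{pw:20} score={credit_score(pw, table_cfg)[0]:2}  {status}")
```

Running the eight-character policy with lcredit left at its default of 1 shows why the section above insists on setting it to 0: a seven-character password earns a lowercase credit and scores 8, so it is accepted although it is shorter than the policy allows.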

References

The pam_pwquality(8) and pwquality.conf(5) man pages.

For more information, refer to the Password Security section in the Red Hat Enterprise Linux 7 Security Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/#sec-Password_Security

Revision: rh415-7.5-b847083