Guided Exercise: Selecting the PAM Configuration

Select a PAM profile, and interpret the PAM configuration results.

Outcomes

  • Use the authselect tool to list and select security profiles.

  • List and select additional options for the security profiles.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start pam-selecting

Instructions

  1. Log in as the root user on the serverc machine.

    1. Use the ssh student@serverc command to log in to the student user on the serverc host.

      [student@workstation ~]$ ssh student@serverc
      ...output omitted...
      [student@serverc ~]$
    2. Use the sudo -i command to change to the root user. Use the student sudo password.

      [student@serverc ~]$ sudo -i
      [sudo] password for student: student
      [root@serverc ~]#
  2. List the available security profiles by using the authselect list command.

    [root@serverc ~]# authselect list
    - minimal	 Local users only for minimal installations
    - sssd   	 Enable SSSD for system authentication (also for local users only)
    - winbind	 Enable winbind for system authentication
  3. List the available options and view the documentation for the minimal security profile.

    1. Use the authselect list-features minimal command to list the available options for the minimal security profile.

      [root@serverc ~]# authselect list-features minimal
      with-altfiles
      with-custom-aliases
      with-custom-automount
      with-custom-ethers
      with-custom-group
      with-custom-hosts
      with-custom-initgroups
      with-custom-netgroup
      with-custom-networks
      with-custom-passwd
      with-custom-protocols
      with-custom-publickey
      with-custom-rpc
      with-custom-services
      with-custom-shadow
      with-ecryptfs
      with-faillock
      with-mkhomedir
      with-pamaccess
      with-pwhistory
      with-silent-lastlog
      without-nullok
    2. Use the authselect show minimal command to view the documentation for the minimal security profile.

      [root@serverc ~]# authselect show minimal
      Local users only for minimal installations
      ==========================================
      
      Selecting this profile will enable local files as the source of identity
      and authentication providers.
      
      This profile can be used on systems that require minimal installation to
      save disk and memory space. It serves only local users and groups directly
      from system files instead of going through other authentication providers.
      Therefore SSSD, winbind and fprintd packages can be safely removed.
      
      Unless this system has strict memory and disk constraints, it is recommended
      to keep SSSD running and use 'sssd' profile to avoid functional limitations.
      
      AVAILABLE OPTIONAL FEATURES
      +---------------------------+
      
      with-faillock::
          Enable account locking in case of too many consecutive
          authentication failures.
      
      with-mkhomedir::
      ...output omitted...
  4. Select the minimal profile with the with-pwhistory option and verify the changes.

    1. View the existing PAM configuration in the /etc/pam.d/system-auth file.

      [root@serverc ~]# cat /etc/pam.d/system-auth
      ...output omitted...
      
      auth        required                                     pam_env.so
      auth        required                                     pam_faildelay.so delay=2000000
      auth        sufficient                                   pam_unix.so nullok
      auth        required                                     pam_deny.so
      
      account     required                                     pam_unix.so
      
      password    requisite                                    pam_pwquality.so
      password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
      password    required                                     pam_deny.so
      
      session     optional                                     pam_keyinit.so revoke
      session     required                                     pam_limits.so
      -session    optional                                     pam_systemd.so
      session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
      session     required                                     pam_unix.so

      Note

      The /etc/pam.d/password-auth file is identical to the /etc/pam.d/system-auth file.

    2. Use the authselect select minimal with-pwhistory command to apply the minimal security profile with the with-pwhistory additional option.

      [root@serverc ~]# authselect select minimal with-pwhistory
      Profile "minimal" was selected.
      The following nsswitch maps are overwritten by the profile:
      - aliases
      - automount
      - ethers
      - group
      - hosts
      - initgroups
      - netgroup
      - networks
      - passwd
      - protocols
      - publickey
      - rpc
      - services
      - shadow
    3. Use the authselect current command to verify that the security profile is applied.

      [root@serverc ~]# authselect current
      Profile ID: minimal
      Enabled features:
      - with-pwhistory
    4. View the changes to the /etc/pam.d/system-auth file.

      [root@serverc ~]# cat /etc/pam.d/system-auth
      ...output omitted...
      
      auth        required                                     pam_env.so
      auth        required                                     pam_faildelay.so delay=2000000
      auth        sufficient                                   pam_unix.so nullok
      auth        required                                     pam_deny.so
      
      account     required                                     pam_unix.so
      
      password    requisite                                    pam_pwquality.so
      password    [default=1 ignore=ignore success=ok]         pam_localuser.so
      password    requisite                                    pam_pwhistory.so use_authtok
      password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
      password    required                                     pam_deny.so
      
      session     optional                                     pam_keyinit.so revoke
      session     required                                     pam_limits.so
      -session    optional                                     pam_systemd.so
      session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
      session     required                                     pam_unix.so
  5. Return to the workstation machine.

    [root@serverc ~]# logout
    [student@serverc ~]$ logout
    Connection to serverc closed.
    [student@workstation ~]$
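The password stack in step 4 only enforces password history if pam_pwhistory.so runs before the sufficient pam_unix.so line; once pam_unix.so succeeds, later modules in the stack never run. The following script, added here and not part of the course material, parses a PAM configuration file in the format shown above and reports the position of a module within a given stack. The sample file is a constructed copy of the post-change password stack, not a file read from serverc.

```shell
#!/bin/sh
# Constructed sample modelled on /etc/pam.d/system-auth after
# 'authselect select minimal with-pwhistory' (not copied from a live system).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so
password    [default=1 ignore=ignore success=ok]   pam_localuser.so
password    requisite     pam_pwhistory.so use_authtok
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
password    required      pam_deny.so
-session    optional      pam_systemd.so
session     required      pam_unix.so
EOF

# pam_line_number FILE TYPE MODULE
# Prints the 1-based position of MODULE within the TYPE stack
# (auth, account, password or session); prints nothing if it is absent.
pam_line_number() {
    awk -v t="$2" -v m="$3" '
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
        {
            typ = $1; sub(/^-/, "", typ)        # "-session" means optional-if-missing
            if (typ != t) next
            n++
            mod = ""
            # the control field may be bracketed and contain spaces, so locate
            # the module by its .so suffix instead of assuming it is field 3
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { mod = $i; break }
            if (mod == m) { print n; exit }
        }' "$1"
}

# pwhistory_enforced FILE
# Succeeds only when pam_pwhistory.so precedes pam_unix.so in the password
# stack, i.e. the history check cannot be bypassed by pam_unix.so succeeding first.
pwhistory_enforced() {
    h=$(pam_line_number "$1" password pam_pwhistory.so)
    u=$(pam_line_number "$1" password pam_unix.so)
    [ -n "$h" ] && [ -n "$u" ] && [ "$h" -lt "$u" ]
}

if pwhistory_enforced "$SAMPLE"; then
    echo "pam_pwhistory.so runs before pam_unix.so in the password stack"
else
    echo "password history is not enforced by this configuration"
fi
```

Pointing `pwhistory_enforced` at /etc/pam.d/system-auth on serverc after step 4 performs the same check against the real file.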

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish pam-selecting

Revision: rh415-9.2-a821299