
Lab: Controlling Authentication with PAM

Configure system authentication with PAM by applying an authselect profile, enforce a specified password complexity policy on password changes, and lock user accounts after a specified number of failed logins.

Outcomes

  • Apply an authselect security profile.

  • Configure accounts to lock after failed logins.

  • Configure password quality requirements.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start pam-review

Instructions

  1. Log in to the serverd machine as the root user.

    1. Use the ssh student@serverd command to log in to the serverd machine.

      [student@workstation ~]$ ssh student@serverd
      ...output omitted...
      [student@serverd ~]$
    2. Use the sudo -i command to change to the root user with the student sudo password.

      [student@serverd ~]$ sudo -i
      [sudo] password for student: student
      [root@serverd ~]#
  2. Apply the minimal profile with the with-faillock feature enabled.

    1. Use the authselect select minimal with-faillock command to select the minimal profile and enable its with-faillock feature, which adds pam_faillock to the generated PAM stack. The minimal profile uses only local files (such as /etc/passwd and /etc/shadow) as identity sources, which is why the command reports the nsswitch maps it rewrites. You can confirm the active profile and features afterward with the authselect current command.

      [root@serverd ~]# authselect select minimal with-faillock
      Profile "minimal" was selected.
      The following nsswitch maps are overwritten by the profile:
      - aliases
      - automount
      - ethers
      - group
      - hosts
      - initgroups
      - netgroup
      - networks
      - passwd
      - protocols
      - publickey
      - rpc
      - services
      - shadow
  3. Configure the pam_faillock module to lock an account after two consecutive failed attempts within a five-minute period and to unlock it automatically after five minutes.

    1. Use a text editor to modify the /etc/security/faillock.conf configuration file to contain the following settings (times are in seconds):

      deny = 2
      fail_interval = 300
      unlock_time = 300

      pam_faillock reads this file at authentication time, so no service restart is needed. You can inspect a user's failure tally, or clear a lock before unlock_time expires, with the faillock command.
  4. Configure the pam_pwquality module to use the password credit mechanism with the following requirements:

    Field                                     Value
    Minimum password length or complexity     15
    Minimum required lowercase characters     1
    Credits for uppercase characters          2
    Credits for digits                        2
    Credits for special characters            3

    In pwquality.conf, a negative credit value sets a minimum number of characters of that class that a password must contain, while a non-negative value sets the maximum number of characters of that class that each count as one extra character toward minlen. A required minimum of one lowercase character is therefore written as lcredit = -1, and the uppercase, digit, and special-character credits are written as positive values.
    1. Use a text editor to modify the /etc/security/pwquality.conf configuration file to contain the following settings:

      minlen = 15
      lcredit = -1
      ucredit = 2
      dcredit = 2
      ocredit = 3
    2. Return to the workstation machine.

      [root@serverd ~]# logout
      [student@serverd ~]$ logout
      Connection to serverd closed.
      [student@workstation ~]$
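The two settings files written in steps 3 and 4 are easy to misjudge: fail_interval and unlock_time interact, and positive pwquality credits lower the length a password actually has to reach (with the values above, a password that earns all seven credits needs only 8 characters). The following Python model, added here as an example and not part of the lab or of the PAM modules themselves, applies the documented deny/fail_interval/unlock_time rule from faillock.conf(5) and the minlen/credit rule from pwquality.conf(5) to constructed inputs so the effect of the lab values can be checked without failing logins on serverd. It also accepts other values, so the same functions show the default-style case where fail_interval is longer than unlock_time. The function names and the sample timelines and passwords are this example's own assumptions; other pwquality checks (dictionary words, maxrepeat, similarity to the old password) are deliberately left out.

```python
"""Model of the pam_faillock lockout rule and the pam_pwquality credit rule.

Added example, not part of the lab. It follows the descriptions in
faillock.conf(5) and pwquality.conf(5); it is an approximation for reasoning
about the configuration, not the PAM modules themselves.
"""
import string

# Values written to /etc/security/faillock.conf in step 3 (seconds).
FAILLOCK = {"deny": 2, "fail_interval": 300, "unlock_time": 300}

# Values written to /etc/security/pwquality.conf in step 4.
PWQUALITY = {"minlen": 15, "lcredit": -1, "ucredit": 2, "dcredit": 2, "ocredit": 3}


def faillock_locked(failure_times, now, conf=FAILLOCK):
    """Return True if the account is locked at Unix time `now`.

    `failure_times` are timestamps of recorded authentication failures (what
    pam_faillock keeps in its per-user tally). A failure counts toward deny
    only while it lies within fail_interval seconds of `now`; once deny
    failures are inside that window, access stays denied until unlock_time
    seconds have passed since the most recent failure.
    """
    if not failure_times:
        return False
    in_window = [t for t in failure_times if t + conf["fail_interval"] >= now]
    if len(in_window) < conf["deny"]:
        return False
    latest = max(failure_times)
    return latest + conf["unlock_time"] >= now


def pwquality_check(password, conf=PWQUALITY):
    """Apply the minlen/credit rule and return (accepted, reason).

    Credit semantics from pwquality.conf(5): a negative value is a hard
    minimum number of characters of that class; a value >= 0 is the maximum
    number of characters of that class that each earn one credit, and every
    credit lowers the length the password must reach to satisfy minlen.
    Characters are classed as digit, upper, lower, or other (ocredit).
    """
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in password:
        if ch in string.digits:
            counts["dcredit"] += 1
        elif ch in string.ascii_uppercase:
            counts["ucredit"] += 1
        elif ch in string.ascii_lowercase:
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1

    required_len = conf["minlen"]
    for cls, have in counts.items():
        credit = conf[cls]
        if credit < 0:
            # Negative credit: a hard minimum for this class.
            if have < -credit:
                return False, f"fewer than {-credit} characters of class {cls}"
        else:
            # Non-negative credit: up to `credit` characters of this class
            # each count one extra toward minlen.
            required_len -= min(have, credit)

    if len(password) < required_len:
        return False, f"length {len(password)} below effective minimum {required_len}"
    return True, f"accepted (effective minimum length {required_len})"


if __name__ == "__main__":
    # Constructed sample timelines: (failure timestamps, time of next login).
    for failures, now in [([0, 100], 200), ([0, 400], 410), ([0, 100], 350)]:
        print(failures, now, "locked" if faillock_locked(failures, now) else "open")
    # Constructed sample passwords (not real credentials).
    for pw in ["aB1#2$C%", "Passw0rd!", "ABCDEFGHIJKLMNOP", "abcdefghijklmno"]:
        print(repr(pw), *pwquality_check(pw))
```

Two results are worth noticing. With the lab values, failures at t=0 and t=100 lock the account, but by t=350 the first failure has aged out of the 300-second window, so the count drops below deny and the model reports the account open even though fewer than unlock_time seconds have passed since the last failure; with the larger fail_interval of a default-style configuration, unlock_time is what governs. And "aB1#2$C%" is accepted at 8 characters because its two uppercase, two digits, and three special characters earn the full seven credits, which is the trade-off the credit mechanism makes against a plain 15-character minimum.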

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade pam-review

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish pam-review

Revision: rh415-9.2-a821299