Dear All,
I am trying to implement some security policies like password, login, etc.
On googling regarding the security policies, I found them implemented through SELinux and PAM modules.
Can anyone provide a pointer to the exact starting point for implementing the security policies?
Regards, Bhaskar.
On 6/23/06, Bhaskar abc.bhaskar@gmail.com wrote:
Dear All,
I am trying to implement some security policies like password, login, etc.
I think we need a bit more information on what you mean by security policies (a very large boat). Are you wanting to limit the amount of time a person is logged in, how hard his password must be, etc.? Or something completely different?
There are a lot of starting points, but a little more information is needed to make sure you are getting the correct path.
Dear Stephen,
Thanks for responding.
My security policies include something as below:
setting minimum password length. setting number of retry attempts for the password. setting password history, etc.
In FC3, I tried changing MIN_PASS_LEN=5 in the /etc/login.defs file and also included the minlen=5 parameter in the /etc/pam.d/system-auth file.
Kindly suggest whether I am proceeding in the correct direction or not.
Regards, Bhaskar.
On 6/23/06, Stephen John Smoogen smooge@gmail.com wrote:
On 6/23/06, Bhaskar abc.bhaskar@gmail.com wrote:
Dear All,
I am trying to implement some security policies like password, login,
etc.
I think we need a bit more information on what you mean by security policies (a very large boat). Are you wanting to limit the amount of time a person is logged in, how hard his password must be, etc.? Or something completely different?
There are a lot of starting points, but a little more information is needed to make sure you are getting the correct path.
-- Stephen J Smoogen. CSIRT/Linux System Administrator
-- Fedora-security-list mailing list Fedora-security-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-security-list
On 6/23/06, Bhaskar abc.bhaskar@gmail.com wrote:
Dear Stephen,
Thanks for responding.
My security policies include something as below:
setting minimum password length. setting number of retry attempts for the password. setting password history, etc.
In FC3, I tried changing MIN_PASS_LEN=5 in the /etc/login.defs file and also included the minlen=5 parameter in the /etc/pam.d/system-auth file.
That is correct. You will also need to run through /etc/shadow and make sure that any account with passwords has the correct values in them also.
Password history you will need to use the pam_passwdqc module in pam.
Most security policies will ask for a minimum length of 7 characters (though 8 is preferred), and a change time of 90 days.
That is correct. You will also need to run through /etc/shadow and make sure that any account with passwords has the correct values in them also.
What do you exactly mean by running through /etc/shadow?
Password history you will need to use the pam_passwdqc module in pam.
Most security policies will ask for a minimum length of 7 characters (though 8 is preferred), and a change time of 90 days.
As I mentioned, I changed the /etc/pam.d/system-auth file and the /etc/login.defs file (made minimum password length as 9), but it is not reflecting when the user issues the passwd command.
I will do some homework here and get back to you on Monday.
--
Stephen J Smoogen. CSIRT/Linux System Administrator
On 6/23/06, Bhaskar abc.bhaskar@gmail.com wrote:
That is correct. You will also need to run through /etc/shadow and make sure that any account with passwords has the correct values in them also.
What do you exactly mean by running through /etc/shadow?
After you have gotten approval for a policy (or had a policy laid out) you would go through existing accounts and retrochange their ages.
    for acct in $(awk -F: '{print $1}' /etc/shadow); do
        chage -m 5 -M 90 "${acct}"
    done
And then force everyone who already has an account to change their passwords at next setting.
Password history you will need to use the pam_passwdqc module in pam.
Most security policies will ask for a minimum length of 7 characters (though 8 is preferred), and a change time of 90 days.
As I mentioned, I changed the /etc/pam.d/system-auth file and the /etc/login.defs file (made minimum password length as 9), but it is not reflecting when the user issues the passwd command.
That I didn't see before in your message.
I will do some homework here and get back to you on Monday.
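An added example, not part of the original thread: one way to do the /etc/shadow pass described above so that only accounts with a usable password whose age fields differ from the policy are listed, with the matching chage commands printed for review instead of run. The function names and the sample file are constructed for illustration; the values 5 and 90 are the ones used in the loop above.

```shell
#!/bin/sh
# Added example: audit a shadow-format file against a password-ageing policy.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Print "name min max" for every account that has a usable password hash
# (field 2 not empty and not starting with '!' or '*') and whose min/max
# age fields differ from the policy. $1 = file, $2 = min days, $3 = max days
noncompliant_accounts() {
    awk -F: -v min="$2" -v max="$3" '
        $2 == "" || $2 ~ /^[!*]/ { next }   # locked or password-less: skip
        $4 != min || $5 != max {
            print $1, ($4 == "" ? "-" : $4), ($5 == "" ? "-" : $5)
        }
    ' "$1"
}

# Print (do not run) the chage command that would bring each reported
# account into policy, so the change list can be reviewed first.
remediation_commands() {
    noncompliant_accounts "$1" "$2" "$3" |
    while read -r acct _min _max; do
        printf 'chage -m %s -M %s %s\n' "$2" "$3" "$acct"
    done
}

# Constructed sample data (placeholder hashes), written to the path in $1.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$1$constructed$hashA:13320:0:99999:7:::
alice:$1$constructed$hashB:13320:5:90:7:::
bob:$1$constructed$hashC:13320:0:99999:7:::
daemon:*:13320:0:99999:7:::
carol:!!:13320:0:99999:7:::
EOF
}

# Demonstration on the constructed file; on a real system the first
# argument would be /etc/shadow and the script would run as root.
tmp=$(mktemp) && write_sample_shadow "$tmp"
remediation_commands "$tmp" 5 90
rm -f "$tmp"
```

Skipping locked and password-less entries keeps system accounts such as daemon out of the change list, which the plain loop over every name would not do.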