|
Size: 2335
Comment:
|
← Revision 10 as of 2022-11-18 04:19:00 ⇥
Size: 2340
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| Line 8: | Line 7: |
| {{{ tar -zcf ~/etc_2022-11-18.tar.gz /etc/ }}} = Step 2: 增加或修改/etc/pam.d目录中的system-auth文件为指定的参数 = 首先确认当前环境系统版本, 根据版本选择对应的模块/配制. |
|
| Line 9: | Line 13: |
| tar -zcf ~/etc_$(date +%F).tar.gz /etc/ = Step 2: 增加或修改/etc/pam.d目录中的system-auth文件为指定的参数 = 首先确认当前环境系统版本 '' cat /etc/*release '' ## RHEL6.X 配制 == |
''' cat /etc/*release ''' == RHEL6.X 配制 == |
| Line 16: | Line 16: |
| sed -i.$(date +%F)-bak '/pam_cracklib/s#password#\#password#g' /etc/pam.d/system-auth | sed -i.2022-11-18-bak '/pam_cracklib/s#password#\#password#g' /etc/pam.d/system-auth |
| Line 19: | Line 19: |
| ### $(date +%F) added ### | ### 2022-11-18 added |
| Line 26: | Line 26: |
| ## RHEL7.X 配制 == | == RHEL7.X 配制 == |
| Line 28: | Line 28: |
| sed -i.$(date +%F)-bak '/pam_pwquality/s#password#\#password#g' /etc/pam.d/system-auth | sed -i.2022-11-18-bak '/pam_pwquality/s#password#\#password#g' /etc/pam.d/system-auth |
| Line 31: | Line 31: |
| ### $(date +%F) added ### | ### 2022-11-18 added |
| Line 42: | Line 42: |
| ### $(date +%F) added ### | ### 2022-11-18 added |
| Line 56: | Line 56: |
| = Step 4: 查看配制文件 = | = Step 4: 修改日志保留周期 = 由默认的4周改为26 |
| Line 58: | Line 59: |
| {{{ sed -i.2022-11-18-bak 's#rotate 4#rotate 26#' /etc/logrotate.conf }}} = Step 5: 修改Linux用户登录超时(闲置时间) = 本次配制选择全局属性 {{{ sed -i.2022-11-18-bak '$aexport TMOUT=900' /etc/profile }}} = Step 6: 查看配制文件 = |
|
| Line 62: | Line 74: |
| = Step 5: 验证配制结果 = | cat /etc/logrotate.conf |
| Line 64: | Line 76: |
| == 修改用户密码 == 预期结果: 密码需要满足复杂性要求,否则无法设置或修改用户密码 ~# passwd root ~# passwd OTHER-USERNAME == 从显示器或远程(KVM/CONSOLE)控制台登录 == 预期结果: 使用root用户从LOCAL登录,尝试失败超过5次之后root用户锁定, 并在5分钟之后自动恢复为可登录状态. |
tail /etc/profile |
| Line 78: | Line 81: |
| * man pam_cracklib |
根据要求修改RHEL/CentOS Linux 6-7中的用户策略
Contents
Step 1: 备份etc目录
执行修改操作之前, 建议备份/etc相关文件.
tar -zcf ~/etc_2022-11-18.tar.gz /etc/
Step 2: 增加或修改/etc/pam.d目录中的system-auth文件为指定的参数
首先确认当前环境系统版本, 根据版本选择对应的模块/配制.
cat /etc/*release
RHEL6.X 配制
sed -i.2022-11-18-bak '/pam_cracklib/s#password#\#password#g' /etc/pam.d/system-auth cat >> /etc/pam.d/system-auth <<EOF ### 2022-11-18 added password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-4 ocredit=-1 enforce_for_root password required pam_unix.so use_authtok nullok md5 EOF
RHEL7.X 配制
sed -i.2022-11-18-bak '/pam_pwquality/s#password#\#password#g' /etc/pam.d/system-auth cat >> /etc/pam.d/system-auth <<EOF ### 2022-11-18 added password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-4 ocredit=-1 enforce_for_root password required pam_unix.so use_authtok nullok md5 EOF
Step 3: 增加或修改/etc/pam.d目录中的login文件为指定的参数
cat >> /etc/pam.d/login <<EOF ### 2022-11-18 added auth required pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=300 auth required pam_env.so auth required pam_unix.so auth required pam_nologin.so account required pam_unix.so password required pam_unix.so session required pam_limits.so session required pam_unix.so session required pam_lastlog.so nowtmp session optional pam_mail.so standard EOF
Step 4: 修改日志保留周期
由默认的4周改为26
sed -i.2022-11-18-bak 's#rotate 4#rotate 26#' /etc/logrotate.conf
Step 5: 修改Linux用户登录超时(闲置时间)
本次配制选择全局属性
sed -i.2022-11-18-bak '$aexport TMOUT=900' /etc/profile
Step 6: 查看配制文件
cat /etc/pam.d/system-auth
cat /etc/pam.d/login
cat /etc/logrotate.conf
tail /etc/profile
References
- man pam_tally2
- man pam_pwquality
- man pam_cracklib