Differences between revisions 1 and 6 (spanning 5 versions)
Revision 1 as of 2022-11-18 02:27:01
Size: 2335
Editor: localhost
Comment:
Revision 6 as of 2022-11-18 02:49:23
Size: 2310
Editor: localhost
Comment:
Deletions are marked like this. Additions are marked like this.
Line 13: Line 13:
'' cat /etc/*release ''
## RHEL6.X 配制 ==
''' cat /etc/*release '''
== RHEL6.X 配制 ==
Line 26: Line 27:
## RHEL7.X 配制 == == RHEL7.X 配制 ==
Line 56: Line 57:
= Step 4: 查看配制文件 = = Step 4: 修改日志保留周期 =
由默认的4周改为26
Line 58: Line 60:
{{{
sed -i.$(date +%F)-bak 's#rotate 4#rotate 26#' /etc/logrotate.conf
}}}

= Step 5: 修改Linux用户登录超时(闲置时间) =
本次配制选择全局属性
{{{
sed -i.$(date +%F)-bak '$aexport TMOUT=900' /etc/profile
}}}

= Step 6: 查看配制文件 =
Line 62: Line 75:
= Step 5: 验证配制结果 = cat /etc/logrotate.conf
Line 64: Line 77:
== 修改用户密码 ==
预期结果: 密码需要满足复杂性要求,否则无法设置或修改用户密码

~# passwd root

~# passwd OTHER-USERNAME


== 从显示器或远程(KVM/CONSOLE)控制台登录 ==
预期结果: 使用root用户从LOCAL登录,尝试失败超过5次之后root用户锁定, 并在5分钟之后自动恢复为可登录状态.		 tail /etc/profile
Line 78: Line 82:
 * man pam_cracklib

根据要求修改RHEL/CentOS Linux 6-7中的用户策略

Contents

  1. Step 1: 备份etc目录
  2. Step 2: 增加或修改/etc/pam.d目录中的system-auth文件为指定的参数
    1. RHEL6.X 配制
    2. RHEL7.X 配制
  3. Step 3: 增加或修改/etc/pam.d目录中的login文件为指定的参数
  4. Step 4: 修改日志保留周期
  5. Step 5: 修改Linux用户登录超时(闲置时间)
  6. Step 6: 查看配制文件
  7. References

Step 1: 备份etc目录

执行修改操作之前, 建议备份/etc相关文件.

tar -zcf ~/etc_$(date +%F).tar.gz /etc/

Step 2: 增加或修改/etc/pam.d目录中的system-auth文件为指定的参数

首先确认当前环境系统版本

cat /etc/*release

RHEL6.X 配制

sed -i.$(date +%F)-bak '/pam_cracklib/s#password#\#password#g' /etc/pam.d/system-auth

cat >> /etc/pam.d/system-auth <<EOF
### $(date +%F) added ###
password    requisite     pam_cracklib.so try_first_pass retry=3 type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-4 ocredit=-1 enforce_for_root
password  required pam_unix.so use_authtok nullok md5
EOF

RHEL7.X 配制

sed -i.$(date +%F)-bak '/pam_pwquality/s#password#\#password#g' /etc/pam.d/system-auth

cat >> /etc/pam.d/system-auth <<EOF
### $(date +%F) added ###
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-4 ocredit=-1 enforce_for_root
password  required pam_unix.so use_authtok nullok md5
EOF

Step 3: 增加或修改/etc/pam.d目录中的login文件为指定的参数

cat >> /etc/pam.d/login <<EOF
### $(date +%F) added ###
auth     required       pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=300
auth     required       pam_env.so
auth     required       pam_unix.so
auth     required       pam_nologin.so
account  required       pam_unix.so
password required       pam_unix.so
session  required       pam_limits.so
session  required       pam_unix.so
session  required       pam_lastlog.so nowtmp
session  optional       pam_mail.so standard
EOF

Step 4: 修改日志保留周期

由默认的4周改为26 

sed -i.$(date +%F)-bak 's#rotate 4#rotate 26#' /etc/logrotate.conf

Step 5: 修改Linux用户登录超时(闲置时间)

本次配制选择全局属性 

sed -i.$(date +%F)-bak '$aexport TMOUT=900' /etc/profile

Step 6: 查看配制文件

cat /etc/pam.d/system-auth

cat /etc/pam.d/login

cat /etc/logrotate.conf

tail /etc/profile

References

  • man pam_tally2
  • man pam_pwquality
  • man pam_cracklib

désert/workarea/2022-11-18 (last edited 2022-11-18 04:19:00 by localhost)