Modifying the user policy on RHEL/CentOS Linux 6-7 as required

Step 1: Back up the /etc directory

Before making any changes, it is recommended to back up the relevant files under /etc.

tar -zcf  ~/etc_2022-11-18.tar.gz /etc/

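Step 2: Add or modify the specified parameters in the system-auth file under /etc/pam.d

First confirm the OS version of the current environment, then choose the module/configuration that matches that version.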

cat /etc/*release

RHEL 6.X configuration

sed -i.2022-11-18-bak '/pam_cracklib/s#password#\#password#g' /etc/pam.d/system-auth

cat >> /etc/pam.d/system-auth <<EOF
### 2022-11-18 added 
password    requisite     pam_cracklib.so try_first_pass retry=3 type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-4 ocredit=-1 enforce_for_root
password  required pam_unix.so use_authtok nullok md5
EOF

RHEL 7.X configuration

sed -i.2022-11-18-bak '/pam_pwquality/s#password#\#password#g' /etc/pam.d/system-auth

cat >> /etc/pam.d/system-auth <<EOF
### 2022-11-18 added 
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-4 ocredit=-1 enforce_for_root
password  required pam_unix.so use_authtok nullok md5
EOF

Step 3: Add or modify the specified parameters in the login file under /etc/pam.d

cat >> /etc/pam.d/login <<EOF
### 2022-11-18 added 
auth     required       pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=300
auth     required       pam_env.so
auth     required       pam_unix.so
auth     required       pam_nologin.so
account  required       pam_unix.so
password required       pam_unix.so
session  required       pam_limits.so
session  required       pam_unix.so
session  required       pam_lastlog.so nowtmp
session  optional       pam_mail.so standard
EOF

Step 4: Change the log retention period

Change it from the default of 4 weeks to 26.

sed -i.2022-11-18-bak 's#rotate 4#rotate 26#' /etc/logrotate.conf

Step 5: Change the Linux user login timeout (idle time)

This configuration applies the setting globally.

sed -i.2022-11-18-bak '$aexport TMOUT=900' /etc/profile

Step 6: Review the configuration files

cat /etc/pam.d/system-auth

cat /etc/pam.d/login

cat /etc/logrotate.conf

tail /etc/profile
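
To check the result of Step 2 rather than only reading it, the following added example (not part of the original page) audits the password stack: PAM evaluates a stack in file order, so it reports when the quality-module line is commented out, sits below the first pam_unix.so password line, or lacks minlen=8. The function name check_pw_stack and the sample file contents are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit the password stack
# that Step 2 leaves in a PAM file. PAM evaluates lines top to bottom.
# Usage: check_pw_stack FILE MODULE
#   MODULE is pam_cracklib.so (RHEL 6) or pam_pwquality.so (RHEL 7).
# Prints one finding per line; returns 0 only when nothing is found.
check_pw_stack() {
  awk -v mod="$2" '
    function finding(msg) { print msg; bad = 1 }
    /^[ \t]*#/ { next }                               # commented-out line
    $1 != "password" && $1 != "-password" { next }    # other PAM types
    { n++ }                                           # position in stack
    index($0, mod) && !q { q = n; opts = " " $0 " " }
    index($0, "pam_unix.so") && !u { u = n }
    END {
      if (!q)
        finding("MISSING: no active " mod " password line")
      else {
        if (u && q > u)
          finding("ORDER: " mod " is below the first pam_unix.so line")
        if (opts !~ /[ \t]minlen=8[ \t]/)
          finding("MINLEN: minlen=8 is not set on the " mod " line")
      }
      exit bad + 0
    }' "$1"
}

# Constructed sample: an assumed RHEL 7 system-auth password section
# after the Step 2 sed and append (the original lines are an assumption).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
### 2022-11-18 added
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-4 ocredit=-1 enforce_for_root
password  required pam_unix.so use_authtok nullok md5
EOF
check_pw_stack "$sample" pam_pwquality.so || true
rm -f "$sample"
```

On a live host, run check_pw_stack /etc/pam.d/system-auth pam_pwquality.so (or pam_cracklib.so on RHEL 6) and treat any printed finding as a reason to re-inspect the file.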

désert/workarea/2022-11-18 (last edited 2022-11-18 04:19:00 by localhost)