PAM Module
You can file an issue about it and ask that it be added.
Linux-PAM is a library that enables the local system administrator to choose how individual applications authenticate users. It offers multiple low-level authentication schemes into a high-level application programming interface (API).
Currently the more widely used hashes are the SHA-256 and SHA-512 based sha256crypt and sha512crypt, which are similar in structure to md5crypt but support a variable number of iterations. They're marked with $5$ and $6$ respectively. sha512crypt ($6$) is what at least RedHat/CentOS and Debian (and generally most modern distros) currently use by default.
# C2S/CIS: CCE-27104-9 (Medium)
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
This option provides the capability to lock out user accounts after a number of failed login attempts. Locking out user accounts presents the risk of a denial-of-service attack. Edit the AUTH and ACCOUNT (for the last parameter) sections of both /etc/pam.d/system-auth and /etc/pam.d/password-auth:
# C2S/CIS: CCE-26884-7 (Medium)
# Add the following line immediately before the pam_unix.so
auth required pam_faillock.so preauth silent deny=5 unlock_time=900 fail_interval=900
# Add the following line immediately after the pam_unix.so
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900 fail_interval=900
# Add the following line immediately before the pam_unix.so
account required pam_faillock.so
If you want, you can use a more restrictive configuration (I personally prefer this way):
auth required pam_faillock.so preauth silent deny=3 unlock_time=1800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=1800 fail_interval=900
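To verify that a PAM stack actually carries the settings above (sha512 on the password line, the preauth entry before pam_unix.so, the authfail entry after it, and the account entry), here is an added audit script that is not part of the guide. It runs against two constructed sample files; on a real host you would point check_pam_file at /etc/pam.d/system-auth and /etc/pam.d/password-auth.

```shell
#!/bin/sh
# Audit one PAM stack file for the hardening settings discussed above.
# Prints one line per finding and returns 0 only when every check passes.
check_pam_file() {
    file=$1
    rc=0
    # Line numbers of the relevant entries (empty when absent); comment lines are skipped.
    unix_auth=$(awk '!/^[[:space:]]*#/ && $1=="auth" && /pam_unix\.so/ {print NR; exit}' "$file")
    preauth=$(awk '!/^[[:space:]]*#/ && $1=="auth" && /pam_faillock\.so/ && /preauth/ {print NR; exit}' "$file")
    authfail=$(awk '!/^[[:space:]]*#/ && $1=="auth" && /pam_faillock\.so/ && /authfail/ {print NR; exit}' "$file")
    account=$(awk '!/^[[:space:]]*#/ && $1=="account" && /pam_faillock\.so/ {print NR; exit}' "$file")
    sha512=$(awk '!/^[[:space:]]*#/ && $1=="password" && /pam_unix\.so/ && /sha512/ {print NR; exit}' "$file")

    [ -n "$sha512" ] || { echo "$file: password pam_unix.so lacks sha512"; rc=1; }
    [ -n "$unix_auth" ] || { echo "$file: no auth pam_unix.so line"; rc=1; }
    # Ordering matters: preauth must run before pam_unix.so, authfail after it.
    if [ -z "$preauth" ] || [ -z "$unix_auth" ] || [ "$preauth" -ge "$unix_auth" ]; then
        echo "$file: pam_faillock.so preauth missing or not before pam_unix.so"; rc=1
    fi
    if [ -z "$authfail" ] || [ -z "$unix_auth" ] || [ "$authfail" -le "$unix_auth" ]; then
        echo "$file: pam_faillock.so authfail missing or not after pam_unix.so"; rc=1
    fi
    [ -n "$account" ] || { echo "$file: account pam_faillock.so missing"; rc=1; }
    return $rc
}

# Constructed sample stacks (not real system files) so the script runs offline.
GOOD=$(mktemp); BAD=$(mktemp)
cat >"$GOOD" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=5 unlock_time=900 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=900 fail_interval=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF
# Missing preauth and account entries, and still hashing with md5.
cat >"$BAD" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=900 fail_interval=900
account     required      pam_unix.so
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
EOF

check_pam_file "$GOOD" && echo "$GOOD: compliant"
check_pam_file "$BAD" || echo "$BAD: NOT compliant"
```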
Other guides recommend setting the FAILLOG_ENAB and FAIL_DELAY params in the /etc/login.defs configuration file. This is an incorrect solution because login.defs is no longer used by login, su and passwd (see man login.defs(5)) unless you use pam_pwcheck.
The Practical Linux Hardening Guide provides a high-level overview of hardening GNU/Linux systems. It is not an official standard or handbook, but it touches on and uses industry standards.