A client company's SOX audit requirements for Linux accounts, and how a Red Hat engineer and I addressed them.
SOX requirements for Linux OS passwords
1. A unique user ID is required in combination with a password to access the system.
2. Automatic password changing after 60 days where technically feasible. If not technically feasible, a compensating control is in place.
3. Password minimum length of 8 characters or maximum length allowed by system when the allowable length is less than 8 characters.
4. User IDs/Accounts suspended after 6 invalid logins if technically feasible. If not technically feasible, a compensating control is in place.
5. Accounts inactive for 60 days are disabled if technically possible. If not technically possible, a compensating control is in place.
6. Password history of 12 is enabled, which prohibits reuse of the last 12 passwords.
7. Following a new user's initial logon to the application, the user is prompted to change password.
From Me
For 2: password expiry setting
[root@localhost]# passwd -x 60 -w 10 <username>
-x 60 sets the maximum password age to 60 days and -w 10 warns the user 10 days before it expires. The command acts on one account (<username> is a placeholder; with no login name it changes root's own aging), so repeat it for every existing account, and set PASS_MAX_DAYS 60 and PASS_WARN_AGE 10 in /etc/login.defs so that accounts created later inherit the same values.
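Added example (editor's code, not the author's or Red Hat's): the passwd -x/-w command above changes one account at a time, so this script audits every entry of a shadow(5)-format file against the 60-day maximum and the 10-day warning, and carries an apply_aging function that sets the same values with chage(1). The function names, the constructed sample entries and their fake hashes are assumptions for illustration. Only the max/warn fields are checked, because requirement 5 (60 days of login inactivity) is not a shadow(5) field.

```shell
#!/bin/sh
# Added example, not from the post: audit and apply password aging for every
# account, using shadow(5) fields name:hash:lastchg:min:max:warn:inactive:expire:.
MAX_DAYS=60      # requirement 2
WARN_DAYS=10     # from "passwd -w 10" above

# audit_aging FILE
#   prints "user: max-days=... warn-days=..." for every account that holds a real
#   password hash (locked "!"/"*" and empty entries are skipped) and breaks a
#   threshold; prints nothing when all comply.
audit_aging() {
    awk -F: -v max="$MAX_DAYS" -v warn="$WARN_DAYS" '
    $2 == "" || $2 == "*" || substr($2, 1, 1) == "!" { next }   # no usable password
    {
        v = ""
        # an empty max field means "never expires"; 99999 is the usual default
        if ($5 == "" || $5 + 0 > max)  v = v " max-days=" ($5 == "" ? "unset" : $5)
        if ($6 == "" || $6 + 0 < warn) v = v " warn-days=" ($6 == "" ? "unset" : $6)
        if (v != "") print $1 ":" v
    }' "$1"
}

# apply_aging [FILE]   (root only; FILE defaults to /etc/shadow)
#   sets the thresholds with chage(1) on every account that has a real hash;
#   accounts created later get theirs from PASS_MAX_DAYS/PASS_WARN_AGE in /etc/login.defs.
apply_aging() {
    awk -F: '$2 != "" && $2 != "*" && substr($2, 1, 1) != "!" { print $1 }' "${1:-/etc/shadow}" |
    while read -r user; do
        chage -M "$MAX_DAYS" -W "$WARN_DAYS" "$user"
    done
}

# Constructed sample (not a real shadow file): root keeps the 99999-day default,
# alice complies, bob is locked, carol is warned too late.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$fakehash:17000:0:99999:7:::
alice:$6$fakehash:17000:1:60:10:::
bob:!!:17000:0:99999:7:::
carol:$6$fakehash:17000:1:60:3:::
EOF
audit_aging "$sample"     # prints the root and carol lines only
rm -f "$sample"
# Real use: audit_aging /etc/shadow ; then, as root, apply_aging
```

The audit output is the evidence an auditor asks for; running apply_aging afterwards and auditing again should leave the output empty.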
For 3: complexity setting
Add the following lines to /etc/pam.d/passwd (on Red Hat systems that file only includes system-auth, so the same lines can replace the existing pam_cracklib and pam_unix password entries in /etc/pam.d/system-auth). Each PAM entry is a single line:
password requisite pam_cracklib.so type="Retype-3-At-least-8-letters-1-capital-1-character" retry=3 minlen=10 ucredit=-1 ocredit=-1
password required pam_unix.so use_authtok
The type= string only replaces the word "UNIX" in the "New UNIX password:" prompt, so it is a reminder to the user, not an enforced rule. The enforced rules are the credits: a negative credit (ucredit=-1, ocredit=-1) makes at least one upper-case and one non-alphanumeric character mandatory, whereas the positive credits ucredit=1 ocredit=1 only add one point of length credit for each class present and let a long enough all-lower-case password with a digit through with no capital at all. minlen=10 is likewise a score, not a character count: the password length plus the credits earned from the positive-credit classes (dcredit and lcredit default to 1) must reach 10.
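Added example (editor's code, not the author's and not Linux-PAM's): a shell emulation of pam_cracklib's documented length/credit rule, showing why ucredit=1 does not demand a capital letter while ucredit=-1 does. The function name cracklib_score and the sample passwords are assumptions; the dictionary, palindrome and difok checks are not emulated, so PASS here only means the minlen/credit test would pass.

```shell
#!/bin/sh
# Added example, not code from the post or from Linux-PAM: emulates the
# length/credit part of pam_cracklib's check so the effect of positive versus
# negative credits can be seen. Rules as documented in pam_cracklib(8):
#   credit N >= 0 : up to N characters of that class each add 1 to the score
#   credit N <  0 : at least -N characters of that class are mandatory, no score
#   the password fails when the score is below minlen
# Passwords are passed with awk -v, so backslashes in them would be interpreted.
#
# cracklib_score PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT  -> prints PASS or FAIL
cracklib_score() {
    LC_ALL=C awk -v pw="$1" -v minlen="$2" -v dc="$3" -v uc="$4" -v lc="$5" -v oc="$6" '
    BEGIN {
        n = length(pw); d = u = l = o = 0
        for (i = 1; i <= n; i++) {
            c = substr(pw, i, 1)
            if (c ~ /[0-9]/) d++
            else if (c ~ /[A-Z]/) u++
            else if (c ~ /[a-z]/) l++
            else o++
        }
        size = n; ok = 1
        if (dc >= 0) size += (d < dc ? d : dc); else if (d < -dc) ok = 0
        if (uc >= 0) size += (u < uc ? u : uc); else if (u < -uc) ok = 0
        if (lc >= 0) size += (l < lc ? l : lc); else if (l < -lc) ok = 0
        if (oc >= 0) size += (o < oc ? o : oc); else if (o < -oc) ok = 0
        if (size < minlen) ok = 0
        print (ok ? "PASS" : "FAIL")
    }'
}

# The post's original values (minlen=10 ucredit=1 ocredit=1, default dcredit=1
# lcredit=1) versus the mandatory-class version (ucredit=-1 ocredit=-1):
cracklib_score 'secret1234' 10  1  1 1  1    # PASS: 10 + 1 digit + 1 lower credit, no capital needed
cracklib_score 'secret1234' 10  1 -1 1 -1    # FAIL: a capital and a symbol are now mandatory
cracklib_score 'Secret12#4' 10  1 -1 1 -1    # PASS
cracklib_score 'password'   10  1  1 1  1    # FAIL: 8 + 1 lower credit = 9 < 10
```

The last line also shows what minlen really is: an 8-character password of one class scores 9, so "at least 8 letters" in the prompt and minlen=10 do not say the same thing.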
Reference Documents
passwd manual
The Linux-PAM System Administrators' Guide
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html#toc6
From Red Hat China Support
For 4:
http://kbase.redhat.com/faq/FAQ_80_4047.shtm
For 7:
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-users-cmd-line.html
http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
Password "History"
pam_cracklib is capable of consulting a user's password "history" and not allowing them to re-use old passwords. However, the functionality for actually storing the user's old passwords is enabled via the pam_unix module.
The first step is to make sure to create an empty /etc/security/opasswd file for storing old user passwords. If you forget to do this before enabling the history feature in the PAM configuration file, then all user password updates will fail because the pam_unix module will constantly be returning errors from the password history code due to the file being missing.
Treat your opasswd file like your /etc/shadow file because it will end up containing user password hashes (albeit for old user passwords that are no longer in use):
touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd
Once you've got the opasswd file set up, enable password history checking by adding the option "remember=<x>" to the pam_unix configuration line in the /etc/pam.d/common-password file. Here's how I have things set up on my Knoppix machine:
password required pam_cracklib.so retry=3 minlen=12 difok=4
password required pam_unix.so md5 remember=12 use_authtok
The value of the "remember" parameter is the number of old passwords you want to store for a user. It turns out that there's an internal maximum of 400 previous passwords, so values higher than 400 are all equivalent to 400. Before you complain about this limit, consider that even if your site forces users to change passwords every 30 days, 400 previous passwords represents over 30 years of password history. This is probably sufficient for even the oldest of legacy systems.
Once you've enabled password history, the opasswd file starts filling up with user entries that look like this:
hal:1000:<n>:<hash1>,<hash2>,...,<hashn>
The first two fields are the username and user ID. The <n> in the third field represents the number of old passwords currently being stored for the user; this value is incremented by one every time a new hash is added to the user's password history until <n> ultimately equals the value of the "remember" parameter set on the pam_unix configuration line. <hash1>,<hash2>,...,<hashn> are actually the MD5 password hashes for the user's old passwords.
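Added example (editor's code, not Hal Pomeranz's, the author's or Red Hat's): a pre-flight check for the opasswd setup described above, since a missing opasswd file makes every password change fail once remember= is set, and a readable one leaks old hashes. The function name, the PROBLEM message texts and the constructed sample files are assumptions; it assumes stat(1) with -c (GNU coreutils or BusyBox), and the 12 comes from requirement 6 in the list at the top of the page.

```shell
#!/bin/sh
# Added example, not from the article or from Linux-PAM: check that the opasswd
# file exists with safe permissions and that the pam_unix password line has a
# large enough remember= before relying on password history.
REMEMBER_MIN=12    # requirement 6: last 12 passwords may not be reused

# history_preflight OPASSWD_FILE PAM_FILE
#   prints one "PROBLEM: ..." line per finding and returns 1; prints OK otherwise.
history_preflight() {
    opasswd=$1; pamfile=$2; rc=0
    if [ ! -f "$opasswd" ]; then
        echo "PROBLEM: $opasswd missing; pam_unix will fail every password change once remember= is set"
        rc=1
    else
        mode=$(stat -c '%a' "$opasswd")
        owner=$(stat -c '%U' "$opasswd")
        [ "$mode" = 600 ] || { echo "PROBLEM: $opasswd mode $mode, want 600 (it holds password hashes)"; rc=1; }
        [ "$owner" = root ] || { echo "PROBLEM: $opasswd owned by $owner, want root"; rc=1; }
    fi
    # first pam_unix entry of the password stack: remember=N must be present and N >= REMEMBER_MIN
    remember=$(awk '$1 == "password" && $3 ~ /pam_unix\.so/ {
                        for (i = 4; i <= NF; i++)
                            if ($i ~ /^remember=[0-9]+$/) { sub(/^remember=/, "", $i); print $i }
                        exit
                    }' "$pamfile")
    if [ -z "$remember" ]; then
        echo "PROBLEM: no remember= on the pam_unix password line in $pamfile"; rc=1
    elif [ "$remember" -lt "$REMEMBER_MIN" ]; then
        echo "PROBLEM: remember=$remember keeps fewer than $REMEMBER_MIN old passwords"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo OK
    return "$rc"
}

# Constructed files for a dry run (not real system files): a world-readable
# opasswd and the Knoppix common-password lines quoted above.
tmpd=$(mktemp -d)
touch "$tmpd/opasswd"; chmod 644 "$tmpd/opasswd"
printf '%s\n' 'password required pam_cracklib.so retry=3 minlen=12 difok=4' \
              'password required pam_unix.so md5 remember=12 use_authtok' > "$tmpd/common-password"
history_preflight "$tmpd/opasswd" "$tmpd/common-password" || true
rm -rf "$tmpd"
# Real use on Red Hat: history_preflight /etc/security/opasswd /etc/pam.d/system-auth
```

The dry run reports the 644 mode (and, unless run as root, the owner); the remember=12 line passes. Run it again after the touch/chown/chmod steps above to confirm the file side is clean before users start changing passwords.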