Manage security on a RHEL system by controlling authentication with Pluggable Authentication Modules (PAM).
Before We Begin
The following PAM modules are used in this article:
Backup PAM Config
Before you do anything, backup your PAM configuration:
# authconfig --savebackup=/root/pam_backup
Allow both Manual and authconfig Configuration
We prefer to use authconfig but also want to allow manual configuration.
Note that authconfig modifies the
# cd /etc/pam.d # cp system-auth-ac system-auth-local # cp password-auth-ac password-auth-local # rm -f system-auth password-auth # ln -s system-auth-local system-auth # ln -s password-auth-local password-auth
We can now use the custom
*-local files for manual configuration, but include the
*-ac files for the configuration we do through authconfig.
# cat system-auth-local auth include system-auth-ac account include system-auth-ac password include system-auth-ac session include system-auth-ac
# cat password-auth-local auth include password-auth-ac account include password-auth-ac password include password-auth-ac session include password-auth-ac
The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines.
Configure PAM Rule Order
Only the account type is provided.
password-auth-local files and add the new rule before the other account rules.
# cat system-auth-local auth include system-auth-ac account required pam_time.so account include system-auth-ac password include system-auth-ac session include system-auth-ac
# cat password-auth-local auth include password-auth-ac account required pam_time.so account include password-auth-ac password include password-auth-ac session include password-auth-ac
Set Time Restriction
Prevent users from logging in using SSH between 5 PM and 10PM on Fridays and Saturdays. This restriction does not apply to root, alice and vince. Note that the configuration requires 24-hour format.
Add the following to
The pam_access PAM module is mainly for access management.
All module types (auth, account, password and session) are provided.
# authconfig --help|grep access --enablepamaccess check access.conf during account authorization --disablepamaccess do not check access.conf during account authorization
# authconfig --enablepamaccess --update
Set Access Restriction
- Prevent vince access from IP 10.11.1.10.
- Allow root, alice, sandy and vince to log in from anywhere.
- Other users are not allowed to log in.
/etc/security/access.conf configuration file and add the following:
-:vince:10.11.1.10 +:root alice sandy vince:ALL -:ALL:ALL
The pam_sepermit module allows or denies login depending on SELinux enforcement state.
We’re going to configure the module for sshd.
# grep sepermit /etc/pam.d/* /etc/pam.d/sshd:auth required pam_sepermit.so
Only single login session will be allowed for the SELinux staff_u user, and the user’s processes will be killed on logout.
# semanage login -l Login Name SELinux User MLS/MCS Range Service __default__ unconfined_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * system_u system_u s0-s0:c0.c1023 * vince staff_u s0-s0:c0.c1023 *
/etc/security/sepermit.conf configuration file and add the following:
This module can be plugged into the password stack of a given service to provide some plug-in strength-checking for passwords.
Only the password module type is provided.
To define advanced password requirements, edit the
Set the password length to 12 characters, require at least three lowercase letters, one uppercase letter, at least two numbers, and at least one special character:
minlen = 12 lcredit = -3 ucredit = -1 dcredit = -2 ocredit = -1
Note that negative values indicate the minimum number of characters required for each class.
This module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than deny consecutive failed authentications.
To enable and configure pam_faillock, we can manually edit the PAM configuration files, but the authconfig tool offers a much easier way.
# authconfig --enablefaillock \ --faillockargs="deny=5 fail_interval=90 unlock_time=300" \ --update
By default, pam_faillock does not lock the root account. To change that, use even_deny_root argument.
# authconfig --enablefaillock \ --faillockargs="deny=5 fail_interval=90 unlock_time=300 even_deny_root" \ --update
You can list failed login attempts with the faillock command.
# faillock --user sandy sandy: When Type Source Valid 2019-06-30 12:23:26 RHOST 10.11.1.10 V 2019-06-30 12:23:29 RHOST 10.11.1.10 V 2019-06-30 12:23:32 RHOST 10.11.1.10 V 2019-06-30 12:23:36 RHOST 10.11.1.10 V 2019-06-30 12:23:38 RHOST 10.11.1.10 V
This module that can be used to set the delay on failure per-application.
Only the auth module type is provided.
To enable and configure pam_faildelay, we can manually edit the PAM configuration files, but it is sometimes easier to the
The above will set the retry delay to 5 seconds.
The pam_tty_audit PAM module is used to enable or disable TTY auditing.
Only the session type is supported.
Enable the auditing of TTY for the alice user:
# cat /etc/pam.d/system-auth-local auth include system-auth-ac account required pam_time.so account include system-auth-ac password include system-auth-ac session include system-auth-ac session required pam_tty_audit.so disable=* enable=alice
# cat /etc/pam.d/password-auth-local auth include password-auth-ac account required pam_time.so account include password-auth-ac password include password-auth-ac session include password-auth-ac session required pam_tty_audit.so disable=* enable=alice
Verify the audit logs:
# aureport -i --tty TTY Report =============================================== # date time event auid term sess comm data =============================================== 1. 30/06/19 12:31:33 3061 alice ? 208 bash "ls -l /tmp" 2. 30/06/19 12:33:29 3092 alice ? 209 top "q"
$ man pam_faildelay $ man pam_time ;# (see /etc/security/time.conf) $ man pam_access ;# (see /etc/security/access.conf) $ man pam_pwquality ;# (see /etc/security/pwquality.conf) $ man pam_sepermit ;# (see /etc/security/sepermit.conf) $ man sepermit.conf $ man pam_faillock ;# (does not a have a dedicated configuration file) $ man pam_tty_audit