RedHat password policy reinforcement

Configure the account password Validity Period
Security requirements:
The password is valid for up to 90 days. You are reminded to change the password 10 days before expiration.
General policy:
Enable Password Expiration policies for Maintenance Accounts and system accounts. During implementation, the business account and database account can be configured based on the business reinforcement policy.
Risk Description:
If the password is not modified in time before it expires, the Service may be interrupted. Therefore, determine which accounts require exception settings.
If the password is associated, the Business configuration file is not modified synchronously when the password is changed, which may cause service unavailability.
Operation Method:
1. Set the Maximum Password validity period to 90 days
Modify/etc/login. defs and add or modify the following content:
# Vi/etc/login. defs
PASS_MAX_DAYS 90
Set an existing account in the system:
# Passwd-x 90 account
For example, change the root account, # passwd-x 90 root
 
2. Remind the user to change the password 10 days before expiration.
Modify/etc/login. defs and add or modify the following content:
# Vi/etc/login. defs
PASS_WARN_AGE 10
Set an existing account in the system:
# Passwd-w 7 account
For example, change the root account, # passwd-w 7 root
3. view the account password policy:
# Chage-l account
For example, change the root account, # chage-l root
Maximum number of days between password change: 90
Number of days of warning before password expires: 10
Operation Verification:
Verification Method:
Use an account whose password has expired to log on to the system;
Use the account whose password is about to expire to log on to the system;
Expected results:
Logon Failed
The system prompts you to change the password.
Complexity of account password configuration
Security requirements:
The account password (including the root account) must contain at least eight characters, including numbers, lowercase letters, uppercase letters, and special characters.
General policy:
This operation takes effect immediately and is valid for all commands that change passwords ., It is generally set to a minimum length of 8 characters.
It must contain at least one digit, one lower-case letter, one upper-case letter, and one special character.
Risk Description:
If a password is associated with a user, you must modify the business configuration file synchronously when changing the password. Otherwise, the business may become unavailable.
Operation Method:
Set Password rules: each character has at least one character from these character sets a-z, A-Z, punctuation, 0-9
Modify the/etc/pam. d/passwd file:
# Vi/etc/security/passwd
Make sure that the following lines are not commented out. If not, add them in the following order:
# % PAM-1.0
Auth include system-auth
Account include system-auth
Password requisite pam_passwdqc.so enforce = everyone
Password requisite pam_cracklib.so minlen = 8 lcredit =-1 ucredit =-1 ocredit =-1 dcredit =-1
Password include system-auth
Operation Verification:
Verification Method:
Create a Common Account and configure a simple password with the same password as the user name, containing only characters or numbers, and a password with a length shorter than 8 characters, check whether the system prompts the password strength requirements. The input must contain at least one number, one lower-case letter, one upper-case letter, and one special character.
To check whether the system can be set successfully. For example, enter the password P @ ssw0rd.
Expected results:
When the password strength is not met, the system prompts the password strength requirements.
When the password strength is met, it can be set successfully.
 
Configure repeated use times of account passwords
Security requirements:
So that the account cannot use the password used in the last two times (including two times)
General policy:
Determines whether to allow this option based on the business reinforcement policy.
Risk Description:
None
Operation Method:
Password used for the last two times is prohibited
Modify/etc/pam. d/passwd
Make sure that the following lines are not commented out. If not, add them in the following order:
# Vi/etc/pam. d/passwd
# % PAM-1.0
Auth required pam_stack.so service = system-auth
Account required pam_stack.so service = system-auth
Password requisite pam_unix.so remember = 2
Password requisite pam_passwdqc.so enforce = everyone
Password requisite pam_cracklib.so minlen = 8 lcredit =-1 ucredit =-1 ocredit =-1 dcredit =-1 pam_stack.so
Password include system-auth
 
 
 
Operation Verification:
Verification Method:
Use the user account to change your password and set the new password to be the same as the old password for the last two times;
Expected results:
If the new password is the same as the previous password, the system does not accept the new password. Will prompt:
You can now choose the new password or passphrase.
 
Author's mind is light and zhiping, white paper and ink --- blog