Linux 101 : Securing users accounts - PAM, chage, logs, ...
Below we could find different ways of securing and checking user accounts.
We could also check the "sudo" activities using the command:
The above command displays the logs as events happen - live -, along with the latest logs.
The below command displays the latest logs:
To set an expiration date on an account, we use the below command:
Example:
To check the expiry information of a user's password, we use the following command:
We could look for these accounts in a system by checking the "/etc/shadow" file using the below command:
The above command displays the first field - username - and the eight field - expiry date - from the "/etc/shadow" file.
We could refine the above results and only display the users we are interested in - accounts with a valid username with expired accounts -:
We could also use PAM - pluggable authentication module - to set the requirements for our passwords.
Below we can see an example that only accepts passwords that fit the below requirements:
- The password has to be ten characters long.
- The password must have five uppercase letters.
- The password must have three lowercase letters.
We could set the above requirements either in the "/etc/pam.d/common-password" file or in the "/etc/pam.d/common-auth" file as below:
We could also add other requirements like:
- dcredit n : numbers of digits in the password.
- difok n : tells the system than there must be a difference with the previous "n" passwords.
The same settings could be added to the "/etc/login.defs" file, for example:
- PASS_MAX_DAYS : maximum days until the password change.
- PASS_MIN_DAYS : so users will not keep changing their passwords frequently, they will need to wait a minimum number of days - we usually set it above zero -.
- PASS_MIN_LEN : sets the minimum password length.
- PASS_WARN_AGE : number of days before the change of password in which the user gets a warning message.
Remark:
Changing the password settings for a user could help secure the system, we could do it using the below command:
- -M : days before the password needs to be changed.
- -m : minimum number of days before the password could be changed - keep the users from frequently changing their password -.
- -W : the user receives a warning three days before the password needs to be changed.
To check the expiry date for "Albert", we could use the below command:
Remark:
We could tell the system to lock Albert's account after "X" days of inactivity after the expiry of the password using the below command:
Comments