Linux 101 : Securing users accounts - PAM, chage, logs, ...

Below we could find different ways of securing and checking user accounts.

We could check "sudo" use and also its failed tries in the in "/var/log/auth.log" file.

We could also check the "sudo" activities using the command:

The above command displays the logs as events happen - live -, along with the latest logs.

The below command displays the latest logs:

To set an expiration date on an account, we use the below command:


To check the expiry information of a user's password, we use the following command:

Unused accounts - disabled or expired - could present a security hole in the system. 
We could look for these accounts in a system by checking the  "/etc/shadow" file using the below command:

The above command displays the first field - username - and the eight field - expiry date - from the "/etc/shadow" file.

We could refine the above results and only display the users we are interested in - accounts with a valid username with expired accounts -:

We could also use PAM - pluggable authentication module - to set the requirements for our passwords.

Below we can see an example that only accepts passwords that fit the below requirements:
  • The password has to be ten characters long. 
  • The password must have five uppercase letters. 
  • The password must have three lowercase letters.
We could set the above requirements either in the "/etc/pam.d/common-password" file or in the "/etc/pam.d/common-auth" file as below:

We could also add other requirements like:
  • dcredit n : numbers of digits in the password.
  • difok n : tells the system than there must be a difference with the previous "n" passwords.
The same settings could be added to the "/etc/login.defs" file, for example:
  • PASS_MAX_DAYS : maximum days until the password change.
  • PASS_MIN_DAYS : so users will not keep changing their passwords frequently, they will need to wait a minimum number of days - we usually set it above zero -.
  • PASS_MIN_LEN : sets the minimum password length.
  • PASS_WARN_AGE : number of days before the change of password in which the user gets a warning message.

If we set the minimum password length in both PAM and "/etc/login.defs", the higher one will be taken inti account.

Changing the password settings for a user could help secure the system, we could do it using the below command:

  • -M : days before the password needs to be changed.
  • -m : minimum number of days before the password could be changed - keep the users from frequently changing their password -.
  • -W : the user receives a warning three days before the password needs to be changed. 
To check the expiry date for "Albert", we could use the below command:


We could tell the system to lock Albert's account after "X" days of inactivity after the expiry of the password using the below command:


Leave as a comment: