How to enforce password complexity/expiration policy on CentOS 7/RHEL 7
1/Set minimum password length:
Edit the minlen variable in file /etc/security/pwquality.conf, for example minlen = 12 (libpwquality does not accept a value below 6; the PASS_MIN_LEN setting in /etc/login.defs is obsolete on CentOS 7/RHEL 7 and is not enforced):

2/Set password complexity:
Edit these variables in file /etc/security/pwquality.conf:
+ maxrepeat: Maximum number of times the same character may appear consecutively in the new password (0 disables the check).
+ usercheck: Whether to reject a new password that contains the user name in some form (1 = check, 0 = do not check).
+ ucredit: If the value is >= 0 it is the maximum credit for uppercase characters: each uppercase character counts as one extra character toward minlen, up to that many. If the value is < 0 it is the minimum number of uppercase characters the new password must contain (for example ucredit = -1 requires at least one uppercase character).
+ lcredit: Same as ucredit, for lowercase characters.
+ dcredit: Same as ucredit, for digits.
+ ocredit: Same as ucredit, for other (special) characters.
These settings are enforced by the pam_pwquality module, which CentOS 7/RHEL 7 enables in /etc/pam.d/system-auth and /etc/pam.d/password-auth by default. When root changes a password (its own or another user's) a failed check is only reported as a warning and the weak password is accepted anyway, unless enforce_for_root is added to the pam_pwquality line. A candidate password can be tested against the current settings without changing anything with pwscore (from the libpwquality package).
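The following script, added here as an example and not part of the original page, writes the settings from sections 1 and 2 into a pwquality.conf-style file idempotently and pre-checks a candidate password with the same point system pam_pwquality uses (minlen, the four credit values, maxrepeat and usercheck). The policy values in apply_policy (12 characters, one of each class, maxrepeat 3) are an assumption, and the file path is a parameter so it can be tried on a copy of /etc/security/pwquality.conf. It does not reproduce the cracklib dictionary check or the other pwquality tests (palindrome, similarity to the old password, minclass, maxclassrepeat); the authoritative check on a real system is pwscore.

```bash
#!/bin/bash
# Added example: idempotent pwquality.conf editing plus a pre-check that
# mirrors pam_pwquality's point system. Policy values are an assumption.
set -u

# set_pwq_key FILE KEY VALUE: rewrite an existing "key = ..." line (active or
# commented out) or append one, so repeated runs never duplicate a key.
set_pwq_key() {
    local file=$1 key=$2 value=$3 tmp
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        tmp=$(mktemp) &&
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp" &&
        mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_pwq_key FILE KEY DEFAULT: last active value of KEY, or DEFAULT if unset.
get_pwq_key() {
    local v
    v=$(sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# apply_policy FILE: 12+ characters, at least one of each class (negative
# credits), no more than 3 identical characters in a row, user name rejected.
apply_policy() {
    set_pwq_key "$1" minlen 12
    set_pwq_key "$1" ucredit -1
    set_pwq_key "$1" lcredit -1
    set_pwq_key "$1" dcredit -1
    set_pwq_key "$1" ocredit -1
    set_pwq_key "$1" maxrepeat 3
    set_pwq_key "$1" usercheck 1
}

# credit COUNT CREDIT: print the length credit earned by COUNT characters of
# one class. CREDIT >= 0 caps the credit at CREDIT; CREDIT < 0 is a hard
# minimum of -CREDIT characters and the function fails when it is not met.
credit() {
    if [ "$2" -ge 0 ]; then
        if [ "$1" -gt "$2" ]; then echo "$2"; else echo "$1"; fi
    else
        [ "$1" -ge $(( 0 - $2 )) ] && echo 0 || return 1
    fi
}

# max_run STRING: length of the longest run of one repeated character.
max_run() {
    [ -n "$1" ] || { echo 0; return; }
    printf '%s' "$1" | awk '{ best = 1; run = 1
        for (i = 2; i <= length($0); i++) {
            if (substr($0, i, 1) == substr($0, i - 1, 1)) run++; else run = 1
            if (run > best) best = run
        }
        print best }'
}

# check_password FILE PASSWORD [USERNAME]: print "ok" and return 0 when
# PASSWORD satisfies FILE, otherwise print the first failing rule, return 1.
check_password() {
    local f=$1 pw=$2 user=${3:-} t cr need len uppers lowers digits others
    local minlen ucr lcr dcr ocr maxrep usercheck
    minlen=$(get_pwq_key "$f" minlen 8)
    [ "$minlen" -ge 6 ] || minlen=6        # libpwquality never goes below 6
    ucr=$(get_pwq_key "$f" ucredit 1); lcr=$(get_pwq_key "$f" lcredit 1)
    dcr=$(get_pwq_key "$f" dcredit 1); ocr=$(get_pwq_key "$f" ocredit 1)
    maxrep=$(get_pwq_key "$f" maxrepeat 0); usercheck=$(get_pwq_key "$f" usercheck 1)
    if [ "$usercheck" != 0 ] && [ -n "$user" ]; then   # case-insensitive user name test
        case "$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')" in
            *"$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')"*)
                echo "contains the user name"; return 1 ;;
        esac
    fi
    if [ "$maxrep" -gt 0 ] && [ "$(max_run "$pw")" -gt "$maxrep" ]; then
        echo "more than $maxrep identical characters in a row"; return 1
    fi
    len=${#pw}
    t=$(printf '%s' "$pw" | tr -cd '[:upper:]'); uppers=${#t}
    t=$(printf '%s' "$pw" | tr -cd '[:lower:]'); lowers=${#t}
    t=$(printf '%s' "$pw" | tr -cd '[:digit:]'); digits=${#t}
    others=$(( len - uppers - lowers - digits ))
    need=$minlen   # the required length shrinks by the credits earned
    cr=$(credit "$uppers" "$ucr") || { echo "needs $(( 0 - ucr )) uppercase"; return 1; }; need=$(( need - cr ))
    cr=$(credit "$lowers" "$lcr") || { echo "needs $(( 0 - lcr )) lowercase"; return 1; }; need=$(( need - cr ))
    cr=$(credit "$digits" "$dcr") || { echo "needs $(( 0 - dcr )) digits"; return 1; }; need=$(( need - cr ))
    cr=$(credit "$others" "$ocr") || { echo "needs $(( 0 - ocr )) special"; return 1; }; need=$(( need - cr ))
    [ "$len" -ge "$need" ] || { echo "too short: $len of $need (after credits)"; return 1; }
    echo ok
}

# Demo on a scratch file: "bash script.sh demo". Never point this at the live
# /etc/security/pwquality.conf unless you intend to change the policy.
if [ "${1:-}" = demo ]; then
    scratch=$(mktemp) && printf '# minlen = 8\n' > "$scratch"
    apply_policy "$scratch" && cat "$scratch"
    for p in 'Tr0ub4dor&Xyz' 'trouba4dor&xyz' 'Paaaa55word!x' 'Ab1!'; do
        printf '%-16s %s\n' "$p" "$(check_password "$scratch" "$p" alice)"
    done
    rm -f "$scratch"
fi
```

To use it on a real host, copy /etc/security/pwquality.conf somewhere, run apply_policy on the copy, compare with diff, and only then copy it back; the check_password function is for explaining a rejection to a user, not a replacement for pwscore.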
3/Set password expiration:
– Used to set the maximum number of days a password may be used, the minimum number of days between password changes, and the number of days before expiry on which the system warns the user.
– Edit file /etc/login.defs and set PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE:

– Changing PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE only affects accounts created afterwards (useradd reads them). For accounts that already exist before the change, use the chage command to set the password expiration policy for each account:
# chage -l <username>: list the password expiration policy and status of an account (lchage -l from the libuser package shows the same information)

# chage -M <maxdays> -m <mindays> -W <warndays> <account>

– If the system has too many accounts, do the job in two steps with a script:
+ List all accounts to a file, so that only user accounts get the policy (not application or OS accounts):
# awk -F ":" '{print $1}' /etc/passwd > list_accounts.txt
On CentOS 7/RHEL 7 ordinary users have UID >= 1000 (UID_MIN in /etc/login.defs), so awk -F ":" '$3 >= 1000 && $3 != 65534 {print $1}' /etc/passwd gives a shorter starting list (65534 is nfsnobody).

+ Review this file and keep only the accounts that belong to users and need the policy.

+ Apply the policy to these accounts by using the file as input to chage:
# for auser in $(cat list_accounts.txt); do chage -M 60 -m 3 -W 9 "$auser"; done
Verify the result with chage -l <account>.
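The script below is an added example and not part of the original page; it does the list, filter and apply steps above in one place. Instead of hand-reviewing list_accounts.txt it selects accounts with UID >= UID_MIN from /etc/login.defs (1000 on CentOS 7/RHEL 7), skips UID 65534 (nfsnobody) and accounts whose shell is nologin or false, and takes an explicit exclude list for application accounts that do have a login shell. It only prints the chage commands unless APPLY=1 is set. The file paths are parameters, the 60/3/9 values are an assumption, and the passwd data in the demo is constructed, not taken from a real system.

```bash
#!/bin/bash
# Added example: apply password ageing with chage to interactive user
# accounts only. Dry-run by default; set APPLY=1 to really run chage.

# get_uid_min LOGIN_DEFS: UID_MIN from login.defs, 1000 if unset or unreadable.
get_uid_min() {
    local v
    v=$(awk '$1 == "UID_MIN" { print $2 }' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${v:-1000}"
}

# list_user_accounts PASSWD_FILE UID_MIN [EXCLUDE...]: names of accounts with
# UID >= UID_MIN, a real login shell, and not in the EXCLUDE list. UID 65534
# (nfsnobody) is skipped: it lies above UID_MIN but is a system account.
list_user_accounts() {
    local passwd=$1 uid_min=$2 name
    shift 2
    awk -F: -v min="$uid_min" \
        '$3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }' "$passwd" |
    while IFS= read -r name; do
        case " $* " in
            *" $name "*) ;;                # excluded application account
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# apply_aging PASSWD_FILE LOGIN_DEFS MAXDAYS MINDAYS WARNDAYS [EXCLUDE...]:
# print (or, with APPLY=1, run) chage for every selected account.
apply_aging() {
    local passwd=$1 defs=$2 maxd=$3 mind=$4 warnd=$5 uid_min name
    shift 5
    uid_min=$(get_uid_min "$defs")
    list_user_accounts "$passwd" "$uid_min" "$@" | while IFS= read -r name; do
        if [ "${APPLY:-0}" = 1 ]; then
            chage -M "$maxd" -m "$mind" -W "$warnd" "$name"
        else
            printf 'chage -M %s -m %s -W %s %s\n' "$maxd" "$mind" "$warnd" "$name"
        fi
    done
}

# Demo on constructed data: "bash script.sh demo". On a real host call
# apply_aging /etc/passwd /etc/login.defs 60 3 9 <excluded accounts...>
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc_app:x:1002:1002:App service:/opt/app:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/false
EOF
    printf 'UID_MIN 1000\n' > "$d/login.defs"
    apply_aging "$d/passwd" "$d/login.defs" 60 3 9 svc_app
    rm -rf "$d"
fi
```

Run it once without APPLY to read the generated command list, compare it against your own knowledge of which accounts are service accounts, and add any misfits to the exclude list before running with APPLY=1.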

4/Set a specific expiry date for an account (account expiry):
# chage -E YYYY-MM-DD <account>
chage -E takes the date as YYYY-MM-DD or as the number of days since 1970-01-01; chage -E -1 removes the expiry date again. Unlike password expiry, an expired account cannot log in at all.

– Set the expiry a number of days from now (for example an account for a partner that should only work for one month):
# chage -E $(date -d "+30 days" +%Y-%m-%d) <account>
# chage -E $(date -d "+1 month" +%Y-%m-%d) <account>
Check the result with chage -l <account> (the "Account expires" line).

5/Set the maximum login attempts per SSH connection:
– Edit file /etc/ssh/sshd_config and set MaxAuthTries (default 6), then check the file with sshd -t and apply it with systemctl restart sshd. This only limits authentication attempts within one connection; the client can reconnect and try again, so it is not an account lockout. Locking an account after repeated failed logins is done with pam_faillock in /etc/pam.d/system-auth and /etc/pam.d/password-auth.

6/Lock and unlock user account:
# passwd -l <account>
# passwd -u <account>
– passwd -l only locks the password (it puts "!" in front of the hash in /etc/shadow), so logins that do not use the password, such as SSH public-key authentication, still work; usermod -L and usermod -U do the same. To disable an account completely, also set an expiry date in the past, e.g. chage -E 0 <account>. passwd -S <account> shows the current status.

