Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-1921935.1
Update Date:2016-03-18
Keywords:

Solution Type: Technical Instruction

Solution 1921935.1: How to Implement Security Measures Using pam_tally2


Related Items
  • Exadata X3-2 Hardware
Related Categories
  • PLA-Support>Infrastructure>Operating Systems and Virtualization>Operating Systems>Oracle Linux
  • Tools>Primary Use>Configuration




In this Document
Goal
Solution
References


Created from <SR 3-8630276091>

Applies to:

Exadata X3-2 Hardware - Version All Versions to All Versions [Release All Releases]
Information in this document applies to any platform.

Goal

To restrict access to the system with the following account-lockout measures:

  1.  Lock the user account after 5 consecutive failed login attempts
  2.  Unlock the account automatically after 10 minutes
  3.  Reset the failed-attempt counter on the first successful login

Solution

Replace the default /etc/pam.d/system-auth, /etc/pam.d/sshd and /etc/pam.d/login with the files shown below. The lockout policy lives in a single line of the system-auth auth stack:

    auth        required      pam_tally2.so deny=5 onerr=fail unlock_time=600 even_deny_root root_unlock_time=600

deny=5 locks the account after five consecutive failures, unlock_time=600 releases it after 10 minutes, onerr=fail denies access if the tally file cannot be read or written, and even_deny_root together with root_unlock_time=600 applies the same policy to root. The pam_tally2 lines in sshd and login are intentionally commented out: both files include system-auth, which already runs the module, and listing it in both places would count each failed attempt twice and lock the account after three rather than five real failures. A successful authentication resets the counter when the service calls pam_setcred, which login and sshd do; a service that does not call pam_setcred needs an additional "account required pam_tally2.so" line to reset it.

Two caveats apply to system-auth. Its header is accurate: authconfig regenerates the file, so on Oracle Linux 5 and 6, where /etc/pam.d/system-auth is normally a symlink to system-auth-ac, replace the symlink with a regular file so that a later authconfig run does not discard the change. The password line also keeps the release's default md5 hash; where the release supports it, sha512 is the stronger choice. Finally, because even_deny_root is set, five wrong root passwords lock root out for the full 10 minutes as well; the bug and note listed under References describe that behaviour on Exadata.

# cat /etc/pam.d/system-auth
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        required      pam_tally2.so deny=5 onerr=fail unlock_time=600 even_deny_root root_unlock_time=600
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so

    account     required      pam_unix.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so

# cat /etc/pam.d/sshd
    #%PAM-1.0
    #auth      required     pam_tally2.so deny=5 onerr=fail unlock_time=600 even_deny_root root_unlock_time=600
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

# cat /etc/pam.d/login
    #%PAM-1.0
    auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
    #auth      required     pam_tally2.so deny=5 onerr=fail unlock_time=600 even_deny_root root_unlock_time=600
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    optional     pam_keyinit.so force revoke
    session    required     pam_loginuid.so
    session    include      system-auth
    session    optional     pam_console.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open
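The following shell script is an added example; it is not part of the Oracle note or of any Exadata tooling. It lints a directory of PAM files for the policy above: each login service must reach exactly one active pam_tally2 auth line, following "auth include" one level deep, and that line must carry deny=5, onerr=fail, unlock_time=600, even_deny_root and root_unlock_time=600. The fixture it writes is a constructed, abridged copy of the three files from this note; the script assumes plain control keywords (required, sufficient, ...) on the pam_tally2 line and never touches /etc/pam.d itself.

```shell
#!/bin/sh
# Added example, not from the Oracle note: lint /etc/pam.d-style files for the
# pam_tally2 lockout policy. A service that runs pam_tally2 twice per attempt
# (its own line plus the one included from system-auth) locks accounts after
# half the intended number of real failures, so exactly one active line is allowed.
# Assumptions: plain control keywords on the pam_tally2 line, "auth include"
# nesting one level deep (enough for system-auth).

TALLY_RE='^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_tally2\.so'

# Print the active (uncommented) pam_tally2 auth lines that service $2 in
# directory $1 runs: its own, plus those pulled in via "auth include <file>".
tally_auth_lines() {
    dir="$1"; svc="$2"
    grep -E "$TALLY_RE" "$dir/$svc" 2>/dev/null || true
    for inc in $(awk '$1 == "auth" && $2 == "include" { print $3 }' "$dir/$svc"); do
        if [ -f "$dir/$inc" ]; then
            grep -E "$TALLY_RE" "$dir/$inc" || true
        fi
    done
}

# Return 0 when service $2 runs pam_tally2 exactly once with the options the
# note requires; otherwise print the reason on stderr and return 1.
check_tally_policy() {
    dir="$1"; svc="$2"
    lines=$(tally_auth_lines "$dir" "$svc" | tr '\t' ' ')
    n=$(printf '%s\n' "$lines" | grep -c 'pam_tally2' || true)
    if [ "$n" -ne 1 ]; then
        echo "$svc: $n active pam_tally2 auth lines, expected 1" >&2
        return 1
    fi
    for opt in deny=5 onerr=fail unlock_time=600 even_deny_root root_unlock_time=600; do
        case " $lines " in
            *" $opt "*) ;;
            *) echo "$svc: pam_tally2 line is missing $opt" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed fixture: a scratch copy of the three files from the note,
# reduced to the lines relevant to the lockout policy. $1 = target directory.
write_fixture() {
    dir="$1"
    cat > "$dir/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 onerr=fail unlock_time=600 even_deny_root root_unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
    cat > "$dir/sshd" <<'EOF'
#%PAM-1.0
#auth      required     pam_tally2.so deny=5 onerr=fail unlock_time=600 even_deny_root root_unlock_time=600
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
EOF
    cat > "$dir/login" <<'EOF'
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
#auth      required     pam_tally2.so deny=5 onerr=fail unlock_time=600 even_deny_root root_unlock_time=600
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
EOF
}

# Uncomment the pam_tally2 line in file $1, reproducing the double-count mistake.
enable_local_tally() {
    sed 's/^#\(auth[[:space:]].*pam_tally2\)/\1/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demonstration on a scratch directory; /etc/pam.d is never touched.
demo_dir=$(mktemp -d)
write_fixture "$demo_dir"
for svc in system-auth sshd login; do
    check_tally_policy "$demo_dir" "$svc" && echo "$svc: lockout policy OK"
done
enable_local_tally "$demo_dir/sshd"
check_tally_policy "$demo_dir" sshd || echo "sshd: rejected, pam_tally2 now runs twice per attempt"
rm -rf "$demo_dir"
```

To check a live system, call check_tally_policy /etc/pam.d sshd (and login) after installing the files. On the host itself, pam_tally2 --user <name> shows the current failure count for an account and pam_tally2 --user <name> --reset clears a lock before the 10 minutes elapse.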

References

<BUG:18399481> - ONE BAD PASSWORD LOCKS OUT THE ROOT ACCOUNT AFTER USING PAM_TALLY2
<NOTE:1541862.1> - When We Input Wrong Root Password During Login Exadata System, We Have To Wait For 10mins

  Copyright © 2018 Oracle, Inc.  All rights reserved.