Monday, August 30, 2021

Why and How to harden the RHEL OS

 Why ?

On a Red Hat Linux system, complying with certain security policies requires configuring password and login controls at several levels. The RHCSA curriculum does not cover all of these hardening aspects, so below are the main password-related settings I think you need in order to meet such requirements.

How ?

Below are the CLI commands to configure each item:

1- To check that the telnet server is not installed (only the client is allowed):

rpm -qa telnet

telnet-0.17-73.el8_1.1.x86_64

The package listed is the telnet client, which is allowed; the server ships in the separate telnet-server package, so query that name as well (rpm -q telnet-server) and confirm it reports that the package is not installed.

 2- To disable direct SSH login as root, change (or check) that the “PermitRootLogin” parameter is set to no:

# vim /etc/ssh/sshd_config

PermitRootLogin no

 3- To set the maximum number of concurrent login sessions for all users and for a specific user, for example 2 for every user and 5 for admin (enforced by pam_limits, so it covers SSH and any other PAM login):

# vim /etc/security/limits.conf

*                -       maxlogins       2

admin            -       maxlogins       5

 

4- To enforce password strength against a set of rules, Red Hat provides the “pam_pwquality” module. Because passwd is PAM-aware (Pluggable Authentication Modules), the rules are applied whenever a user changes their password.

 

As an example, to require a minimum length and specific character classes:

Length not less than 8, plus at least one uppercase letter, one lowercase letter and one digit (set through the credit values below).

minlen = minimum length of the password (characters plus any credits earned)

dcredit = credit for digits in the password

ucredit = credit for uppercase characters in the password

lcredit = credit for lowercase characters in the password

A credit of N >= 0 lets up to N characters of that class count as extra length towards minlen; a negative value -N instead requires at least N characters of that class and adds no length, which is why -1 is used below.

# vim /etc/security/pwquality.conf

# The new password is rejected if it fails the check and the value is not 0.

enforcing = 1

ucredit = -1

lcredit = -1

minlen = 8

dcredit = -1
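How minlen and the credit values combine is easy to get wrong, so here is a small POSIX sh model of the pam_pwquality length check, added as an example (it is not code from this post or from libpwquality itself). It reproduces the documented credit rule: a credit of N >= 0 lets up to N characters of that class count as extra length towards minlen, while a negative credit -N requires at least N characters of the class and adds nothing. Only the length/credit check is modelled; the dictionary, similarity and other pwquality checks are out of scope. The function names are my own and ocredit is passed explicitly as 0.

```sh
#!/bin/sh
# Added example, not code from the post or from libpwquality: a POSIX sh model
# of the pam_pwquality length check, to predict what the pwquality.conf above
# will accept. Function names are my own; ocredit is passed explicitly.
#
# Documented credit rule (pwquality.conf man page):
#   credit >= 0 : up to that many characters of the class count as extra
#                 length towards minlen
#   credit <  0 : at least (-credit) characters of the class are required,
#                 and they add no extra length
# Only the length/credit check is modelled; dictionary, similarity and the
# other pwquality checks are out of scope.

# count_class PASSWORD CLASS -> number of characters in CLASS, e.g. [:digit:]
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# count_other PASSWORD -> characters that are neither letters nor digits
count_other() {
    printf '%s' "$1" | tr -d '[:alnum:]' | wc -c | tr -d ' '
}

# apply_credit COUNT CREDIT -> echoes the extra length this class earns;
# returns 1 when a negative credit's minimum is not met
apply_credit() {
    n=$1; c=$2
    if [ "$c" -ge 0 ]; then
        [ "$n" -gt "$c" ] && n=$c             # cap the credit at CREDIT
        echo "$n"
    else
        [ "$n" -lt $((0 - c)) ] && return 1   # fewer than the required count
        echo 0
    fi
}

# pwq_check MINLEN DCREDIT UCREDIT LCREDIT OCREDIT PASSWORD
# returns 0 if PASSWORD satisfies the configured policy, 1 otherwise
pwq_check() {
    minlen=$1; dcredit=$2; ucredit=$3; lcredit=$4; ocredit=$5; pw=$6
    size=${#pw}
    extra=$(apply_credit "$(count_class "$pw" '[:digit:]')" "$dcredit") || return 1
    size=$((size + extra))
    extra=$(apply_credit "$(count_class "$pw" '[:upper:]')" "$ucredit") || return 1
    size=$((size + extra))
    extra=$(apply_credit "$(count_class "$pw" '[:lower:]')" "$lcredit") || return 1
    size=$((size + extra))
    extra=$(apply_credit "$(count_other "$pw")" "$ocredit") || return 1
    size=$((size + extra))
    [ "$size" -ge "$minlen" ]
}

# Demonstration with the values from the pwquality.conf above (ocredit 0):
for pw in 'Passw0rd' 'password' 'Pa1'; do
    if pwq_check 8 -1 -1 -1 0 "$pw"; then
        echo "accepted: $pw"
    else
        echo "rejected: $pw"
    fi
done
# Positive credits behave very differently: with dcredit=ucredit=lcredit=1 the
# 5-character 'Pass1' earns three credits and satisfies minlen=8.
if pwq_check 8 1 1 1 0 'Pass1'; then
    echo "accepted with positive credits: Pass1"
fi
```

With the values from the pwquality.conf above, 'Passw0rd' passes, 'password' is rejected for lacking a digit and an uppercase letter, and 'Pa1' is rejected on length. Switching the credits to +1 shows why negative values are the right choice for a minimum-length policy: the 5-character 'Pass1' then earns three credits and satisfies minlen=8.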

 

5- To lock an account after 6 failed login attempts and unlock it after 30 minutes (a successful login resets the counter), add the lines below:

 

vi /etc/pam.d/system-auth

## the faillock lines go after this existing line (the pam_unix.so and pam_usertype.so lines shown are already present):

auth        [default=1 ignore=ignore success=ok]         pam_localuser.so

 

auth        required      pam_faillock.so preauth silent unlock_time=1800 deny=6

auth        sufficient                                   pam_unix.so  try_first_pass

auth        [default=die] pam_faillock.so authfail unlock_time=1800 deny=6

auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular

## make sure pam_faillock.so is also present in the account section:

account     required      pam_faillock.so

account     required                                     pam_unix.so

## to remember the last 4 passwords and prevent their reuse:

password    requisite                                    pam_pwquality.so try_first_pass local_users_only

password    requisite                                    pam_pwhistory.so remember=4 use_authtok

password    sufficient                                   pam_unix.so sha512 shadow  try_first_pass use_authtok remember=4

## repeat the same changes in the second file:

vi /etc/pam.d/password-auth

auth        required      pam_faillock.so preauth silent unlock_time=1800 deny=6

auth        sufficient                                   pam_unix.so  try_first_pass

auth        [default=die] pam_faillock.so authfail unlock_time=1800 deny=6

auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular

auth        sufficient                                   pam_sss.so forward_pass

auth        required                                     pam_deny.so

 

account     required      pam_faillock.so

account     [default=bad success=ok user_unknown=ignore] pam_sss.so

account     required                                     pam_permit.so

 

password    requisite                                    pam_pwquality.so try_first_pass local_users_only

password    requisite                                    pam_pwhistory.so remember=4 use_authtok

password    sufficient                                   pam_unix.so sha512 shadow  try_first_pass use_authtok remember=4
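Editing these files by hand is only half the job; the other half is verifying that the settings from steps 2 and 5 are really in effect. The audit functions below are an added example (not code from this post), written in POSIX sh so they can be dropped into a compliance check. They take file paths as arguments; the sample sshd_config and PAM files are constructed for the demonstration and are not real system files. The sshd check deliberately models the rule that sshd honours the first uncommented occurrence of a keyword, which is what bites people who append "PermitRootLogin no" at the end of a file that still has an earlier "yes".

```sh
#!/bin/sh
# Added example (not from the original post): audit functions that read an
# sshd_config and a PAM stack file and report whether the settings from
# steps 2 and 5 are actually in effect. File paths are arguments; the
# sample files built below are constructed for the demonstration.

# sshd honours the FIRST uncommented occurrence of a keyword, so a
# "PermitRootLogin no" appended at the end of the file loses to an earlier
# "PermitRootLogin yes". Keywords are case-insensitive; Match blocks are
# not modelled here.
sshd_root_login_disabled() {
    val=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" \
          | head -n 1 | awk '{ print tolower($2) }')
    [ "$val" = "no" ]
}

# pam_has FILE TYPE MODULE [WORD...]
# True if FILE has an uncommented line of PAM type TYPE (auth, account,
# password, session) that loads MODULE and whose argument list contains
# every WORD as a whole word (so deny=6 does not match deny=60).
pam_has() {
    file=$1; type=$2; module=$3; shift 3
    lines=$(grep -E "^$type[[:space:]].*$module" "$file") || return 1
    for w in "$@"; do
        lines=$(printf '%s\n' "$lines" \
                | grep -E "(^|[[:space:]])$w([[:space:]]|$)") || return 1
    done
    return 0
}

# pam_lockout_ok FILE DENY UNLOCK REMEMBER
# True if FILE carries the complete step-5 policy: faillock preauth and
# authfail in the auth section with the expected deny/unlock_time, faillock
# in the account section, and pwhistory remembering REMEMBER old passwords.
pam_lockout_ok() {
    f=$1; deny=$2; unlock=$3; remember=$4
    pam_has "$f" auth pam_faillock.so preauth "deny=$deny" "unlock_time=$unlock" || return 1
    pam_has "$f" auth pam_faillock.so authfail "deny=$deny" "unlock_time=$unlock" || return 1
    pam_has "$f" account pam_faillock.so || return 1
    pam_has "$f" password pam_pwhistory.so "remember=$remember"
}

# --- constructed sample files (not real system files) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_SSHD_BAD="$SAMPLE_DIR/sshd_config.bad"
SAMPLE_SSHD_GOOD="$SAMPLE_DIR/sshd_config.good"
SAMPLE_PAM="$SAMPLE_DIR/system-auth"

cat > "$SAMPLE_SSHD_BAD" <<'EOF'
# the hardened line was appended at the end, but the earlier "yes" wins
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

cat > "$SAMPLE_SSHD_GOOD" <<'EOF'
#PermitRootLogin yes
permitrootlogin no
EOF

cat > "$SAMPLE_PAM" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent unlock_time=1800 deny=6
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail unlock_time=1800 deny=6
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only
password    requisite     pam_pwhistory.so remember=4 use_authtok
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF

for f in "$SAMPLE_SSHD_BAD" "$SAMPLE_SSHD_GOOD"; do
    if sshd_root_login_disabled "$f"; then
        echo "$f: root SSH login disabled"
    else
        echo "$f: root SSH login still ALLOWED (first PermitRootLogin wins)"
    fi
done
if pam_lockout_ok "$SAMPLE_PAM" 6 1800 4; then
    echo "$SAMPLE_PAM: lockout and history policy present"
fi
```

On a real host, point the functions at /etc/ssh/sshd_config and /etc/pam.d/system-auth and /etc/pam.d/password-auth. For a second opinion on the SSH side, sshd -T prints the effective settings (Match blocks included), and sshd has to be reloaded after the edit in step 2 before PermitRootLogin takes effect.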

6- On RHEL 8.2 and above, use the newer recommended approach from the Red Hat article (the steps below are taken from that article):

  1. List available profiles:

# authselect list

  2. List the current profile and the features enabled:

# authselect current

  3. Back up the current profile/changes:

# authselect apply-changes -b --backup=sssd.backup

  4. Create a new custom profile named password-policy, copied from the existing profile sssd:

#  authselect create-profile password-policy -b sssd

The newly created profile will be available at location: /etc/authselect/custom/password-policy/

  5. Set the new custom profile as the current profile:

# authselect select custom/password-policy

# authselect current

  6. To enable features, for example to create the home directory on user login if not already present and to enable account lockout using faillock, run these commands:

# authselect enable-feature with-mkhomedir

# authselect enable-feature with-faillock

  7. Make the desired/custom changes in the global PAM config files system-auth and password-auth available under the custom profile directory /etc/authselect/custom/password-policy/. Once the changes are made, apply them with the command:

# authselect apply-changes

Confirm that the changes are written to the files.

  7.1. Keep a history of used passwords (the number of previous passwords which cannot be reused).

  • Insert the following line in the /etc/authselect/custom/password-policy/system-auth and /etc/authselect/custom/password-policy/password-auth files (after the pam_pwquality.so line):

password    requisite     pam_pwhistory.so remember=5 use_authtok

  7.2. Enforce password complexity for root.

  • Insert/append the following option to the pam_pwquality.so line under the password section in the /etc/authselect/custom/password-policy/system-auth and /etc/authselect/custom/password-policy/password-auth files:

enforce_for_root

Note: After making the changes, authselect apply-changes needs to be run so that the changes can take effect.
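The two edits in the last step have to be made identically in both profile files, and re-running them must not produce duplicate pwhistory lines. The function below is an added example (not code from this post or from the Red Hat article) that applies both edits idempotently with awk, plus a checker that confirms the result. The file path and remember value are arguments; the sample password section is constructed for the demonstration, modelled on the lines shown earlier on this page.

```sh
#!/bin/sh
# Added example (not from the original post or the Red Hat article): make the
# two step-7 edits to a PAM stack file idempotently, so the same function can
# run over both files of the custom authselect profile and be re-run safely.
# FILE and REMEMBER are arguments; the sample file is constructed below.

# apply_password_policy FILE REMEMBER
#  - appends enforce_for_root to the pam_pwquality.so password line if it is
#    not already there
#  - inserts the pam_pwhistory.so line directly after it, unless the file
#    already has a pwhistory line
apply_password_policy() {
    file=$1; remember=$2
    need_hist=1
    if grep -Eq '^password[[:space:]].*pam_pwhistory\.so' "$file"; then
        need_hist=0
    fi
    awk -v remember="$remember" -v need_hist="$need_hist" '
        /^password[[:space:]].*pam_pwquality\.so/ {
            if ($0 !~ /(^|[[:space:]])enforce_for_root([[:space:]]|$)/)
                $0 = $0 " enforce_for_root"
            print
            if (need_hist)
                print "password    requisite     pam_pwhistory.so remember=" remember " use_authtok"
            next
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# policy_applied FILE REMEMBER
# True if FILE has exactly one pwhistory line, placed directly after a
# pwquality line that carries enforce_for_root, with the expected remember=.
policy_applied() {
    file=$1; remember=$2
    [ "$(grep -c 'pam_pwhistory\.so' "$file")" -eq 1 ] || return 1
    awk -v remember="$remember" '
        prev_ok && /^password[[:space:]].*pam_pwhistory\.so/ &&
            $0 ~ ("(^|[[:space:]])remember=" remember "([[:space:]]|$)") { found = 1 }
        { prev_ok = ($0 ~ /^password[[:space:]].*pam_pwquality\.so/ &&
                     $0 ~ /(^|[[:space:]])enforce_for_root([[:space:]]|$)/) }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# --- constructed sample (the password section of a stock sssd profile) ---
SAMPLE_PAM_ORIG=$(mktemp)
SAMPLE_PAM=$(mktemp)
cat > "$SAMPLE_PAM_ORIG" <<'EOF'
password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
EOF
cp "$SAMPLE_PAM_ORIG" "$SAMPLE_PAM"

apply_password_policy "$SAMPLE_PAM" 5
apply_password_policy "$SAMPLE_PAM" 5   # second run: nothing is duplicated
cat "$SAMPLE_PAM"
```

On an authselect-managed host, run this against both files under /etc/authselect/custom/password-policy/ and then run authselect apply-changes; edits made directly to /etc/pam.d/system-auth or /etc/pam.d/password-auth are regenerated from the profile and lost the next time authselect applies it.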
