LinuxQuestions.org
Old 09-12-2007, 02:26 PM   #1
ElvisImprsntr
Member
 
Registered: Aug 2007
Location: Florida
Posts: 33

Rep: Reputation: 19
NISPOM Security: PAM account lockout and XScreenSaver Settings


BACKGROUND

I am trying to finalize a Debian Sarge Linux system to meet NISPOM security requirements.

PROBLEM 1 - ACCOUNT LOCKOUT
I have PAM cracklib installed and configured on my system to meet password complexity NISPOM requirements. I have set retry=5 in /etc/pam.d/common-password and LOGIN_RETRIES 5 in the /etc/login.defs, but neither seems to lock the account after 5 successive failed login attempts.

# common-password
.
.
.
password required pam_cracklib.so retry=5 minlen=8 difok=1 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=0
password required pam_unix.so md5 remember=5 use_authtok shadow

QUESTION 1
What am I missing to force account lockout of user (i.e. non-root) accounts?


PROBLEM 2 - XSCREENSAVER SETTINGS
I have XScreenSaver installed and configured and need to prevent users from changing the settings. I have tried changing the .xscreensaver file under the user account to root:root, but when I change the settings it writes over the file and changes the file permissions.


QUESTION 2
There is a setting on the settings with some sort of -root option. Is this what allows the user to change the settings and what do I change it to, or is there something else I need to do to prevent the users from changing the .xscreensaver settings?


Thanks,

Elvis

Last edited by ElvisImprsntr; 09-12-2007 at 07:10 PM.
 
Old 09-12-2007, 07:19 PM   #2
ElvisImprsntr
OK, I think I got an answer to my QUESTION 1...

SOLUTION 1
# /etc/pam.d/common-auth
.
.
auth required pam_tally.so onerr=fail no_magic_root
account required pam_tally.so per_user deny=5 no_magic_root reset

touch /var/log/faillog

faillog -u root -m -1
faillog -u {userid} -m 5

QUESTION 2 STILL OPEN

How does one lock the xscreensaver settings to prevent users from changing it?
Also, I think I read somewhere that xscreensaver doesn't play well with pam_tally. What pam_tally option do I change to make xscreensaver play nice?

Last edited by ElvisImprsntr; 09-13-2007 at 05:32 PM.
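
Added example, not part of the original post: a shell check that a PAM stack file contains the pam_tally entries from SOLUTION 1 and that deny= does not exceed a required limit. The function name check_lockout, its limit argument and the sample files are constructed for illustration; the check also flags a file that only sets pam_cracklib retry=, which limits new-password prompts and does not lock accounts.

```shell
#!/bin/sh
# Added example (not from the thread): audit one PAM stack file for the
# pam_tally lockout shown in SOLUTION 1. check_lockout is a hypothetical name.

# check_lockout FILE MAX
# Succeeds only if FILE has auth and account pam_tally.so entries and a
# deny=N option with 1 <= N <= MAX on one of them.
check_lockout() {
    awk -v max="$2" '
        /^[ \t]*#/ { next }                          # ignore comment lines
        /pam_cracklib\.so/ && /retry=/ { retry = 1 } # prompt count, not lockout
        /pam_tally\.so/ {
            if ($1 == "auth")    auth = 1            # entry that counts failures
            if ($1 == "account") account = 1         # entry carrying deny= in the post
            for (i = 3; i <= NF; i++)
                if ($i ~ /^deny=[0-9]+$/) deny = substr($i, 6) + 0
        }
        END {
            if (!auth || !account) {
                msg = "FAIL: need both auth and account pam_tally.so lines"
                if (retry) msg = msg " (pam_cracklib retry= does not lock accounts)"
                print msg; exit 1
            }
            if (deny < 1)       { print "FAIL: no deny=N option found"; exit 1 }
            if (deny > max + 0) { print "FAIL: deny=" deny " exceeds limit " max; exit 1 }
            print "OK: lockout after " deny " failed logins"
        }' "$1"
}

# Constructed samples: the two lines from SOLUTION 1, and a file that only
# sets retry=5 as in the first post.
demo_dir=$(mktemp -d)
cat > "$demo_dir/common-auth" <<'EOF'
auth required pam_tally.so onerr=fail no_magic_root
account required pam_tally.so per_user deny=5 no_magic_root reset
EOF
cat > "$demo_dir/common-password" <<'EOF'
password required pam_cracklib.so retry=5 minlen=8 difok=1
EOF

check_lockout "$demo_dir/common-auth" 5 || true
check_lockout "$demo_dir/common-password" 5 || true
```
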
 
Old 09-14-2007, 02:58 AM   #3
ElvisImprsntr
FYI, here is an excerpt I got from Jamie....

>>> No. It's impossible anyway, as someone could always just download
their own copy of xscreensaver that doesn't have that feature and run
that instead.<<<

I would still like to know if there is a way using file permissions, links, etc.
 
Old 09-26-2007, 07:44 PM   #4
ElvisImprsntr
Finally got a solution off the security forum...


http://www.linuxquestions.org/questi...d.php?t=586995
 
  

