LinuxQuestions.org


ElvisImprsntr 09-12-2007 01:26 PM

NISPOM Security: PAM account lockout and XScreenSaver Settings
 
BACKGROUND

I am trying to finalize a Debian Sarge Linux system to meet NISPOM security requirements.

PROBLEM 1 - ACCOUNT LOCKOUT
I have PAM cracklib installed and configured on my system to meet password complexity NISPOM requirements. I have set retry=5 in /etc/pam.d/common-password and LOGIN_RETRIES 5 in /etc/login.defs, but neither seems to lock the account after 5 successive failed login attempts.

# common-password
.
.
.
password required pam_cracklib.so retry=5 minlen=8 difok=1 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=0
password required pam_unix.so md5 remember=5 use_authtok shadow

QUESTION 1
What am I missing to force account lockout of user (i.e., non-root) accounts?


PROBLEM 2 - XSCREENSAVER SETTINGS
I have XScreenSaver installed and configured and need to prevent users from changing the settings. I have tried changing the .xscreensaver file under the user account to root:root, but when I change the settings it writes over the file and changes the file permissions.


QUESTION 2
There is a setting on the settings with some sort of -root option. Is this what allows the user to change the settings and what do I change it to, or is there something else I need to do to prevent the users from changing the .xscreensaver settings?


Thanks,

Elvis

ElvisImprsntr 09-12-2007 06:19 PM

OK, I think I got an answer to my QUESTION 1...

SOLUTION 1
# /etc/pam.d/common-auth
.
.
auth required pam_tally.so onerr=fail no_magic_root
account required pam_tally.so per_user deny=5 no_magic_root reset

touch /var/log/faillog

faillog -u root -m -1
faillog -u {userid} -m 5

QUESTION 2 STILL OPEN

How does one lock the xscreensaver settings to prevent users from changing it?
Also, I think I read somewhere that xscreensaver doesn't play well with pam_tally. What pam_tally option do I change to make xscreensaver play nice?
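
An added example, not part of the original posts and not code from the PAM project: a small Python check that parses pam.d-style rule lines and reports whether a pam_tally lockout is actually configured, run over constructed samples built from the lines quoted in this thread. The function names and the max_failures threshold are assumptions chosen for illustration.

```python
import re

# Constructed samples built from the rule lines quoted in this thread.
BEFORE = """\
password required pam_cracklib.so retry=5 minlen=8 difok=1 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=0
password required pam_unix.so md5 remember=5 use_authtok shadow
"""
AFTER = BEFORE + """\
auth required pam_tally.so onerr=fail no_magic_root
account required pam_tally.so per_user deny=5 no_magic_root reset
"""

RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam(text):
    """Return (type, control, module, args) for every rule line of a pam.d-style file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding blanks
        m = RULE.match(line)
        if not m:
            continue                             # blank lines, elision dots, @include
        module = m.group(3).rsplit("/", 1)[-1]   # tolerate an absolute module path
        rules.append((m.group(1).lstrip("-"), m.group(2), module, m.group(4).split()))
    return rules

def audit_lockout(text, max_failures=5):
    """Return findings; an empty list means failures are counted and denied at <= max_failures."""
    rules = parse_pam(text)
    tally = [r for r in rules if r[2] == "pam_tally.so"]
    deny = [int(a[5:]) for r in tally for a in r[3] if re.fullmatch(r"deny=\d+", a)]
    findings = []
    if not any(r[0] == "auth" for r in tally):
        findings.append("no auth pam_tally.so rule, so failed logins are never counted")
    if not deny:
        findings.append("no deny=N on a pam_tally.so rule, so no account is ever locked")
        if any(r[2] == "pam_cracklib.so" and any(a.startswith("retry=") for a in r[3]) for r in rules):
            findings.append("pam_cracklib retry= limits new-password prompts; it is not a lockout")
    elif any(d > max_failures for d in deny):
        findings.append(f"deny={max(deny)} exceeds the required limit of {max_failures}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_lockout(cfg) or "OK")
```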

ElvisImprsntr 09-14-2007 01:58 AM

FYI, here is an excerpt I got from Jamie....

>>> No. It's impossible anyway, as someone could always just download
their own copy of xscreensaver that doesn't have that feature and run
that instead.<<<

I would still like to know if there is a way using file permissions, links, etc.

ElvisImprsntr 09-26-2007 06:44 PM

Finally got a solution off the security forum...


http://www.linuxquestions.org/questi...d.php?t=586995

