NISPOM Security: PAM account lockout and XScreenSaver Settings
BACKGROUND
I am trying to finalize a Debian Sarge Linux system to meet NISPOM security requirements.

PROBLEM 1 - ACCOUNT LOCKOUT

I have PAM cracklib installed and configured on my system to meet NISPOM password complexity requirements. I have set retry=5 in /etc/pam.d/common-password and LOGIN_RETRIES 5 in /etc/login.defs, but neither seems to lock the account after 5 successive failed login attempts.

    # common-password
    . . .
    password required pam_cracklib.so retry=5 minlen=8 difok=1 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=0
    password required pam_unix.so md5 remember=5 use_authtok shadow

QUESTION 1

What am I missing to force account lockout of user (i.e. non-root) accounts?

PROBLEM 2 - XSCREENSAVER SETTINGS

I have XScreenSaver installed and configured and need to prevent users from changing the settings. I have tried changing the .xscreensaver file under the user account to root:root, but when I change the settings it writes over the file and changes the file permissions.

QUESTION 2

There is a setting in the settings with some sort of -root option. Is this what allows the user to change the settings, and what do I change it to, or is there something else I need to do to prevent the users from changing the .xscreensaver settings?

Thanks,
Elvis
OK, I think I got an answer to my QUESTION 1...
SOLUTION 1

    # /etc/pam.d/common-auth
    . .
    auth required pam_tally.so onerr=fail no_magic_root
    account required pam_tally.so per_user deny=5 no_magic_root reset

    touch /var/log/faillog
    faillog -u root -m -1
    faillog -u {userid} -m 5

QUESTION 2 STILL OPEN

How does one lock the xscreensaver settings to prevent users from changing them? Also, I think I read somewhere that xscreensaver doesn't play well with pam_tally. What pam_tally option do I change to make xscreensaver play nice?
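The pam_tally lines in SOLUTION 1 are the whole lockout policy, so a quick audit script is a useful way to confirm they are present and complete before signing the system off. The following is an added example, not code from the thread: a POSIX sh function that checks a pam.d file for an auth line that counts failures with onerr=fail, an account line with deny= at or below the required limit, and no_magic_root on every pam_tally line. It runs against a constructed sample resembling common-auth after SOLUTION 1 unless a real file path is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the thread): audit a pam.d file for the pam_tally
# lockout policy shown in SOLUTION 1. With no argument it checks a constructed
# sample, so it never touches the real /etc/pam.d.

# Constructed sample resembling /etc/pam.d/common-auth after SOLUTION 1.
SAMPLE_PAM_CONF='# /etc/pam.d/common-auth (constructed sample)
auth    required    pam_tally.so onerr=fail no_magic_root
auth    required    pam_unix.so nullok_secure
account required    pam_tally.so per_user deny=5 no_magic_root reset
account required    pam_unix.so'

# check_tally_lockout FILE MAXDENY
# Prints one line per finding; returns 0 if the policy is complete, 1 otherwise.
check_tally_lockout() {
    file=$1
    maxdeny=${2:-5}
    status=0

    # 1. The auth line must count failures and fail closed (onerr=fail).
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_tally\.so.*onerr=fail' "$file"; then
        echo "ok:   auth pam_tally counts failures with onerr=fail"
    else
        echo "FAIL: no 'auth required pam_tally.so ... onerr=fail' line"
        status=1
    fi

    # 2. The account line must enforce deny=N with N no larger than MAXDENY.
    deny=$(grep -E '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_tally\.so' "$file" \
           | sed -n 's/.*deny=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$deny" ]; then
        echo "FAIL: account pam_tally line has no deny= limit"
        status=1
    elif [ "$deny" -gt "$maxdeny" ]; then
        echo "FAIL: deny=$deny exceeds the required limit of $maxdeny"
        status=1
    else
        echo "ok:   account lockout after $deny failures"
    fi

    # 3. Every pam_tally line should carry no_magic_root; without it root
    #    (and, via magic-root handling, some root-driven logins) is not tallied.
    if grep -E 'pam_tally\.so' "$file" | grep -vq 'no_magic_root'; then
        echo "FAIL: a pam_tally line lacks no_magic_root"
        status=1
    else
        echo "ok:   no_magic_root set on every pam_tally line"
    fi
    return $status
}

# Check the file given as $1, or the constructed sample when none is given.
main() {
    if [ -n "$1" ]; then
        check_tally_lockout "$1" 5
    else
        tmp=$(mktemp)
        printf '%s\n' "$SAMPLE_PAM_CONF" > "$tmp"
        check_tally_lockout "$tmp" 5
        rc=$?
        rm -f "$tmp"
        return $rc
    fi
}
main "$@"
```

The script only inspects the configuration; it does not read /var/log/faillog, so the faillog -m limits set in SOLUTION 1 still need to be confirmed separately with faillog -u {userid}.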
FYI, here an excerpt I got from Jamie....
>>> No. It's impossible anyway, as someone could always just download their own copy of xscreensaver that doesn't have that feature and run that instead. <<<

I would still like to know if there is a way using file permissions, links, etc.
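The first post's observation that changing .xscreensaver to root:root does not stick, because the settings program "writes over the file and changes the file permissions", follows from how Unix directory permissions work: a program that saves by writing a new file and renaming it into place needs write permission on the directory, not on the file, so the file's own owner and mode never come into play. The following is an added example, not code from the thread, that reproduces the mechanism in a scratch directory. The settings lines and the create-and-rename save routine are constructed for illustration (the real xscreensaver save path is not shown on the page), and a chmod 444 file stands in for the root:root file since an unprivileged test cannot chown to root.

```shell
#!/bin/sh
# Added example (not from the thread): why a read-only or root-owned
# ~/.xscreensaver inside a user-owned home directory can still be replaced.
# Everything happens in a scratch directory created with mktemp.

# Report the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Simulate the "protected" config: a read-only file inside a directory the
# user owns. Settings content is constructed for the demo.
setup_fake_home() {
    dir=$1
    mkdir -p "$dir"
    printf 'lock: True\nlockTimeout: 0:10:00\n' > "$dir/.xscreensaver"
    chmod 444 "$dir/.xscreensaver"
}

# Hypothetical save routine: write a temporary file, then rename it over the
# old one. mv only needs write+search permission on the directory, so the
# replaced file gets the new owner and the caller's umask-derived mode.
rewrite_by_rename() {
    dir=$1
    printf 'lock: False\nlockTimeout: 0:00:00\n' > "$dir/.xscreensaver.tmp"
    mv -f "$dir/.xscreensaver.tmp" "$dir/.xscreensaver"
}

# Returns 0 if the calling user can replace entries in DIR this way,
# i.e. the directory itself is writable and searchable.
config_is_replaceable() {
    [ -w "$1" ] && [ -x "$1" ]
}

# Print the current lock setting from the config in DIR.
lock_setting() {
    sed -n 's/^lock:[[:space:]]*//p' "$1/.xscreensaver"
}

demo() {
    scratch=$(mktemp -d)
    setup_fake_home "$scratch"
    echo "before: mode $(file_mode "$scratch/.xscreensaver"), lock=$(lock_setting "$scratch")"
    if config_is_replaceable "$scratch"; then
        echo "directory $scratch is writable by this user: the file's mode does not protect it"
    fi
    rewrite_by_rename "$scratch"
    echo "after:  mode $(file_mode "$scratch/.xscreensaver"), lock=$(lock_setting "$scratch")"
    rm -rf "$scratch"
}
demo
```

The "after" line shows the file with the new contents and a fresh mode, which is exactly the symptom described in the first post. The check that matters for this kind of control is therefore config_is_replaceable on the directory holding the file, not the ownership of the file itself.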
Finally got a solution off the security forum...
http://www.linuxquestions.org/questi...d.php?t=586995