Linux系统安全设置

Linux系统中涉及到用户密码策略的两个配置文件

场景:某企业需要对系统用户密码增强安全,要求:

a. 用户口令最小长度:8

b. 用户口令复杂度,必须包含:

​ a) 至少一个小写字母

​ b) 至少一个大写字母

​ c) 至少一个数字

​ d) 至少一个特殊字符

c. 用户口令最大有效期不超过90天。

在Linux系统中如何设置呢?

  1. a/c 两个要求,可以通过修改 /etc/login.defs 文件
*REQUIRED* required
#  Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#创建用户时,要在目录/var/spool/mail中创建一个用户mail文件
#MAIL_FILE      .mail
 
# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999    # 按场景要求90天
#密码最大有效期
PASS_MIN_DAYS   0
#两次修改密码的最小间隔时间
PASS_MIN_LEN    5       # 按场景要求 8
#密码最小长度,对于root无效
PASS_WARN_AGE   7
#密码过期前多少天开始提示
#
# Min/max values for automatic uid selection in useradd
#创建用户时不指定UID的话自动UID的范围
UID_MIN                   500
#用户ID的最小值
UID_MAX                 60000
#用户ID的最大值
#
# Min/max values for automatic gid selection in groupadd
#自动组ID的范围
GID_MIN                   500
#组ID的最小值
GID_MAX                 60000
#组ID的最大值
 
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local
#当删除用户的时候执行的脚本
 
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes
#使用useradd的时候是够创建用户目录
 
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK           077
 
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
#用MD5加密密码
  1. 用户口令复杂度的设置,需要修改 /etc/pam.d/system-auth 配置文件。

找到包含pam_pwquality.so模块的行,将原有行注释并修改为如下的新配置,至少包含一个大写字母,一个小写字母,一个数字,一个特殊符号。

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1

参考

  1. https://www.bbsmax.com/A/KE5QYAZP5L/
  2. https://blog.csdn.net/inthat/article/details/117920671
posted @ 2023-03-07 15:07  trylab  阅读(74)  评论(0编辑  收藏  举报