TufinOS 4.x Password Policies

Overview

For TufinOS 4.x, implementing a password policy lets you harden your operating system by enforcing strong passwords for all operating system logins. Password policies are enforced using the pam_passwdqc.so RPM.

This applies to all versions of TufinOS 4.x and RHEL 8.

This topic describes the RHEL 8 default configuration file for password complexity. Some of these requirements use a credit-based system, which the system uses to evaluate the complexity of the password.

Use these instructions to implement password policies for TufinOS 4.20 and later.

Prerequisites

TufinOS 4.x Users

  • Verify that you are running version 4.20 or later.

Rocky/Linux/RHEL 8 Users

  • Verify that you are running either version 8.6 or version 8.8.

  • To ensure that the server has full functionality and access to the options described in this topic, use the following command to update pam to pam-1.3.1-25, authselect to authselect-1.2.6-1, and libpwquality to libpwquality-1.4.4-6 or later:

    dnf upgrade pam authselect libpwquality

Before you Begin Password Policy Implementation

Before you begin implementing password policies, you must configure the System Security Services Daemon (SSSD) and create/deploy a custom authselect profile.

Configure System Security Services Daemon (SSSD)

  1. Configure the SSSD configuration file /etc/sssd/sssd.conf as follows:

    [sssd]
    domains =
    config_file_version = 2
    services = nss, pam
    enable_files_domain = true

    [domain/local]
    id_provider=files

    This step sets the value of enable_files_domain to true for the SSSD in TufinOS 4. If you have different security measures that are not covered in this document, refer to the Rocky Linux/RHEL 8 documentation.
  2. Change the owner and permission for the SSSD configuration file:

    chown root:root /etc/sssd/sssd.conf
    chmod 600 /etc/sssd/sssd.conf
  3. Restart the SSSD service and check the service status:

    systemctl restart sssd.service
    systemctl status sssd.service

Create/Deploy a Custom "authselect" Profile

  1. Create a custom profile tufin-password-policy based on the ready-made sssd profile:

    authselect create-profile tufin-password-policy -b sssd --symlink-meta --symlink-pam
  2. To override the current profile, use this command:

    authselect select custom/tufin-password-policy --force
  3. Check the custom profile with custom/tufin-password-policy:

    authselect current
    authselect check

Set a Password Policy to Keep a History of Used Passwords

Enable Password History

  1. Enable the pam_pwhistory module and update the PAM stack using the command:

    authselect enable-feature with-pwhistory
  2. Confirm that the changes have been applied to the global PAM files:

    authselect current
    grep "pam_pwhistory" /etc/pam.d/{password,system}-auth

Configure Password History Using pwhistory.conf

  1. Set the number of passwords to remember in the configuration file /etc/security/pwhistory.conf.

    Locate the remember = setting in the configuration file and set the number of passwords to remember (uncomment the setting if it is commented out). You can set any required number; in this procedure we set:

    remember = 5
  2. In the directory /etc/authselect/custom/tufin-password-policy/, edit these files:

    • password-auth

    • system-auth

    and remove remember=5 from both of them.

    The options on the pam_pwhistory.so line in the global PAM files /etc/pam.d/*-auth override the settings in /etc/security/pwhistory.conf. To use the settings in pwhistory.conf, modify the global PAM configuration files as follows (the procedure uses the custom profile tufin-password-policy).

    Before:

    ...output omitted...
    password    requisite     pam_pwhistory.so remember=5 use_authtok
    ...output omitted...

    After:

    ...output omitted...
    password    requisite     pam_pwhistory.so use_authtok
    ...output omitted...
  3. Once the changes are made to the global PAM configuration files, use this command to apply the changes:

    authselect apply-changes
  4. Confirm that the changes have been applied to the global PAM files:

    grep "pam_pwhistory" /etc/pam.d/{password,system}-auth

    The output should be without the remember= in the pam_pwhistory.so line:

    /etc/pam.d/password-auth:password    requisite        pam_pwhistory.so use_authtok
    /etc/pam.d/system-auth:password    requisite        pam_pwhistory.so use_authtok

Set Password Complexity/Policy with pam_pwquality

The pam_pwquality module is enabled by default in all SSSD profiles. See man pam_pwquality for full details. Set the appropriate options in the file /etc/security/pwquality.conf. See man pwquality.conf for more options.

Insert the following options in /etc/security/pwquality.conf:

  • Enforce password complexity for root:

    enforce_for_root
  • Password size (minimum acceptable length for the new password):

    minlen = 9
  • Maximum credit for having digits in the password:

    dcredit = -1
  • Maximum credit for having uppercase characters in the password:

    ucredit = -1
  • Maximum credit for having lowercase characters in the password:

    lcredit = 1
  • Maximum credit for having other characters in the password:

    ocredit = 1

    Note on credits: The credit values configured for dcredit, ucredit, lcredit and ocredit are only for illustrative purposes. The credit values can be configured in different ways according to requirements. The credit values can be set as follows:

    • Credit Value > 0: Maximum credit for having respective characters in the new password.

    • Credit Value < 0: Minimum mandatory credit required for having respective characters in the new password.

    • Credit Value = 0: No mandatory requirement for having the respective character class in the new password.

  • Minimum number of required character classes in the password:

    minclass = 1
  • Maximum number of allowed consecutive same characters in the password:

    maxrepeat = 2
  • Maximum number of allowed consecutive characters of the same class in the password:

    maxclassrepeat = 2
  • Set the number of characters from the old password that must not be present in the new password:

    difok = 5

    This option will not work for root, as root is not asked for an old password; the checks that compare the old and new password are not performed.
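To see how the credit-based rules above interact, here is an added example (not Tufin's or libpwquality's own code) that models pam_pwquality's checks for the options configured in this section in Python. It omits libpwquality's dictionary, palindrome and similar-word checks, and approximates the difok comparison the way pwquality's similarity test does, by counting old-password characters that reappear in the new one.

```python
# Constructed policy mirroring the values set in /etc/security/pwquality.conf above.
POLICY = {"minlen": 9, "dcredit": -1, "ucredit": -1, "lcredit": 1, "ocredit": 1,
          "minclass": 1, "maxrepeat": 2, "maxclassrepeat": 2, "difok": 5}

def char_class(c):
    """pwquality's four classes: d(igit), u(pper), l(ower), o(ther)."""
    return "d" if c.isdigit() else "u" if c.isupper() else "l" if c.islower() else "o"

def longest_run(seq):
    """Length of the longest run of consecutive equal elements in seq."""
    best = cur = 1 if seq else 0
    for a, b in zip(seq, seq[1:]):
        cur = cur + 1 if a == b else 1
        best = max(best, cur)
    return best

def check_password(new, old=None, policy=POLICY):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    counts = {cls: 0 for cls in "dulo"}
    for c in new:
        counts[char_class(c)] += 1
    # Credit system: a positive credit lets up to that many characters of the class
    # count extra towards minlen; a negative credit is a minimum count for the class.
    effective_len = len(new)
    for cls in "dulo":
        credit = policy[cls + "credit"]
        if credit < 0 and counts[cls] < -credit:
            problems.append("%scredit: need at least %d characters of class %s" % (cls, -credit, cls))
        elif credit > 0:
            effective_len += min(counts[cls], credit)
    if effective_len < policy["minlen"]:
        problems.append("minlen: effective length %d < %d" % (effective_len, policy["minlen"]))
    if sum(1 for n in counts.values() if n) < policy["minclass"]:
        problems.append("minclass: fewer than %d character classes" % policy["minclass"])
    if longest_run(new) > policy["maxrepeat"]:
        problems.append("maxrepeat: more than %d identical characters in a row" % policy["maxrepeat"])
    if longest_run([char_class(c) for c in new]) > policy["maxclassrepeat"]:
        problems.append("maxclassrepeat: more than %d same-class characters in a row" % policy["maxclassrepeat"])
    # difok is skipped when there is no old password (root is never asked for one).
    if old is not None:
        same = sum(1 for c in old if c in new)
        if len(new) - same < policy["difok"]:
            problems.append("difok: fewer than %d characters differ from the old password" % policy["difok"])
    return problems

if __name__ == "__main__":
    print(check_password("Passw0rd!"))   # violates maxclassrepeat (run of four lowercase letters)
    print(check_password("aB1cD2eF3"))   # accepted: []
```

Note that with maxclassrepeat = 2 any run of three consecutive characters of the same class, such as abc or 123, is rejected, so a word-based password like Passw0rd! fails on that rule rather than on length.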

Working with faillock

Enable/Disable faillock

  • To enable faillock:

    authselect enable-feature with-faillock
  • To check/verify current settings:

    authselect current
    authselect check
  • To disable faillock:

    authselect disable-feature with-faillock

Configure faillock

faillock options should be stored in /etc/security/faillock.conf:

deny=3
unlock_time=1200
silent

Using the faillock Command

To reset/view authentication failure records, use commands like the following:

  • Display authentication failure records for username:

    faillock --user username
  • Reset authentication failure records for username:

    faillock --user username --reset

Lock out the Root User

To lock out the root user, add even_deny_root to /etc/security/faillock.conf.

Exclude Specific Users from the Account Lock

To prevent a regular user from being locked out even after multiple failed logins, add the user to a user group (for example, no_faillock_group), and then add the following line to faillock.conf:

admin_group=no_faillock_group

Handle Persistent Account Lockouts

The default directory that pam_faillock uses is usually cleared on system boot, so access is also re-enabled after a system reboot. If that is undesirable, set the dir= option in faillock.conf:

dir=/var/log/faillock

Ensure the directory is created:

mkdir /var/log/faillock

Rollback Configurations

  • To roll back configurations, follow the steps in this topic in reverse order.

  • To remove a custom profile, remove it manually from the system:

    rm -rf /etc/authselect/custom/tufin-password-policy/
    ls -l /etc/authselect/custom/
    authselect list