Creating a Default Policy for Security

deal with all the PAM applications that don't have their own configuration files. If you want to be sure that your system fails closed even for those programs, give it the contents shown in Listing 5-5.

Listing 5-5. Configuring PAM for Security in /etc/pam.d/other

    auth        required    pam_warn.so
    auth        required    pam_deny.so
    account     required    pam_warn.so
    account     required    pam_deny.so
    password    required    pam_warn.so
    password    required    pam_deny.so
    session     required    pam_warn.so
    session     required    pam_deny.so

For each of the four management groups (auth, account, password and session), two modules are called. The first is pam_warn: it writes a warning about the attempt to syslog (on a classic syslog setup this typically ends up in /var/log/messages or /var/log/auth.log; on systems with journald, in the journal). Next, for each group, pam_deny is called; this simple module denies everything unconditionally. The result: applications that have their own configuration file in /etc/pam.d are handled exactly as defined there, but any PAM-enabled program without one falls through to this generic policy, is logged and is denied, so a forgotten or missing service file can never silently grant access. Keep pam_warn before pam_deny: with required as the control flag both modules run anyway, but if you ever tighten pam_deny to requisite the stack stops at that line, and a pam_warn placed after it would never log anything.

Tip  Want to know whether a program is PAM enabled? Use ldd programname, for example ldd /usr/bin/passwd, to list the shared libraries the command is linked against. If libpam.so (usually accompanied by libpam_misc.so) is listed, the program is PAM enabled, and it should have its own configuration file in /etc/pam.d. Two caveats: ldd only shows libraries linked at build time, so a program that loads libpam with dlopen() at run time is missed; and ldd works by running the dynamic loader on the target, so never use it on a binary you don't trust.
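The following script is an added example, not code from the book: it audits a policy file in the /etc/pam.d/other format for the deny-by-default-with-logging pattern of Listing 5-5, and wraps the ldd check from the tip above. The function names, the sample policy files and the assumption of a POSIX shell with awk and ldd are this example's own; the bracketed [value=action] control syntax of PAM is deliberately not parsed and counts as "not denying".

```shell
#!/bin/sh
# Added example (not from the original text): audit a PAM "other" policy
# file and detect PAM-enabled programs. Assumes POSIX sh, awk and, for
# is_pam_enabled, the ldd utility. Function names are this example's own.

# Return 0 if every management group in FILE (auth, account, password,
# session) has a pam_deny.so line with control "required" or "requisite".
# Comments, blank lines and the optional "-type" prefix are handled; the
# bracketed [value=action] control syntax is not (it counts as not denying).
pam_other_denies_all() {
    file="$1"
    [ -r "$file" ] || return 1
    for type in auth account password session; do
        awk -v t="$type" '
            { sub(/#.*/, ""); if (NF < 3) next }          # strip comments, skip short lines
            ($1 == t || $1 == ("-" t)) &&
            ($2 == "required" || $2 == "requisite") &&
            $3 ~ /(^|\/)pam_deny\.so$/ { found = 1 }      # module may carry a path prefix
            END { exit (found ? 0 : 1) }
        ' "$file" || return 1
    done
    return 0
}

# Return 0 if, for every management group, a pam_warn.so line appears
# before the first pam_deny.so line, so a denied attempt is always logged
# even if pam_deny is later tightened to requisite (which stops the stack).
pam_other_warns_before_deny() {
    file="$1"
    [ -r "$file" ] || return 1
    for type in auth account password session; do
        awk -v t="$type" '
            { sub(/#.*/, ""); if (NF < 3) next }
            ($1 == t || $1 == ("-" t)) && $3 ~ /(^|\/)pam_warn\.so$/ && !w { w = NR }
            ($1 == t || $1 == ("-" t)) && $3 ~ /(^|\/)pam_deny\.so$/ && !d { d = NR }
            END { exit ((w && d && w < d) ? 0 : 1) }
        ' "$file" || return 1
    done
    return 0
}

# Return 0 if PROGRAM is dynamically linked against libpam, the sign that it
# is PAM enabled and should have its own file in /etc/pam.d. ldd runs the
# dynamic loader on the target, so only use this on binaries you trust.
is_pam_enabled() {
    ldd "$1" 2>/dev/null | grep -q 'libpam\.so'
}

# Usage: ./pamaudit.sh [POLICY_FILE] [PROGRAM]
if [ "$#" -ge 1 ]; then
    if pam_other_denies_all "$1" && pam_other_warns_before_deny "$1"; then
        echo "$1: deny-by-default with logging for all four groups"
    else
        echo "$1: WEAK, missing or unparsed fallback policy" >&2
    fi
fi
if [ "$#" -ge 2 ]; then
    if is_pam_enabled "$2"; then
        echo "$2: PAM enabled (check /etc/pam.d/$(basename "$2") exists)"
    else
        echo "$2: not linked against libpam"
    fi
fi
```

Run it as `sh pamaudit.sh /etc/pam.d/other /usr/bin/passwd`. The audit only recognises the plain required/requisite keywords, so a distribution file that uses the bracketed control syntax is reported as weak and should be reviewed by hand rather than trusted blindly.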
