Linux等保密码策略

• 1. sudo限制
• 2. 密码试探锁定
• • 2.1 centos7
  • 2.2 ubuntu 1804
• 3. 密码失效

禁止普通用户sudo ALL=(ALL)

for i in `grep ALL= /etc/sudoers |grep -Ev '#|root|wheel'|awk '{print $1}'`;do 
    sed -i "/$i/d" /etc/sudoers; 
    done

10分钟没操作自动登出shell
密码长度10位以上,需要大小写,数字,字符
登录失败5次,锁定账号.锁定时间10分钟.

cp /etc/pam.d/sshd{,.bak}
sed -ri 's#.*pam_nologin.so#auth required pam_tally2.so even_deny_root deny=5 unlock_time=600 root_unlock_time=600#' /etc/pam.d/sshd
cp /etc/pam.d/system-auth{,.bak}
sed -i '/pam_pwquality.so/d' /etc/pam.d/system-auth
echo "password    requisite     pam_pwquality.so  try_first_pass local_users_only retry=5 difok=3 minlen=10 ucredit=-1 lcredit=-3 dcredit=-1 ocredit=-1" >> /etc/pam.d/system-auth

echo "export TMOUT=600" >>/etc/profile
source /etc/profile

apt install libpam-cracklib -y
cp /etc/pam.d/common-password{,.bak}
sed -i '2ipassword requisite pam_cracklib.so retry=5 minlen=10 difok=3 ucredit=-1 lcredit=-3 dcredit=-1 ocredit=-1' /etc/pam.d/common-password
cp /etc/pam.d/sshd{,.bak}
sed -i "2iauth required pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600" /etc/pam.d/sshd
echo "export TMOUT=600" >>/etc/profile
cp /etc/profile{,.bak}
source /etc/profile

密码90天失效
密码至少10位

cp /etc/login.defs{,.bak}
sed -Eri 's/^(PASS_MAX_DAYS).*/1   90/' /etc/login.defs
sed -Eri 's/^(PASS_MIN_LEN).*/1    10/' /etc/login.defs