Linux MLPS (等保) password policy

1. sudo restriction

Forbid ordinary users from holding an unrestricted sudo ALL=(ALL) grant.

# Drop every sudoers rule that grants "ALL=" to a principal other than root and wheel.
# The deletion is anchored to the start of the line: the original "/$i/d" pattern
# removed any line that merely contained the name as a substring.
\cp /etc/sudoers{,.bak}
for i in $(grep ALL= /etc/sudoers | grep -Ev '#|root|wheel' | awk '{print $1}'); do
    sed -i "/^${i}[[:space:]]/d" /etc/sudoers
done
visudo -c   # confirm the file still parses before closing the session
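Before deleting anything, it helps to know exactly which principals hold a broad grant, including those in /etc/sudoers.d, which the one-liner above never looks at. The audit script below is an added example and not part of the original post: it parses sudoers-format files, takes the principal only from the start of each rule (so a name can never match as a substring of another rule), and prints every user or %group other than root and %wheel whose rule starts with ALL=(ALL. The function names, the ALLOWED pattern and the AUDIT_SUDO switch are this example's own choices; on Ubuntu you would add %sudo to ALLOWED.

```bash
#!/bin/sh
# Added example, not part of the original post: audit sudoers files for
# principals (users or %groups) other than root and %wheel that hold an
# "ALL=(ALL...)" grant, before deciding what to remove with visudo.
# The function names and the ALLOWED pattern are this example's own choices.

# Principals that are permitted to keep an ALL=(ALL) grant.
ALLOWED='^(root|%wheel)$'

# list_broad_grants FILE
# Print each principal in one sudoers-format file whose rule starts with
# "ALL=(ALL" (any host, any target user). Comment and blank lines are
# skipped, and the principal is taken from the start of the line only,
# so a name never matches as a substring of some other rule.
list_broad_grants() {
    file="$1"
    [ -r "$file" ] || return 0
    awk -v allowed="$ALLOWED" '
        NF == 0 || $1 ~ /^#/ { next }          # blank, comment, #include*
        {
            p = $1                               # principal (user or %group)
            sub(/^[^ \t]+[ \t]+/, "")            # drop it, keep the rule body
            if (p ~ allowed) next
            if ($0 ~ /^ALL[ \t]*=[ \t]*\(ALL/) print p
        }' "$file"
}

# audit_sudo [MAIN_FILE] [DROP_IN_DIR]
# Run list_broad_grants over /etc/sudoers and every file in /etc/sudoers.d.
audit_sudo() {
    main="${1:-/etc/sudoers}"
    dir="${2:-/etc/sudoers.d}"
    list_broad_grants "$main"
    if [ -d "$dir" ]; then
        for f in "$dir"/*; do
            [ -f "$f" ] && list_broad_grants "$f"
        done
    fi
}

# Usage (needs root to read the files):  AUDIT_SUDO=1 sh audit_sudo.sh
# Each name printed should be removed or narrowed with "visudo", which
# validates the syntax before saving; "visudo -c" checks existing files.
if [ -n "${AUDIT_SUDO:-}" ]; then
    audit_sudo | sort -u
fi
```

Editing through visudo rather than sed is deliberate: visudo refuses to save a file that does not parse, whereas a stray sed deletion can leave every sudo invocation on the host failing.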

2. Lockout on password guessing

Automatically log the shell out after 10 minutes without activity.
Passwords must be at least 10 characters long and contain uppercase letters, lowercase letters, digits and symbols.
After 5 failed logins, lock the account; the lockout lasts 10 minutes.

2.1 CentOS 7

\cp /etc/pam.d/sshd{,.bak}
# Insert the lockout rule ahead of pam_nologin instead of overwriting it, so /etc/nologin
# still blocks non-root logins. Counters can be inspected or cleared with "pam_tally2 --user NAME [--reset]".
sed -ri '/pam_nologin.so/i auth required pam_tally2.so even_deny_root deny=5 unlock_time=600 root_unlock_time=600' /etc/pam.d/sshd
\cp /etc/pam.d/system-auth{,.bak}
# Rewrite the existing pam_pwquality line in place. Deleting it and appending a new one at the end
# of the file puts it after "password sufficient pam_unix.so", where it is never evaluated.
# Negative credit values are minimum counts: ucredit=-1 means at least one uppercase letter.
# --follow-symlinks edits the target system-auth-ac instead of replacing the symlink with a plain file.
sed -ri --follow-symlinks 's/^password\s+requisite\s+pam_pwquality\.so.*/password    requisite     pam_pwquality.so  try_first_pass local_users_only retry=5 difok=3 minlen=10 ucredit=-1 lcredit=-3 dcredit=-1 ocredit=-1/' /etc/pam.d/system-auth

# 600 s idle timeout; declare it readonly as well if users must not be able to unset it
echo "export TMOUT=600" >>/etc/profile
source /etc/profile

2.2 Ubuntu 18.04

apt install libpam-cracklib -y
\cp /etc/pam.d/common-password{,.bak}
# Insert ahead of the pam_unix line so the check is evaluated first (the file starts with a comment header).
sed -i '2ipassword requisite pam_cracklib.so retry=5 minlen=10 difok=3 ucredit=-1 lcredit=-3 dcredit=-1 ocredit=-1' /etc/pam.d/common-password
\cp /etc/pam.d/sshd{,.bak}
# Same lockout rule as on CentOS, placed at the top of the sshd stack.
sed -i "2iauth required pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600" /etc/pam.d/sshd
# Back up /etc/profile before appending to it, not afterwards.
\cp /etc/profile{,.bak}
echo "export TMOUT=600" >>/etc/profile
source /etc/profile
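The sed commands in 2.1 and 2.2 silently do nothing when a pattern does not match, so a host can look hardened while the lockout or complexity line is missing or carries weaker values. The script below is an added example, not part of the original post, that reads the resulting files back and checks the three controls from section 2 against the stated thresholds: deny no higher than 5 and unlock_time no lower than 600 on an auth line for pam_tally2.so, minlen at least 10 with every credit negative on pam_pwquality.so (CentOS) or pam_cracklib.so (Ubuntu), and a TMOUT of at most 600 s. The function names and the AUDIT_PAM / PASSWORD_PAM switches are this example's own; the optional module argument lets it check pam_faillock.so on releases that have dropped pam_tally2.

```bash
#!/bin/sh
# Added example, not part of the original post: verify that the PAM and
# profile settings from sections 2.1 and 2.2 are actually in place with the
# required values (5 failures, 600 s lockout, 10+ characters, every class
# required, 600 s idle timeout). Function names are this example's own.

# pam_param FILE MODULE KEY
# Print the value of KEY=VALUE on the first non-comment line of FILE that
# references MODULE (e.g. pam_tally2.so); prints nothing if absent.
pam_param() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -F "$2" | head -n 1 \
        | tr -s '[:blank:]' '\n' | sed -n "s/^$3=//p" | head -n 1
}

# check_lockout FILE [MODULE]
# The lockout line must exist in the auth stack with deny<=5 and
# unlock_time>=600. MODULE defaults to pam_tally2.so as used on the page;
# pass pam_faillock.so on releases that have dropped pam_tally2.
check_lockout() {
    mod="${2:-pam_tally2.so}"
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -F "$mod" | grep -q '^auth' || return 1
    deny=$(pam_param "$1" "$mod" deny)
    unlock=$(pam_param "$1" "$mod" unlock_time)
    [ -n "$deny" ] && [ "$deny" -le 5 ] && [ -n "$unlock" ] && [ "$unlock" -ge 600 ]
}

# check_complexity FILE
# Accept either pam_pwquality.so (CentOS) or pam_cracklib.so (Ubuntu).
# minlen must be >=10 and each *credit must be negative: a negative credit
# is a minimum count of that character class, so -1 means "at least one".
check_complexity() {
    if grep -qs pam_pwquality.so "$1"; then mod=pam_pwquality.so
    elif grep -qs pam_cracklib.so "$1"; then mod=pam_cracklib.so
    else return 1; fi
    minlen=$(pam_param "$1" "$mod" minlen)
    [ -n "$minlen" ] && [ "$minlen" -ge 10 ] || return 1
    for k in ucredit lcredit dcredit ocredit; do
        v=$(pam_param "$1" "$mod" "$k")
        [ -n "$v" ] && [ "$v" -le -1 ] || return 1
    done
}

# check_tmout FILE
# The last uncommented TMOUT assignment must be 600 s or less.
check_tmout() {
    v=$(grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | sed -n 's/.*TMOUT=\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    [ -n "$v" ] && [ "$v" -le 600 ]
}

# audit_host SSHD_PAM PASSWORD_PAM PROFILE
# Print one PASS/FAIL line per control; returns non-zero if any fails.
audit_host() {
    rc=0
    check_lockout "$1"    && echo "PASS lockout    $1" || { echo "FAIL lockout    $1"; rc=1; }
    check_complexity "$2" && echo "PASS complexity $2" || { echo "FAIL complexity $2"; rc=1; }
    check_tmout "$3"      && echo "PASS tmout      $3" || { echo "FAIL tmout      $3"; rc=1; }
    return $rc
}

# Usage on CentOS 7:  AUDIT_PAM=1 sh audit_pam.sh
# Usage on Ubuntu:    AUDIT_PAM=1 PASSWORD_PAM=/etc/pam.d/common-password sh audit_pam.sh
if [ -n "${AUDIT_PAM:-}" ]; then
    audit_host /etc/pam.d/sshd "${PASSWORD_PAM:-/etc/pam.d/system-auth}" /etc/profile
fi
```

The check reads only uncommented lines, so a lockout rule that someone has commented out during troubleshooting is reported as missing rather than as present.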

3. Password expiry

Passwords expire after 90 days.
Passwords are at least 10 characters long.

\cp /etc/login.defs{,.bak}
# These defaults apply to accounts created from now on; existing accounts keep the aging
# values already stored in /etc/shadow (adjust them with "chage -M 90 USER").
sed -Eri 's/^(PASS_MAX_DAYS).*/\1   90/' /etc/login.defs
# PASS_MIN_LEN is only honoured by tools that bypass PAM; with PAM the length is enforced by the
# pam_pwquality / pam_cracklib settings from section 2.
sed -Eri 's/^(PASS_MIN_LEN).*/\1    10/' /etc/login.defs
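PASS_MAX_DAYS in login.defs is a default for accounts created afterwards; every account that already exists keeps the maximum age recorded in field 5 of /etc/shadow, so the 90-day rule is not in force until those entries are changed. The helpers below are an added example, not part of the original post: one reads the value back out of login.defs, one lists accounts that still exceed it (skipping locked and passwordless entries), and one prints the chage commands that would fix them without running anything. Function names and the AUDIT_AGING switch are this example's own.

```bash
#!/bin/sh
# Added example, not part of the original post. login.defs only affects
# accounts created after the change; accounts that already exist keep the
# aging values recorded in /etc/shadow (field 5 = maximum password age).
# These helpers find such accounts and print the chage commands that would
# bring them in line. Function names are this example's own.

# logindefs_value FILE KEY  -> print the numeric value set for KEY, if any
logindefs_value() {
    sed -n "s/^$2[[:blank:]][[:blank:]]*\([0-9][0-9]*\).*/\1/p" "$1" 2>/dev/null | tail -n 1
}

# shadow_over_max SHADOW_FILE MAX_DAYS
# Print users that have a real password hash (field 2 not empty and not
# starting with "!" or "*", i.e. not locked or passwordless) and whose
# maximum age (field 5) is unset or larger than MAX_DAYS.
shadow_over_max() {
    awk -F: -v max="$2" '
        $2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > max + 0) { print $1 }
    ' "$1"
}

# remediation_plan SHADOW_FILE MAX_DAYS
# Print, without executing, one "chage -M" command per offending user;
# pipe the output into "sh" as root once it has been reviewed.
remediation_plan() {
    shadow_over_max "$1" "$2" | while read -r u; do
        printf 'chage -M %s %s\n' "$2" "$u"
    done
}

# Usage as root:  AUDIT_AGING=1 sh audit_aging.sh
# (reads PASS_MAX_DAYS from /etc/login.defs, 90 after section 3, and
#  prints a chage command for each account in /etc/shadow above it)
if [ -n "${AUDIT_AGING:-}" ]; then
    remediation_plan /etc/shadow "$(logindefs_value /etc/login.defs PASS_MAX_DAYS)"
fi
```

Locked (`!`) and passwordless (`*`) entries are skipped on purpose: forcing an expiry on a service account that cannot log in with a password changes nothing and only adds noise to the report.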

Source: blog.csdn.net/qq_29974229/article/details/121288044