1. Home
  2. Training Library
  3. Linux Security and Hardening | CSL4 A3.1 |

PAM Configuration Example

Start course
3h 21m

In this section, you’ll take a deep dive into Linux security. You’ll build your knowledge and skills through a comprehensive overview of the key areas that you need to know to secure Linux systems.

You’ll begin with Linux security in general before moving on to physical security and the countermeasures you can employ to protect your hardware. From there, you’ll explore authentication systems and the various account types on a Linux system, and how to secure each one. You'll also learn how to enforce strong passwords and manage account and password expirations.

In the networking section, you'll learn how to secure network services that run on Linux systems. You'll also learn how the local firewall works in Linux and how to configure it. You’ll learn about file system security and how permissions work in detail, including special modes, file attributes, and ACLs. You'll also discover what rootkits are, how to detect them, and how to remove them.

You’ll also find several security resources you can use to continue your security education and stay on top of the latest security issues for Linux distributions.

There are several knowledge checks as you go through these resources. These will help you identify any areas that you might need or want to review. At the end you’ll find a final exam, where you can test yourself on what you’ve learnt.

Learning Objectives

  • Get a general view of Linux security including roles, network services, encryption, accounts, and multifactor authentication
  • Learn specific strategies for mitigating physical security risks and protecting your Linux systems against the most common physical attacks
  • Learn about data encryption and how to implement it on new Linux systems, as well as those that are already in service
  • Understand the different types of accounts you'll find on a Linux system and the special precautions you need to take with each account type
  • Learn how to enforce good password security practices on your Linux systems
  • Learn about multi-factor authentication and how it can be implemented in Linux
  • Learn techniques and strategies to secure network services
  • Learn how to secure your files and directories on Linux through permissions, data sharing, special modes, file attributes, ACLs, and rootkits

Let's look at a sample PAM configuration. PAM configuration files like most other configuration files, use a hash mark or pound sign to indicate a comment. The first line in this file is a comment. The second line in the file is a directive. Auth is a module interface, required is the control flag, and pam_securetty.so is the authentication module. The three lines that start with auth are known as a stack. In this case, all three directives are required to succeed in order for authentication to be successful. The auth required pam_securetty line ensures that if the user is trying to log in as root, the tty on which the user is logging in is listed in the /etc/securetty file, if that file exists. If the tty is not listed in the file, any attempt to log in as root fails. The next line uses the pam_unix module. This module prompts the user for a password and then checks the password using the information stored in etc password and etc shadow. The nullok argument instructs the pam_unix module to allow blank passwords. The pam_login module is used to prevent non-root users from logging onto this system when either the etc/nologin or /var/run/nologin files are present. As a system administrator, you can use these files to keep people from logging into the system while you perform maintenance for example. When a user logs in, the contents of the nologin file will be displayed to them. Let's move on to the account required pam_unix.so line. The account interface of the pam_unix module performs any necessary account verification such as checking to make sure the account hasn't expired. If the password on the account has expired, the next line comes into play. It uses the pam_pwquality module with an argument of retry=3. This module prompts the user to enter a new password and then perform some quality tests on that password including to see if it's a dictionary word. If the password fails the quality test, the retry=3 argument tells the module to give the user two additional chances to create an acceptable password before returning with an error. The next line uses the password interface of the pam_unix module. The arguments are shadow\nullok and use_authtok. The backslash you see here is simply a line continuation character. If you were to place this on one line then you wouldn't need to use that backslash. The shadow argument tells pam_unix to use shadow passwords. The nullok argument allows a user to change their password from a blank password. If this argument isn't used, a null password is treated as a lock to count. The use_authtok argument tells the module not to prompt for a password, but to use any password that was gathered by a previous password module. This allows us to use the pam_pwquality module to enforce strong passwords. This particular example highlights the importance of the order in which PAM directives are listed. Finally, the last line of this configuration uses the session interface of the pam_unix module which logs when a user logs into or out of the system. If you want to understand exactly what a module does, what interfaces it supports, and what arguments it expects refer to its documentation. The simplest way to do this is to drop the .so extension which stands for shared object by the way, and then pass it as an argument to the man command. So if you want to read up on the pam_unix.so module documentation, you would run man pam_unix. We'll be coming back to PAM from time to time throughout this course. Now that you understand how PAM works in general, we can get into some specific account security measures and how you can go about creating configurations for those measures.

About the Author