Password Complexity Settings

Make sure that the settings are placed in system-auth-ac instead of system-auth so that they are not overwritten when authconfig is run.

Another way to make sure that other scripts or programs (the authconfig script is a good example) do not change the system-auth file and override the new settings is to make the file immutable with chattr. The +i flag marks /etc/pam.d/system-auth immutable:

chattr +i /etc/pam.d/system-auth
touch /var/log/tallylog
cat << 'EOF' > /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
#
# Force Capital Characters In Passwords - ucredit=-X, where X is the number of capital characters required in the password.
# Force Lower Case Characters In Passwords - lcredit=-X, where X is the number of lower case characters required in the password.
# Force Numbers In Passwords - dcredit=-X, where X is the number of digits required in the password.
# Force The Use Of Symbols In Passwords - ocredit=-X, where X is the number of symbols required in the password.
# Force Number Of Retries - retry=X, where X is the number of retries.
# Force Remember - remember=X, where X is the number of previous passwords remembered.
# Force Character Changes In Password - difok=X, where X is the number of characters that must differ between the old and new password.
# Force Deny - deny=X, where X is the number of failed attempts after which pam_tally2 denies access for the user.
# Force Unlock Time - unlock_time=X, where X is the number of seconds after a failed attempt before access is allowed again.

auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 unlock_time=1800 onerr=fail audit
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so cached_login use_first_pass require_membership_of=wheel
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     sufficient    pam_winbind.so cached_login
account     required      pam_permit.so
account     required      pam_tally2.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=8
password    sufficient    pam_winbind.so cached_login use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF
cat << 'EOF' > /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
auth       required     pam_tally2.so per_user
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      system-auth
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
EOF

The file /var/log/tallylog is the binary log in which pam_tally2 records failed login attempts. You can list the current failure counts by running the pam_tally2 command without any options, and unlock a user account before unlock_time expires with pam_tally2 --reset -u username.
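The settings written into system-auth-ac above are exactly the ones authconfig can silently replace, so it is worth having a check that reads a PAM stack file back and confirms the pam_cracklib complexity options and the pam_tally2 lockout options are still there. The script below is an added example, not part of the original how-to: it parses key=value options from the stack lines of a given management group and module, compares them against the values set above, and reports each one. The two sample stacks it ships with are constructed for offline use (the second one resembles an unhardened default, with no minlen, credit or remember options); pass a real path such as /etc/pam.d/system-auth-ac to audit a live system.

```sh
#!/bin/sh
# Added example (not from the original how-to): audit a PAM stack file for the
# pam_cracklib complexity and pam_tally2 lockout settings described above.
# Usage on a live system:  sh pam_audit.sh /etc/pam.d/system-auth-ac

# pam_option FILE TYPE MODULE OPTION
# Prints the value of OPTION (key=value) from the first non-comment line of
# management group TYPE (auth/account/password/session) that loads MODULE
# and carries that option; prints nothing when the option is absent.
pam_option() {
    awk -v type="$2" -v mod="$3" -v opt="$4" '
        /^[ \t]*#/ { next }                       # skip comment lines
        $1 == type && index($0, mod) {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == opt) { print kv[2]; exit }
            }
        }' "$1"
}

# require_setting FILE TYPE MODULE OPTION OP BOUND
# Prints ok/BAD for one setting; returns 1 when it is missing or weaker than
# BOUND. OP is -ge or -le, so negative credit values (ucredit=-1 means "at
# least one upper-case character") are compared in the stricter direction.
require_setting() {
    v=$(pam_option "$1" "$2" "$3" "$4")
    if [ -n "$v" ] && [ "$v" "$5" "$6" ]; then
        echo "ok  $3 $4=$v"
    else
        echo "BAD $3 $4=${v:-missing} (want $5 $6)"
        return 1
    fi
}

# pam_check FILE -> 0 if every setting meets the policy, 1 otherwise.
# The policy mirrors the values the how-to writes into system-auth-ac.
pam_check() {
    rc=0
    require_setting "$1" password pam_cracklib.so minlen      -ge 8    || rc=1
    require_setting "$1" password pam_cracklib.so ucredit     -le -1   || rc=1
    require_setting "$1" password pam_cracklib.so lcredit     -le -1   || rc=1
    require_setting "$1" password pam_cracklib.so dcredit     -le -1   || rc=1
    require_setting "$1" password pam_cracklib.so ocredit     -le -1   || rc=1
    require_setting "$1" password pam_unix.so     remember    -ge 8    || rc=1
    require_setting "$1" auth     pam_tally2.so   deny        -le 3    || rc=1
    require_setting "$1" auth     pam_tally2.so   unlock_time -ge 1800 || rc=1
    return $rc
}

# Constructed sample stacks so the script runs offline. HARDENED_STACK carries
# the how-to's values; DEFAULT_STACK resembles an unhardened default.
HARDENED_STACK=$(mktemp)
DEFAULT_STACK=$(mktemp)
trap 'rm -f "$HARDENED_STACK" "$DEFAULT_STACK"' EXIT
cat << 'EOF' > "$HARDENED_STACK"
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 unlock_time=1800 onerr=fail audit
auth        sufficient    pam_unix.so nullok try_first_pass
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=8
EOF
cat << 'EOF' > "$DEFAULT_STACK"
#%PAM-1.0
auth        sufficient    pam_unix.so nullok try_first_pass
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
EOF

# Audit the file given on the command line, or the constructed samples.
if [ $# -gt 0 ]; then
    pam_check "$1"
else
    echo "== hardened sample =="
    pam_check "$HARDENED_STACK"
    echo "== unhardened sample =="
    pam_check "$DEFAULT_STACK" || true
fi
```

Matching on both the management group and the module name matters: pam_unix.so appears in the auth, account, password and session groups, and only the password line carries remember=, so a check that matched on the module name alone would stop at the auth line and report the option as missing. Run the script from cron or a configuration-management check after any authconfig invocation to catch a reverted stack.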