Password Complexity Settings

Make sure the settings go into system-auth-ac instead of system-auth, so that they are not overwritten when authconfig is used.

Another way to make sure that other scripts or programs (the authconfig script is a good example) do not change the system-auth file and override the new settings is to make the file immutable. We do this using 'chattr'; the first command below marks /etc/pam.d/system-auth immutable:

chattr +i /etc/pam.d/system-auth
touch /var/log/tallylog
cat << 'EOF' > /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
#
# Force Capital Characters In Passwords - ucredit=-X, where X is the number of capital characters required in the password.
# Force Lower Case Characters In Passwords - lcredit=-X, where X is the number of lower case characters required in the password.
# Force Numbers In Passwords - dcredit=-X, where X is the number of digits required in the password.
# Force The Use Of Symbols In Passwords - ocredit=-X, where X is the number of symbols required in the password.
# Force Number Of Retries - retry=X, where X is the number of retries.
# Force Remember - remember=X, where X is the number of previous passwords remembered.
# Force Character Changes In Password - difok=X, where X is the number of characters that must differ between the old and the new password.
# Force Deny - deny=X, where X is the number of failed attempts (the pam_tally2 count) after which the account is locked.
# Force Unlock Time - unlock_time=X, where X is the number of seconds after which a locked account is unlocked automatically.
#
# NOTE: the module column (the pam_*.so file name) is missing from every rule as reproduced on this page;
# each rule below keeps only its type, control flag and options.
auth        required
auth        required      deny=3 unlock_time=1800 onerr=fail audit
auth        sufficient    nullok try_first_pass
auth        requisite     uid >= 500 quiet
auth        sufficient    cached_login use_first_pass require_membership_of=wheel
auth        required
account     required      broken_shadow
account     sufficient
account     sufficient    uid < 500 quiet
account     sufficient    cached_login
account     required
account     required
password    requisite     try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password    sufficient    md5 shadow nullok try_first_pass use_authtok remember=8
password    sufficient    cached_login use_authtok
password    required
session     optional      revoke
session     required
session     optional      skel=/etc/skel umask=0022
session     [success=1 default=ignore] service in crond quiet use_uid
session     required
EOF
cat << 'EOF' > /etc/pam.d/login
auth       [user_unknown=ignore success=ok ignore=ignore default=bad]
auth       include      system-auth
auth       required     per_user
account    required
account    include      system-auth
password   include      system-auth
# close should be the first session rule
session    required     close
session    optional     force revoke
session    required
session    include      system-auth
session    optional
# open should only be followed by sessions to be executed in the user context
session    required     open
EOF

The file /var/log/tallylog is a binary log in which PAM (pam_tally2) records failed login attempts. You can list the current failure counts by running the pam_tally2 command without any options, and unlock a user account before unlock_time expires with pam_tally2 --reset -u username
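As an added illustration, not code from the original page or from Linux-PAM, the following Python model of pam_cracklib's credit arithmetic shows how the "password requisite ... minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" line above is evaluated, and why the negative credits matter: a positive credit only shortens the required length, while a negative one demands the character class. The difok check is approximated with an edit distance, and the policy class, function names and sample passwords are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CracklibPolicy:
    """Options from the 'password requisite' line above; difok=0 disables the old/new check."""
    minlen: int = 8
    ucredit: int = -1
    lcredit: int = -1
    dcredit: int = -1
    ocredit: int = -1
    difok: int = 0


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a simplified stand-in for pam_cracklib's difok comparison."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(new: str, policy: CracklibPolicy, old: str = "") -> list:
    """Return the reasons the password would be rejected; an empty list means it passes."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "other": 0}
    for c in new:
        kind = "upper" if c.isupper() else "lower" if c.islower() else "digit" if c.isdigit() else "other"
        counts[kind] += 1
    credits = {"upper": policy.ucredit, "lower": policy.lcredit,
               "digit": policy.dcredit, "other": policy.ocredit}
    required = policy.minlen
    problems = []
    for cls, n in counts.items():
        credit = credits[cls]
        if credit >= 0:
            # Positive credit: each such character (up to the credit) counts extra toward minlen.
            required -= min(n, credit)
        elif n < -credit:
            # Negative credit: a hard minimum for that character class.
            problems.append(f"need at least {-credit} {cls} character(s)")
    if len(new) < required:
        problems.append(f"too short: {len(new)} < {required} after credits")
    if old and policy.difok > 0 and _edit_distance(old, new) < policy.difok:
        problems.append(f"fewer than difok={policy.difok} characters changed")
    return problems
```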