cancel
Showing results for 
Search instead for 
Did you mean: 
Chetan_Tiwary_
Community Manager
Community Manager
  • 1,217 Views

Red Hat Linux Interview Series 23

Q.) How can you configure your VM to lock accounts after five failed login attempts, and to unlock after 15 minutes ?

 

Q.) With SELinux, how can you Confine users to prevent them from using the sudo and su commands ?

Bonus Q.) How can you prevent those users from running programs in their home directory? 

 

Q.) How will you patch 100 linux servers in the given single maintenance window ?

 

 

Level - L2 and above.

 

I'll be posting a series of Linux-related questions covering various skill levels. Feel free to share your insights and expertise. Your contributions will benefit learners at all stages, from those in current roles to those preparing for Linux interviews.

8 Replies
Trevor
Starfighter Starfighter
Starfighter
  • 1,113 Views

Question: How can you configure your VM to lock accounts after five failed login attempts, and to unlock after 15 minutes ?

 

Here are the steps:

1)  Edit the PAM configuration file for sytem-auth  -  use your favorite editor

       #  vi  /etc/pam.d/system-auth

2)  Locate the line that starts with  auth  [ default=1 ]  pam_unix.so ... and add the following paramete rs at the end of the line:

         auth  [ default=1 ]  pam_unix.so  remember=5   faillock=5

3)  Save and exit the file

4)  Edit the PAM configuration file for  password-auth:

      #  vi   /etc/pam.d/password-auth

5)  Locate the line that starts with  auth  [ default=1 ]  pam_unix.so ...  and add the following parameters at the end of the line:

        auth  [ default=1 ]  pam_unix.so  remember=5   faillock=5

6)  Save and exit the file

 

The  steps above will configure the Linux system to lock an account after 5 failed login attempts.  Now, let's see the steps to auto unlock the account 15 miinutes afterwards.

1)  Edit the file  /etc/pam.d/common-auth

2)  Add the following line to the file:

            auth required  pam_tally2.so  onerr=fail  deny=5  unlock_time=900

3)  Save and exit the file

4)  Restart the sshd service - to apply the changes for the first 6 steps, as well as the changes for the last 3 steps.

A little explanation for some of the pieces in the line added to the common-auth file:

     *  auth required  -  Specifies that the pam_tally2 module is required for
                                       authenticaiton

     *  onerr=fail  -  If an error occurs during authentication, the attempt is
                                considered a failure

     *  deny=5  -  The account will be locked after 5 failed attempts

     *  unlock_time=900  -  The account will be unloced after the lockout period of
                                            900 seconds  (15 minutes)

 

 

 

 

 

Trevor "Red Hat Evangelist" Chandler
Chetan_Tiwary_
Community Manager
Community Manager
  • 1,045 Views

Nice job explaining the configuration and the answer @Trevor !

Prasannan
Mission Specialist
Mission Specialist
  • 991 Views

Good explanation

0 Kudos
Trevor
Starfighter Starfighter
Starfighter
  • 1,112 Views

How to prevent users from executing the su and sudo commands, by using SELinux to confine them?

 

To confine users in SELinux, and prevent them from using su and sudo, the user
accounts need to be mapped to a specific-confined SELinux user, that limits the 
capabilities of the user account.  The SELinux user, "user_u", will provide this
limitation (i.e. restriction).

To confine a Linux user account, use the -Z option ,with the useradd command, to
explicitly map the user account to the "user_u" SELinux user.

Note:  Linux user accounts that are mapped to the SELinux user "user_u" , can only
perform actions allowed by the SELinux policy.  The SELinux policy prevents direct
execution of the sudo and su commands, by Linux user accounts that are mapped
to the SELinux user "user_u".

So, to achieve this restriction of su and sudo use, the following command should
be used when creating a Linux user account:

#   useradd  -Z  user_u  Linux-user-account
- This command will create a confined Linux user account
-  Use of the su and sudo command will be prohibited

 

 

 

 

 

 

Trevor "Red Hat Evangelist" Chandler
Trevor
Starfighter Starfighter
Starfighter
  • 1,111 Views

Bonus Q.) How can you prevent those users from running programs in their home directory? 

 

Hello Chetan, on this bonus question, did you want that accomplished
using SELinux?  I've got a couple of non-SELinux methods to make 
that happen if SELinux is not a requirement.

Trevor "Red Hat Evangelist" Chandler
Chetan_Tiwary_
Community Manager
Community Manager
  • 1,090 Views

Yes that bonus one is related to that corresponding Selinux question.
Trevor
Starfighter Starfighter
Starfighter
  • 956 Views

Here's my best whack at that bonus question.

To confine Linux user accounts from executing applications in their home directory, the first step is to modify the SELinux user that the account is mapped to. This is achieved via the following commands:

-    # semanage login -a -s user_u linux-user-account-name
-    # semanage login -m -s user_u linux-user-account name

Now, after this is done, there is an SELinux boolean that needs to be
set to off:   user_exec_content

That boolean can be set to off using the following command:

      # setsebool   -P  user_exec_content  off

 

Note:
By default, all Linux user accounts are mapped with to the default
SELinux user unconfined_u, which provides privilege across the entire
Linux system.  To protect the Linux system from user accounts that 
have virtually no restriction (SELinux unconfined_u), we can change
the default SELinux user from unconfined_u to user_u.

 

 

Trevor "Red Hat Evangelist" Chandler
Chetan_Tiwary_
Community Manager
Community Manager
  • 870 Views

@Trevor you got it !

0 Kudos
Join the discussion
You must log in to join this conversation.