Harden PAM (User Authentication)
Upon completing all the other settings, it's time to configure PAM for local user authentication. This section guides you on how to harden PAM.
Identified Threats
These are the identified threats related to PAM and local user authentication on Debian.
(T-27) Installation Does Not Enforce Obscure Password Checks for Local Accounts
The installation does not guarantee that pam_unix's obscure checks (rejecting palindromes, case-only changes, rotations and passwords too similar to the previous one) are enforced, so users can set passwords that are easy to guess or to crack should the hash ever leak.
(T-28) Installation Does Not Enforce a Strong Password Hash for Local Accounts
Nothing forces the password hashes in /etc/shadow onto a strong algorithm (SHA-512 or yescrypt). An account whose password was hashed with an older algorithm such as MD5 keeps that hash until the password is changed, which makes offline cracking cheaper if /etc/shadow is ever read.
(T-29) Installation Did Not Set Up or Enforce Second-Factor Authentication
By default, the installer neither installs nor enforces any second-factor authentication.
(T-30) Everyone Can Attempt to Drop into the Root Account Using Su
Nothing restricts which users may invoke su, so any local account can repeatedly try the root password.
(T-31) Sudo Is Installed Regardless of Whether It Is Used
Sudo is installed whether or not it will be used, leaving an unneeded setuid binary on the system.
(T-32) Missing Default Policy for Undefined PAM Applications
A PAM-aware application without its own file under /etc/pam.d falls through to /etc/pam.d/other, which on Debian simply includes the common-* stacks instead of denying by default.
(T-33) Users Can Read and Access Everything inside the OS
Users' read and access permissions are not restricted beyond the stock file permissions.
(T-34) Users Can Read and Access Other Users' Data
Home directories may be created readable by every user on the system, so users can read other users' data.
(T-35) Idle Users Are Left Connected for a Long Time
By default, nothing times out idle sessions, leaving unattended terminals open to session hijacking.
(T-36) User Activities Are Not Audited
By default, no auditing tool is set up to monitor user activity.
(T-37) Users Without Administrator Rights Are Not Held Back by an Access Policy
By default, no login access policy (pam_access) limits where or how accounts, privileged ones included, may log in; the only boundary between ordinary and administrative users is file permissions.
(T-38) FTP May Be Installed and Enabled
If an FTP daemon such as vsftpd is installed, it transmits credentials and data in cleartext.
(T-39) Users Are Not Limited in Their Use of OS Resources
By default, any user can consume computer resources (e.g. CPU, memory, storage, processes) without limits.
(T-40) Per-User Tmp Directory Is Not Implemented
By default, all users share /tmp; no per-user temporary directory is set up.
(T-41) Root Account Is Login Capable
By default, the root account can log in directly like an ordinary user account.
Actions Required
Here is the list of actions to counter the issues.
Ensure obscure and sha512 Exist in /etc/pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure minlen=12 sha512 ...
These options only take effect when a password is set or changed. Existing users keep their current hash (and its algorithm) until they change their password, so have every existing user reset their password once the line is in place. Newer Debian releases default to yescrypt instead of sha512; either is acceptable, but keep the algorithm consistent with ENCRYPT_METHOD in /etc/login.defs.
Install libpam-cracklib
To enforce a stronger password policy, install libpam-cracklib, which provides most of the checks in one module. Its dictionary check is only as good as the word lists available to cracklib, so install the word-list packages alongside it:
$ apt install wbritish-huge wamerican-huge wnorwegian wngerman wswedish wfrench witalian wspanish wcanadian-huge wcatalan miscfiles wgerman-medical wportuguese wukrainian wgalician-minimos wfaroese wpolish wswiss wogerman wesperanto wdutch wdanish wbrazilian wbulgarian libpam-cracklib
On releases where libpam-cracklib is no longer packaged, install libpam-pwquality instead; pam_pwquality.so accepts the same retry, minlen, difok, ucredit, lcredit, dcredit and ocredit options used below.
Now verify /etc/pam.d/common-password. It should be configured as shown below. IMPORTANT: install libpam-cracklib first; if the module file is missing, the password stack fails and nobody can change a password. The example uses:
- 3 retry attempts (retry=3)
- 16 characters minimum (minlen=16)
- 3 characters minimum that differ from the old password (difok=3)
- 1 uppercase character minimum (ucredit=-1)
- 2 lowercase characters minimum (lcredit=-2)
- 2 digits minimum (dcredit=-2)
- 2 symbol characters minimum (ocredit=-2)
password required pam_cracklib.so retry=3 minlen=16 difok=3 ucredit=-1 lcredit=-2 dcredit=-2 ocredit=-2
password [success=1 default=ignore] pam_unix.so obscure minlen=12 sha512 use_authtok
Note the spelling of use_authtok: it makes pam_unix reuse the password already checked by pam_cracklib instead of prompting again. A misspelt option is logged as unrecognized and ignored, and the user is prompted twice.
VERY IMPORTANT NOTE
The policy above is enforced only when a password is changed; existing passwords keep working for login. To bring existing accounts under the policy, force a change at next login with chage -d 0 username for each user. Before logging out, test a password change and a fresh login from a second terminal, so that a typo in the PAM stack cannot lock you out (recovery mode would otherwise be the only way back in).
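Because the new hashing and strength rules only take effect when a password is changed, the first thing to find out is which existing accounts still carry an old hash. The following shell script is an added example, not part of the original guide: it reads a shadow-format file (path given as an argument; a constructed sample is embedded so it runs without root), reports accounts whose hash is neither SHA-512 ($6$) nor yescrypt ($y$), and can expire those passwords with chage -d 0 so the users are forced through the new common-password stack at their next login. Function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a shadow file for accounts
# whose password hash was not produced with SHA-512 ($6$) or yescrypt ($y$).  Such
# accounts keep authenticating with the old hash until the user changes their
# password, so the hardened common-password stack does not protect them yet.

# weak_hash_accounts [SHADOWFILE]
#   Prints "user:hash-type" for each account whose hash is not SHA-512/yescrypt.
#   Locked (! or *) and empty entries are skipped; they cannot log in anyway.
#   Defaults to /etc/shadow, which needs root to read.
weak_hash_accounts() {
    awk -F: '
        $2 == "" || $2 ~ /^[!*]/ { next }                   # locked or no password
        $2 ~ /^[$]6[$]/ || $2 ~ /^[$]y[$]/ { next }         # SHA-512 or yescrypt: fine
        {
            type = "des/crypt"                              # 13-char traditional crypt
            if ($2 ~ /^[$]1[$]/) type = "md5"
            else if ($2 ~ /^[$]5[$]/) type = "sha256"
            else if ($2 ~ /^[$]2[aby]?[$]/) type = "bcrypt"
            print $1 ":" type
        }' "${1:-/etc/shadow}"
}

# expire_weak_accounts [SHADOWFILE] [apply]
#   For every account reported above, expire the password so the user must set a
#   new one (under the new policy) at next login.  Dry-run unless $2 is "apply".
expire_weak_accounts() {
    weak_hash_accounts "$1" | while IFS=: read -r user type; do
        if [ "$2" = "apply" ]; then
            chage -d 0 "$user"
        else
            echo "would run: chage -d 0 $user   # current hash: $type"
        fi
    done
}

# Constructed sample shadow file for the demonstration; the hashes are placeholders,
# not real credentials.  Only the "$id$" prefix matters to the audit.
SAMPLE_SHADOW="$(mktemp)"
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$salt$fakehashfordemo:19000:0:99999:7:::
alice:$y$j9T$salt$fakehashfordemo:19000:0:99999:7:::
bob:$1$salt$fakehashfordemo:19000:0:99999:7:::
carol:$5$salt$fakehashfordemo:19000:0:99999:7:::
dave:!:19000:0:99999:7:::
sync:*:19000:0:99999:7:::
eve:fakeDEShash13:19000:0:99999:7:::
EOF

# Dry run against the sample: bob (md5), carol (sha256) and eve (des/crypt) are listed.
expire_weak_accounts "$SAMPLE_SHADOW"
```

On a live system run `weak_hash_accounts` as root without arguments, review the list, and then `expire_weak_accounts /etc/shadow apply`; root's own password should be changed by hand first so that the forced change cannot leave you without a working administrative login.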
Set Up 2FA from a List
To enable 2FA, install one or more of the following PAM modules:
- libpam-google-authenticator - 6 digit time-based OTP
- libpam-poldi - Authentication using a OpenPGP Smart Card
- libpam-yubico - Two-factor password and YubiKey OTP PAM module
Then create the 2FA PAM settings inside /etc/pam.d/<2fa>-auth. For example, for Google Authenticator the file is /etc/pam.d/google-auth with the following contents:
#
# /etc/pam.d/google-auth - use of google authenticator
#
# This is to add google authenticator verification as a 2FA
# feature in machine.
#
# nullok is added to ensure users without google authenticator
# setup can also login.
auth required pam_google_authenticator.so nullok
Then add the 2FA include to each applicable PAM service file, directly after its @include common-auth statement so that the password is checked first and the OTP second. Suitable files are:
/etc/pam.d/login
/etc/pam.d/sshd
/etc/pam.d/lightdm
Here is an example for /etc/pam.d/login:
...
# Standard Un*x authentication.
@include common-auth
@include google-auth
...
Attention: not all display managers support a 2FA prompt. Check before applying the 2FA element, otherwise you cannot log in to the desktop. For sshd, PAM prompts are only shown when sshd_config has UsePAM yes and KbdInteractiveAuthentication yes (ChallengeResponseAuthentication yes on older OpenSSH); with pure public-key authentication the PAM auth stack is not run and the OTP is never asked for.
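An added example (not from the original guide) that checks the two things that most often make a 2FA rollout silently ineffective: the google-auth include landing before common-auth (or not at all), and sshd never showing PAM prompts because keyboard-interactive authentication is off. File paths are parameters, the sample files are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that the 2FA include sits
# after common-auth in a PAM service file, and that sshd is configured so the
# OTP prompt is actually shown.  Sample files below are constructed.

# pam_2fa_after_common_auth FILE
#   Exit 0 when FILE contains "@include common-auth" followed later by
#   "@include google-auth"; exit 1 when either is missing or the order is
#   reversed (with the OTP module first, the password is asked for second; with
#   the include absent, no OTP is ever requested).
pam_2fa_after_common_auth() {
    awk '
        /^[[:space:]]*@include[[:space:]]+common-auth[[:space:]]*$/ { base = NR }
        /^[[:space:]]*@include[[:space:]]+google-auth[[:space:]]*$/ { tfa = NR }
        END { exit !(base && tfa && tfa > base) }
    ' "$1"
}

# sshd_accepts_pam_prompts SSHD_CONFIG
#   Exit 0 when UsePAM is yes and keyboard-interactive authentication is
#   explicitly enabled (KbdInteractiveAuthentication, or the older spelling
#   ChallengeResponseAuthentication).  sshd honours the first occurrence of a
#   keyword, so only the first match of each is considered.  An absent keyword
#   counts as "not enabled", which matches Debian's shipped sshd_config.
#   Match blocks are not evaluated.
sshd_accepts_pam_prompts() {
    awk '
        tolower($1) == "usepam" && !seen_pam {
            pam = (tolower($2) == "yes"); seen_pam = 1
        }
        (tolower($1) == "kbdinteractiveauthentication" ||
         tolower($1) == "challengeresponseauthentication") && !seen_kbd {
            kbd = (tolower($2) == "yes"); seen_kbd = 1
        }
        END { exit !(pam && kbd) }
    ' "$1"
}

# Constructed samples standing in for /etc/pam.d/sshd and /etc/ssh/sshd_config.
GOOD_PAM="$(mktemp)"; BAD_PAM="$(mktemp)"
cat > "$GOOD_PAM" <<'EOF'
# constructed: include placed after common-auth, as the guide requires
@include common-auth
@include google-auth
@include common-account
EOF
cat > "$BAD_PAM" <<'EOF'
# constructed: include present but before common-auth
@include google-auth
@include common-auth
EOF
GOOD_SSHD="$(mktemp)"; BAD_SSHD="$(mktemp)"
cat > "$GOOD_SSHD" <<'EOF'
# constructed sshd_config excerpt that lets PAM prompt for the OTP
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
EOF
cat > "$BAD_SSHD" <<'EOF'
# constructed: Debian's shipped defaults, PAM prompts are never shown
UsePAM yes
KbdInteractiveAuthentication no
EOF

for f in "$GOOD_PAM" "$BAD_PAM"; do
    if pam_2fa_after_common_auth "$f"; then
        echo "$f: 2FA include ordered correctly"
    else
        echo "$f: 2FA include missing or misordered"
    fi
done
for f in "$GOOD_SSHD" "$BAD_SSHD"; do
    if sshd_accepts_pam_prompts "$f"; then
        echo "$f: sshd will show PAM prompts"
    else
        echo "$f: sshd will NOT show PAM prompts"
    fi
done
```

On a real host call the functions with /etc/pam.d/sshd and /etc/ssh/sshd_config. To require both a key and the OTP over SSH rather than either one alone, also set AuthenticationMethods publickey,keyboard-interactive in sshd_config, and keep an existing session open while testing.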
Uninstall Sudo If Unused
One can remove sudo if the system opts for the su-based administration model:
$ apt autoremove --purge sudo -y
Shell scripts written as $sudo command then need that variable defined. Add the following to /etc/profile (this sets a variable, not an alias; /etc/profile is read by sh, so the test is written in POSIX form rather than with bash's type -p):
if ! command -v sudo >/dev/null 2>&1; then
export sudo=""
else
export sudo="sudo"
fi
Add Default PAM Policy
Add a deny-by-default policy for PAM-aware applications that have no file of their own under /etc/pam.d by editing /etc/pam.d/other (Debian's stock file merely includes the common-* stacks). Every stack warns, then denies, so an unknown service is logged and refused:
auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so
The pam_unix_auth.so, pam_unix_acct.so, pam_unix_passwd.so and pam_unix_session.so names seen in older guides no longer exist as separate modules (pam_unix.so covers all four), and with pam_deny.so marked required after them they would never let anything through anyway; pam_securetty.so is likewise redundant in a stack that denies everything. Before applying this, confirm that every service you rely on (for example login, sshd, su, passwd, cron, the display manager, systemd-user and polkit-1) has its own file in /etc/pam.d, because anything without one will now be refused and logged.
Control User Group for System-wide and Home Directory
Audit the user groups and set permissions appropriately. Alternatively, install the libpam-chroot package and configure it in /etc/pam.d/ to confine selected users to a chroot.
The same applies to each user's directory under /home, which should be accessible only by its owner (mode 0700), and to the default mode that adduser gives new home directories.
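An added example (not from the original guide) for the home-directory part of this step: it lists the directories under a home root that group or other can read and tightens them to 0700. The home root is a parameter so the script can run against a constructed tree; on a real system pass /home. The function names are my own, and the adduser.conf adjustment is shown as a comment for the administrator to apply by hand.

```shell
#!/bin/sh
# Added example (not from the original guide): find home directories that other
# users can read, and tighten them.  HOMEROOT is a parameter so the check can run
# against a constructed tree; on a real system use /home.

# readable_by_others HOMEROOT
#   Prints each directory directly under HOMEROOT whose mode grants read to group
#   or other (GNU find: -perm -g=r matches when the g+r bit is set).
readable_by_others() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \( -perm -g=r -o -perm -o=r \) | sort
}

# tighten_homes HOMEROOT [apply]
#   Dry-run by default; with "apply", sets each reported directory to 0700 so only
#   its owner (and root) can enter it.
tighten_homes() {
    readable_by_others "$1" | while read -r dir; do
        if [ "$2" = "apply" ]; then
            chmod 0700 "$dir"
        else
            echo "would run: chmod 0700 $dir"
        fi
    done
}

# For accounts created later, have adduser create 0700 homes from the start.
# adduser reads DIR_MODE from /etc/adduser.conf; apply this by hand as root:
#   sed -i 's/^DIR_MODE=.*/DIR_MODE=0700/' /etc/adduser.conf

# Constructed sample tree standing in for /home.
SAMPLE_HOME="$(mktemp -d)"
mkdir -m 0700 "$SAMPLE_HOME/alice"   # already private
mkdir -m 0755 "$SAMPLE_HOME/bob"     # historical adduser default: world-readable
mkdir -m 0750 "$SAMPLE_HOME/carol"   # readable by the user's group

# Dry run: reports bob and carol, leaves alice alone.
tighten_homes "$SAMPLE_HOME"
```

Run `tighten_homes /home` first to review the list, then `tighten_homes /home apply`. Services that deliberately serve files from home directories (for example a web server's per-user directories) will stop working with 0700 and need a separate, explicit exception.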
Purge FTP from System
Purge FTP from the system and replace it with a secured alternative that runs over SSH, such as SFTP or SSHFS:
$ apt autoremove --purge vsftpd -y
Check for other FTP daemons (for example proftpd or pure-ftpd) with dpkg -l and purge them in the same way.
Audit Login Policy
Ensure /etc/login.defs has the following:
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
ENCRYPT_METHOD SHA512
LOG_UNKFAIL_ENAB stays off on purpose: logging unknown usernames on failed logins would record passwords that users mistype into the username field. If common-password uses yescrypt rather than sha512, set ENCRYPT_METHOD YESCRYPT here so that both agree.
Create Wheel Group to Restrict Su Access
To restrict who may use su, create a wheel group, add the administrators to it and apply it in the PAM policy for su:
$ addgroup wheel
$ groupmems -g wheel -a "root"
$ groupmems -g wheel -a "username"
Once done, edit /etc/pam.d/su so that it contains the following line before @include common-auth (Debian ships it commented out; uncomment it):
auth required pam_wheel.so group=wheel
The debug option can be appended while testing but is noisy in normal operation. Test su from a second terminal as a non-wheel user before closing your root session.
Restrict members of the wheel group to local logins in /etc/security/access.conf by uncommenting (and adjusting) the line:
-:wheel:ALL EXCEPT LOCAL
The stock file's commented example appends a domain suffix after LOCAL; keep it only if hosts in that domain should also be allowed. Then enable pam_access.so in the relevant /etc/pam.d/ files (login and sshd ship a commented account required pam_access.so line) so that access.conf is actually consulted.
Restrict User Resources and Limitations
Configure per-user resource limits in /etc/security/limits.conf (or in a file under /etc/security/limits.d/), which pam_limits.so applies at session start. Guide: https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#user-limits
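An added example (not from the original guide) of a pam_limits fragment together with a validator for it. The limit values are illustrative and should be adjusted to the machine; the destination path is a parameter so the functions can be exercised on a temporary file (the real target would be /etc/security/limits.d/99-hardening.conf). The function names and the file name are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): write a pam_limits fragment and
# validate it before relying on it.  pam_limits logs and skips lines it cannot
# parse, so a typo would otherwise leave a limit silently unset.

# write_limits_conf DEST
#   Writes an example fragment in limits.conf format: domain type item value.
write_limits_conf() {
    cat > "$1" <<'EOF'
# Applied by pam_limits.so at session start. Fields: domain type item value.
# Core dumps off: they can contain credentials and keys that were in memory.
*        hard  core         0
# Ceiling on processes per user, i.e. a fork-bomb limit.
*        hard  nproc        4096
# Open files per process.
*        hard  nofile       65536
# Concurrent logins per user, and system-wide.
*        hard  maxlogins    4
*        -     maxsyslogins 10
# Administrators may legitimately need more processes.
@wheel   hard  nproc        8192
root     -     nproc        unlimited
EOF
}

# limits_conf_errors FILE
#   Prints every malformed line (wrong field count, unknown type or item, bad
#   value) and exits 1 if any were found; exits 0 for a clean file.  The item
#   list is the one documented in limits.conf(5).
limits_conf_errors() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            ok = (NF == 4)
            if (ok) ok = ($2 == "hard" || $2 == "soft" || $2 == "-")
            if (ok) ok = ($3 ~ /^(core|data|fsize|memlock|nofile|rss|stack|cpu|nproc|as|maxlogins|maxsyslogins|priority|locks|sigpending|msgqueue|nice|rtprio)$/)
            if (ok) ok = ($4 ~ /^(-?[0-9]+|unlimited|infinity)$/)
            if (!ok) { print FILENAME ":" NR ": " $0; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Demonstration on temporary files (constructed, not real system paths).
DEMO_LIMITS="$(mktemp)"
write_limits_conf "$DEMO_LIMITS"
limits_conf_errors "$DEMO_LIMITS" && echo "$DEMO_LIMITS: well-formed"

# A fragment with two typos for contrast: "nofiles" is not a pam_limits item and
# "4k" is not a number, so both lines are reported.
BAD_LIMITS="$(mktemp)"
printf '%s\n' '*  hard  nofiles  65536' '*  hard  nproc  4k' > "$BAD_LIMITS"
limits_conf_errors "$BAD_LIMITS" || echo "$BAD_LIMITS: fix the lines above"
```

After installing the real fragment, log in again as an ordinary user and compare `ulimit -u` and `ulimit -n` with the values written; a limit that does not show up there means pam_limits is not in the session stack for that service or the line was skipped.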
Install libpam-tmpdir
Install libpam-tmpdir, which gives each user a private temporary directory under /tmp/user/<uid> and points TMPDIR and TMP at it:
$ apt install libpam-tmpdir -y
Ensure /etc/pam.d/common-session has:
session optional pam_tmpdir.so
Disable Root Account Login via PAM
To disable direct root login, apply the procedure from the section Disable User Account Login via PAM Script to the root account. Keep su (restricted to the wheel group above) as the way to reach root, and test it before locking root out.
That's all for hardening Debian by hardening PAM and user access.