Harden PAM (User Authentication)

Identified Threats

These are the identified threats related to the default PAM and user-account configuration of a Debian installation.

(T-27) Installation Does Not Enforce Password Obscurity Checks for Local Accounts

During installation, the PAM configuration the installer writes does not guarantee that new passwords are checked for obviousness (the pam_unix obscure option), so users can set weak, easily guessed passwords.

(T-28) Installation Does Not Enforce Strong Password Hashing for Local Accounts

During installation, the PAM configuration does not guarantee that local passwords are stored with a strong hash (e.g. sha512); weakly hashed entries in /etc/shadow are far easier to crack if the file is ever read.

(T-29) Installation Does Not Set Up or Enforce Second-Factor Authentication

By default, the installer installs no second-factor authentication module and does not enforce one.

(T-30) Everyone Can Drop into the Root Account using su

Any user can attempt to switch to root with su; only knowledge of the root password stands in the way, and nothing limits which users may even try.

(T-31) sudo Is Installed Regardless of Whether It Is Used

sudo is installed whether or not it will be used, leaving an extra privilege-escalation path and setuid binary on the system.

(T-32) Missing Policies for Undefined PAM Applications

For PAM-aware applications that have no file of their own in /etc/pam.d/ (undefined services), there is no restrictive default policy guarding them.

(T-33) Users Can Read and Access Most of the OS

Users' read and execute permissions across the filesystem are not narrowed beyond the default file modes.

(T-34) Users Can Read and Access Other Users' Data

Depending on the adduser defaults, home directories may be created world-readable (DIR_MODE 0755), so users can read each other's files.

(T-35) Idle Users Are Left Connected for a Long Time

By default, there is no mechanism to time out idle users, so unattended sessions stay open for anyone who can reach the terminal to hijack.

(T-36) User Activities Are Not Audited

By default, no auditing tools are set up to monitor users' activities.

(T-37) Users Without Administrator Rights Can Attempt Administration Activities

By default, nothing restricts which users may attempt administrative actions, whether by switching to root with su or sudo or through PAM-aware services; membership in an administrators' group is not enforced.

(T-38) FTP Server Installed and Enabled

An FTP server (e.g. vsftpd) may be present and enabled; FTP sends credentials and data in cleartext.

(T-39) Users Are Not Limited in Their Use of OS Resources

By default, any user can consume computer resources (e.g. CPU, memory, storage, open files, processes) without limits.

(T-40) Per-User Tmp Directory Is Not Implemented

By default, no per-user temporary directory is set up; every user shares the world-writable /tmp.

(T-41) Root Account Is Login Capable

By default, the root account can log in interactively like any other user account.

Actions Required

Here is the list of actions to counter the issues.

Ensure obscure and sha512 Exists in /etc/pam.d/common-password

One must ensure the pam_unix line in /etc/pam.d/common-password has "obscure" and "sha512" listed:

password [success=1 default=ignore] pam_unix.so obscure minlen=12 sha512 ...

This does not rewrite hashes already in /etc/shadow: each existing user must set a new password (passwd) so that it is re-hashed with sha512 and checked against the new policy. Note that Debian 11 (bullseye) and later ship the line with yescrypt instead of sha512; either is acceptable, the point is that a strong salted hash is enforced.
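Enabling sha512 on the pam_unix line does not touch hashes already in /etc/shadow, so it is worth checking both files. The following Python script is an added example, not part of this guide: it checks the pam_unix password line for obscure, a strong hash option, use_authtok and nullok, and lists the accounts whose stored hash is still md5, sha256, DES or empty. The file contents embedded below are constructed samples with placeholder hashes; the script reads real files only when given their paths (and must then run as root to read /etc/shadow). Treating $y$ (yescrypt) as acceptable reflects the Debian 11+ default and is this example's choice.

```python
"""Audit the pam_unix password line and the hash algorithms in /etc/shadow.

Added example; not part of the original guide. It parses the two files as
text, so it can be pointed at copies, at the live files (as root) or at the
constructed samples below.
"""
import re
import sys

# crypt(3) prefixes as written by pam_unix on Debian: (name, strong enough?)
HASH_IDS = {
    "$y$": ("yescrypt", True),
    "$gy$": ("gost-yescrypt", True),
    "$7$": ("scrypt", True),
    "$6$": ("sha512", True),
    "$5$": ("sha256", False),
    "$1$": ("md5", False),
}

# password-type line calling pam_unix.so; the control field may be [bracketed]
PAM_UNIX_LINE = re.compile(r"^\s*password\s+(\[[^\]]*\]|\S+)\s+pam_unix\.so\s*(.*)$")


def classify_hash(field):
    """Return (algorithm, strong, usable) for one /etc/shadow password field."""
    if field == "":
        return ("empty", False, True)          # no password at all: anyone can log in
    if field.startswith(("!", "*")):
        return ("locked", True, False)         # password login disabled, nothing to crack
    for prefix, (name, strong) in HASH_IDS.items():
        if field.startswith(prefix):
            return (name, strong, True)
    if len(field) == 13 and "$" not in field:
        return ("descrypt", False, True)       # traditional DES crypt: 8-char limit, trivial to crack
    return ("unknown", False, True)


def audit_shadow(text):
    """List (user, algorithm) for accounts that can log in but still need a password reset."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        user, field = parts[0], parts[1]
        algo, strong, usable = classify_hash(field)
        if usable and not strong:
            findings.append((user, algo))
    return findings


def audit_common_password(text):
    """Return the options found on the pam_unix password line, or None if there is none."""
    for line in text.splitlines():
        m = PAM_UNIX_LINE.match(line)
        if not m:
            continue
        opts = m.group(2).split()
        minlen = next((int(o.split("=", 1)[1]) for o in opts if o.startswith("minlen=")), None)
        return {
            "obscure": "obscure" in opts,
            "strong_hash": any(o in opts for o in ("sha512", "yescrypt")),
            "use_authtok": "use_authtok" in opts,  # reuse the password the previous module checked
            "nullok": "nullok" in opts,            # would let empty passwords authenticate
            "minlen": minlen,
        }
    return None


# Constructed samples (not real system data); the hashes are placeholders.
SAMPLE_COMMON_PASSWORD = """\
password requisite pam_cracklib.so retry=3 minlen=16 difok=3
password [success=1 default=ignore] pam_unix.so obscure minlen=12 sha512 use_authtok
password requisite pam_deny.so
password required pam_permit.so
"""
SAMPLE_WEAK_COMMON_PASSWORD = "password [success=1 default=ignore] pam_unix.so nullok\n"
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
alice:$y$j9T$saltsalt$placeholderhash:19000:0:99999:7:::
bob:$1$saltsalt$placeholderhash:15000:0:99999:7:::
legacy:abJnggxhB/yWI:12000:0:99999:7:::
svc:*:19000:0:99999:7:::
sam:!$6$saltsalt$placeholderhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""


def main(argv):
    pam_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_COMMON_PASSWORD
    shadow_text = open(argv[2]).read() if len(argv) > 2 else SAMPLE_SHADOW
    print("pam_unix options:", audit_common_password(pam_text))
    for user, algo in audit_shadow(shadow_text):
        print(f"reset needed: {user} ({algo})")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as root with `python3 audit.py /etc/pam.d/common-password /etc/shadow` on the live system; with no arguments it runs against the constructed samples and reports bob (md5), legacy (DES) and guest (empty password) as needing a reset, while the locked svc and sam accounts are skipped.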

Install libpam-cracklib

To enforce most of the strong password rules, install libpam-cracklib, which checks new passwords against a dictionary and the length and character-class rules shown below. The dictionary check is only as good as the wordlists installed, so the following command pulls in a set of them together with the module:

$ apt install wbritish-huge wamerican-huge wnorwegian wngerman wswedish wfrench witalian wspanish wcanadian-huge wcatalan miscfiles wgerman-medical wportuguese wukrainian wgalician-minimos wfaroese wpolish wswiss wogerman wesperanto wdutch wdanish wbrazilian wbulgarian libpam-cracklib

Note that Linux-PAM 1.5 dropped pam_cracklib, so libpam-cracklib is no longer available from Debian 12 (bookworm) onwards. There, install libpam-pwquality instead and use pam_pwquality.so in place of pam_cracklib.so; it accepts the same retry, minlen, difok and credit options.

Now verify /etc/pam.d/common-password; it should be configured as follows:

  • IMPORTANT NOTE:
    1. Install libpam-cracklib (or libpam-pwquality) before adding the line: a module that cannot be loaded makes the whole password stack fail, so nobody can change a password until it is fixed.
    2. The example below uses:
      • 3 retry attempts (retry=3)
      • 16 characters minimum (minlen=16)
      • 3 minimum character changes in the new password (difok=3)
      • 1 minimum UPPERCASE character (ucredit=-1)
      • 2 minimum lowercase characters (lcredit=-2)
      • 2 minimum digit characters (dcredit=-2)
      • 2 minimum symbol characters (ocredit=-2)
      Negative credit values are hard minimums that earn nothing towards minlen, so minlen=16 here is a true length; with the module's default positive credits, a shorter password containing all four classes could satisfy it.
password   required     pam_cracklib.so retry=3 minlen=16 difok=3 ucredit=-1 lcredit=-2 dcredit=-2 ocredit=-2
password   [success=1 default=ignore]      pam_unix.so obscure minlen=12 sha512 use_authtok

The option on the pam_unix line is use_authtok: it makes pam_unix store the password that pam_cracklib has just checked instead of prompting for a new one. If it is misspelled (for example use_authok), pam_unix ignores the unknown option, prompts the user again, and stores whatever is typed at that second prompt without any cracklib check, silently bypassing the policy.

VERY IMPORTANT NOTE

The policy is applied only when a password is set or changed; existing hashes keep working for login, because pam_unix verifies whatever hash is stored. Still, have every user reset their password (passwd) once the setup is done so that all hashes use sha512 and meet the policy, and test a fresh login and a password change from a second session before logging out or rebooting, so that a mistake in the stack cannot lock you out and force a trip through recovery mode.
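To see what the credit arguments actually enforce, here is an added example (not the module's code) that reproduces pam_cracklib's minlen/credit arithmetic as documented in pam_cracklib(8), which pam_pwquality shares, together with a simplified difok check; the dictionary, palindrome and repeated-character checks cracklib also performs are left out. GUIDE_POLICY mirrors the line above, DEFAULT_CREDITS is the same minlen with the module's default credit of 1 per class, and the sample passwords are made up:

```python
"""Model pam_cracklib's minlen/credit and difok checks for the policy above.

Added example; not the module's code. It reproduces the credit arithmetic
documented in pam_cracklib(8) (pam_pwquality uses the same rules) and a
simplified difok check. The dictionary, palindrome and repeat checks that
cracklib also performs are not modelled.
"""

# Policy from the common-password line in this guide.
GUIDE_POLICY = dict(minlen=16, difok=3, dcredit=-2, ucredit=-1, lcredit=-2, ocredit=-2)
# pam_cracklib defaults for the credits: each class may earn +1 towards minlen.
DEFAULT_CREDITS = dict(minlen=16, difok=3, dcredit=1, ucredit=1, lcredit=1, ocredit=1)


def class_counts(password):
    """Count (digits, uppers, lowers, others) the way pam_cracklib classifies characters."""
    digits = uppers = lowers = others = 0
    for ch in password:
        if ch.isdigit():
            digits += 1
        elif ch.isupper():
            uppers += 1
        elif ch.islower():
            lowers += 1
        else:
            others += 1
    return digits, uppers, lowers, others


def minlen_satisfied(password, minlen, dcredit, ucredit, lcredit, ocredit):
    """Credit >= 0: up to that many characters of the class count extra towards minlen.
    Credit < 0: the class must appear at least -credit times and earns nothing."""
    required = minlen
    for count, credit in zip(class_counts(password), (dcredit, ucredit, lcredit, ocredit)):
        if credit >= 0:
            required -= min(count, credit)
        elif count < -credit:
            return False
    return len(password) >= required


def difok_satisfied(old, new, difok):
    """Simplified: at least difok characters of the old password must be absent from the new one."""
    if not old:
        return True
    unchanged = sum(1 for ch in old if ch in new)
    return len(old) - unchanged >= difok


def check_password(new, old="", *, minlen, difok, dcredit, ucredit, lcredit, ocredit):
    """Return the list of failed checks; an empty list means the password is accepted."""
    failures = []
    if not minlen_satisfied(new, minlen, dcredit, ucredit, lcredit, ocredit):
        failures.append("minlen")
    if not difok_satisfied(old, new, difok):
        failures.append("difok")
    return failures


if __name__ == "__main__":
    # 12 characters with all four classes: passes with default credits, fails the guide's policy
    short = "Ab1!efghijk2"
    print(short, "defaults:", check_password(short, **DEFAULT_CREDITS),
          "guide:", check_password(short, **GUIDE_POLICY))
    strong = "Correct-Horse7-Battery9!"
    print(strong, "guide:", check_password(strong, **GUIDE_POLICY))
    # changing a single character of the old password is not enough for difok=3
    print("one-char change:", check_password("Correct-Horse7-Battery8!", old=strong, **GUIDE_POLICY))
```

The first sample is the point of the negative credits: with the default credit of 1 per class, four classes knock minlen down from 16 to 12 and a 12-character password is accepted; with the guide's negative credits it is rejected both for length and for having only one symbol.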

Setup 2FA from a List

To enable 2FA, one can install one or more of the following PAM libraries:

  • libpam-google-authenticator - 6 digit time-based OTP
  • libpam-poldi - Authentication using a OpenPGP Smart Card
  • libpam-yubico - Two-factor password and YubiKey OTP PAM module

Then, create the 2FA PAM settings in /etc/pam.d/<2fa>-auth. For example, for Google Authenticator the file is /etc/pam.d/google-auth with the following contents:

#
# /etc/pam.d/google-auth - use of google authenticator
#
# This is to add google authenticator verification as a 2FA
# feature in machine.
#
# nullok is added to ensure users without google authenticator
# setup can also login.
auth    required                        pam_google_authenticator.so nullok

Then, add the 2FA include to the applicable PAM service files after the @include common-auth statement. Remember that nullok above exempts every account that has not yet run google-authenticator, so 2FA is not actually enforced until nullok is removed; drop it once everyone is enrolled. Feasible files are:

  • /etc/pam.d/login
  • /etc/pam.d/sshd
  • /etc/pam.d/lightdm

Here is an example for /etc/pam.d/login:

...
# Standard Un*x authentication.
@include common-auth
@include google-auth
...

Attention: not every display manager supports a second PAM prompt. Check yours before adding the 2FA include to its file, otherwise you cannot log in to the machine; keep a root shell open and test from a second session first.
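What the pam_google_authenticator module verifies is an RFC 6238 TOTP code, and seeing the arithmetic makes the nullok and clock-skew behaviour easier to reason about. The Python below is an added example, not the module's code: it generates and checks 6-digit, 30-second codes from a base32 secret (the format stored on the first line of ~/.google_authenticator), using the RFC 6238 reference secret as sample input, and includes a small verifier whose skew window and replay rule are simplified stand-ins for the module's WINDOW_SIZE and DISALLOW_REUSE settings, not copies of them:

```python
"""What pam_google_authenticator checks: RFC 6238 TOTP over RFC 4226 HOTP.

Added example, not the module's code. It generates and verifies 6-digit
30-second codes from a base32 secret and shows a verifier with a small
clock-skew window and replay protection. The window size and replay rule
are simplifications of the module's WINDOW_SIZE / DISALLOW_REUSE settings.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret ("12345678901234567890") in base32, as an authenticator app stores it
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(text):
    """Decode a base32 secret, tolerating spaces, lower case and missing padding."""
    text = text.replace(" ", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Accept the current code plus `window` steps either side, each step at most once."""

    def __init__(self, secret, window=1, step=30):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code, unix_time):
        now = int(unix_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # replay, or older than a code already used
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def demo_verifier(secret):
    """First use accepted, immediate replay rejected, one step of skew accepted."""
    v = TotpVerifier(secret, window=1)
    return (v.verify(totp(secret, 59), 59),
            v.verify(totp(secret, 59), 59),
            v.verify(totp(secret, 90), 65))


if __name__ == "__main__":
    secret = decode_base32_secret(RFC_TEST_SECRET_B32)
    print("code at T=59:", totp(secret, 59))  # 287082 per RFC 6238 appendix B
    print("code now:", totp(secret, time.time()))
    print("first use, replay, +1 step skew:", demo_verifier(secret))
```

Two things the verifier makes visible: a code is only as secret as the clock is accurate (the skew window is what lets a client a few seconds off still log in, and widening it weakens the factor), and without the replay check an observed code stays valid for the rest of its 30-second step.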

Uninstall Sudo If Unused

One can remove sudo if the system opts for the su model. Before purging it, make sure the root account has a working password: a Debian install where the root password was left blank at installation has a locked root account and relies on sudo for the first user, and removing sudo there leaves no way to become root.

$ apt autoremove --purge sudo -y

To keep scripts that run commands as "$sudo command" working, /etc/profile can export an empty sudo variable when the binary is absent (this is a variable, not an alias). /etc/profile is read by sh, so the test must use POSIX syntax: command -v instead of bash's type -p, and a single = rather than ==:

if [ "$(command -v sudo)" = "" ]; then
        export sudo=""
fi

Add Default PAM Policy

One should add a default policy for PAM-aware applications that have no file of their own in /etc/pam.d/other. The stack below denies every undefined service and logs the attempt via pam_warn. Debian ships the Unix module as a single pam_unix.so (the pam_unix_auth.so, pam_unix_acct.so, pam_unix_passwd.so and pam_unix_session.so names belong to older Linux-PAM builds and are not present); whatever pam_unix returns, the required pam_deny at the end of each stack makes the result a failure, so the policy fails closed:

auth required pam_securetty.so
auth required pam_unix.so
auth required pam_warn.so
auth required pam_deny.so
account required pam_unix.so
account required pam_warn.so
account required pam_deny.so
password required pam_unix.so
password required pam_warn.so
password required pam_deny.so
session required pam_unix.so
session required pam_warn.so
session required pam_deny.so

Control User Group for System-wide and Home Directory

Audit user groups (which groups grant what, and who is in them) and set the user permissions appropriately. Alternatively, install the libpam-chroot package and configure it in /etc/pam.d/ to confine selected users to a chroot.

The same applies to each user's home directory, which should be accessible only by its owner: set DIR_MODE=0700 in /etc/adduser.conf so that new homes are created private, and tighten existing ones with chmod 0700 on each directory under /home.

Purge FTP from System

Purge FTP from the system and replace it with a secured alternative that runs over SSH, such as SFTP or SSHFS:

$ apt autoremove --purge vsftpd -y

Audit Login Policy

Ensure /etc/login.defs has the following. LOG_UNKFAIL_ENAB stays no so that unknown user names, which are frequently mistyped passwords, are not written to the logs. On Debian 11 and later the shipped default ENCRYPT_METHOD YESCRYPT is also acceptable:

FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
ENCRYPT_METHOD SHA512

Create Wheel Group to Restrict Su Access

To restrict who may use su to become root, create a wheel group and apply it in the PAM policy for su:

$ addgroup wheel
$ groupmems -g wheel -a "root" 
$ groupmems -g wheel -a "username" 

Once done, edit /etc/pam.d/su and add the following line above the @include common-auth statement, so that group membership is checked before the root password is even asked for. The debug option only adds syslog noise; drop it once the setup is verified:

auth required pam_wheel.so group=wheel debug

Restrict Where Wheel Members Can Log In (pam_access)

Restrict privileged accounts further in /etc/security/access.conf by uncommenting (or adding) a rule that denies members of wheel from every origin except the local consoles and the origins listed after LOCAL:

-:wheel:ALL EXCEPT LOCAL 2

Then enable the rules by adding "account required pam_access.so" to the relevant service files in /etc/pam.d/ (Debian's /etc/pam.d/login already carries that line commented out); pam_access evaluates the rules top to bottom and the first matching rule wins, with access granted when none matches.
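To see what a rule like the one above actually permits, here is an added example (not pam_access's code) implementing a simplified model of the matching described in access.conf(5): first matching rule wins, no match means allow, LOCAL matches an origin without a dot (tty names), ALL EXCEPT subtracts from a list, and a bare name is tried as a user and then as a group. The rule file and the group table are constructed inline; netgroups and the nodefgroup option are not modelled:

```python
"""Evaluate /etc/security/access.conf style rules (first match wins; no match = allow).

Added example, not pam_access's code: a simplified model of the matching
described in access.conf(5), enough to see what "-:wheel:ALL EXCEPT LOCAL"
does. Group membership comes from a constructed table instead of /etc/group;
NIS netgroups and the nodefgroup option are not modelled.
"""

# Constructed group database (stands in for /etc/group)
GROUPS = {"wheel": {"alice", "root"}, "staff": {"bob"}}

# Constructed rule file: same syntax as /etc/security/access.conf
SAMPLE_ACCESS_CONF = """\
# root only on the first console
+ : root : tty1
- : root : ALL
# wheel members may only log in from local terminals, never over the network
- : wheel : ALL EXCEPT LOCAL
"""


def parse_rules(text):
    """Return (permission, user_tokens, origin_tokens) for each non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def _split_except(tokens):
    """['ALL', 'EXCEPT', 'a', 'b'] -> (['ALL'], ['a', 'b']); otherwise (tokens, [])."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def user_matches(token, user):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return user in GROUPS.get(token[1:-1], set())   # explicit group
    # a bare name matches a user name first, then a group name
    return token == user or user in GROUPS.get(token, set())


def origin_matches(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin            # tty names and unqualified host names
    if token.startswith("."):
        return origin.endswith(token)       # domain suffix, e.g. .example.com
    if token.endswith("."):
        return origin.startswith(token)     # network prefix, e.g. 192.0.2.
    return token == origin


def _list_matches(tokens, value, match):
    positive, excepted = _split_except(tokens)
    return any(match(t, value) for t in positive) and not any(match(t, value) for t in excepted)


def check_access(rules, user, origin):
    """Return '+' or '-' from the first matching rule, or '+' if no rule matches."""
    for perm, users, origins in rules:
        if _list_matches(users, user, user_matches) and _list_matches(origins, origin, origin_matches):
            return perm
    return "+"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_ACCESS_CONF)
    for user, origin in [("root", "tty1"), ("root", "192.0.2.10"), ("alice", "tty2"),
                         ("alice", "192.0.2.10"), ("bob", "192.0.2.10")]:
        print(f"{user:6} from {origin:12} -> {check_access(rules, user, origin)}")
```

With these rules root is accepted only on tty1, alice (a wheel member) is accepted on a console but refused from 192.0.2.10, and bob, who is in no restricted group, is allowed from anywhere because no rule matches him; that last case is why a final catch-all "- : ALL : ALL" is worth adding once every intended origin has an explicit allow rule above it.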

Restrict User Resources and Limitations

Configure per-user and per-group resource limits (processes, open files, memory, CPU time and so on) in /etc/security/limits.conf, and make sure pam_limits.so is present in the session stack of the services you care about (Debian's login and sshd files already list it). Guide: https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#user-limits

Install libpam-tmpdir

Install libpam-tmpdir, which creates a private temporary directory per user under /tmp/user/<uid> at login and points TMPDIR and TMP at it:

$ apt install libpam-tmpdir -y

Ensure /etc/pam.d/common-session has:

session optional pam_tmpdir.so

Disable Root Account Login via PAM

To disable interactive root login, apply the same PAM-based account-login lockout described in Disable User Account Login via PAM to the root account. Keep in mind that this guide removes sudo and makes su the only path to root, so root must still be reachable through su by wheel members: do not lock the root password outright (a locked password also fails pam_unix inside su), and handle the remote side with PermitRootLogin no in /etc/ssh/sshd_config.

That's all for hardening Debian by hardening PAM and user access.