Files
File | Function
---|---
/etc/pam.d/system-auth | Shared PAM stack on RHEL/Fedora-family systems, included (via include/substack) by local services such as login, su and sudo
/etc/pam.d/password-auth | Same role for remote/network services such as sshd
Faillock
Tracks unsuccessful login attempts (pam_faillock) and can lock an account after too many of them.
Check (list the recorded failures per user)
sudo faillock
Unlock user (--reset clears the counter; without it faillock only lists the entries)
sudo faillock --user user --reset
Examples
Limit access to su
su is only allowed for members of the wheel group, and only to the target accounts listed in /etc/security/su-wheel-access.
/etc/pam.d/su
---
# Caller (use_uid) must belong to wheel, otherwise su is denied
auth required pam_wheel.so use_uid group=wheel
# Target account (item=user) must appear in the allow list; deny if the file cannot be read (onerr=fail)
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-wheel-access
File that holds the target accounts users are allowed to su to (one per line)
/etc/security/su-wheel-access
---
root
Disallow usage of system at certain hours
/etc/security/time.conf
---
login ; tty* & !ttyp* ; !root ; !Al0800-2200
Fields (separated by ;):
Field | Value | Meaning
---|---|---
service | login | applies to the login service
tty | tty* & !ttyp* | physical consoles, not pseudo-terminals
users | !root | everybody except "root"
time | !Al0800-2200 | all days (Al), negated: access is denied between 08:00 and 22:00
The rule is only enforced when the service's PAM stack (here /etc/pam.d/login) contains account required pam_time.so.
man time.conf
Password history
/etc/pam.d/password-auth & /etc/pam.d/system-auth
---
password sufficient pam_unix.so [...] remember=14
The last 14 passwords are kept (hashed, in /etc/security/opasswd) and may not be reused.
Configure password retries before error (retry=3: the user gets three attempts to enter a new password that passes the quality checks)
/etc/pam.d/system-auth
---
password requisite pam_pwquality.so [...] retry=3 [...]
Show failed access (showfailed: at login, display the number of failed attempts since the last successful login)
/etc/pam.d/system-auth
---
session required pam_lastlog.so showfailed
Immutable bit, just in case (the files cannot be modified, even by root, until the attribute is removed with chattr -i; remove it before tools such as authselect need to rewrite them)
sudo chattr +i /etc/pam.d/system-auth /etc/pam.d/password-auth
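An added audit script (not part of the original notes) that checks a PAM stack file for the password-history, retry and showfailed settings above and reports which are missing; the check list, function names and the sample stack at the bottom are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original notes: audit a PAM stack file
# (e.g. /etc/pam.d/system-auth) for the settings listed above. The check
# list and the sample file at the bottom are constructed for this demo.

# pam_has FILE MODULE OPTION: succeed if an active line in FILE (comments
# stripped) loads MODULE and carries OPTION; prints the matching line.
pam_has() {
  sed 's/#.*//' "$1" | grep -E "[[:space:]]$2([[:space:]]|\$).*$3"
}

# pam_audit FILE: run each check, print PASS/FAIL per check and return the
# number of failed checks (0 = all settings present).
pam_audit() {
  file=$1 fails=0
  while read -r module option desc; do
    if pam_has "$file" "$module" "$option" >/dev/null; then
      printf 'PASS  %-20s (%s %s)\n' "$desc" "$module" "$option"
    else
      printf 'FAIL  %-20s (%s %s missing)\n' "$desc" "$module" "$option"
      fails=$((fails + 1))
    fi
  done <<EOF
pam_unix.so remember= password history
pam_pwquality.so retry= retry limit
pam_lastlog.so showfailed show failed logins
EOF
  return "$fails"
}

# pam_immutable FILE: succeed if the immutable attribute (chattr +i) is set.
# Needs lsattr from e2fsprogs and a filesystem with attribute support.
pam_immutable() {
  lsattr -d "$1" 2>/dev/null | cut -d' ' -f1 | grep -q i
}

# Demo on a constructed stack: history and retry are set, showfailed is only
# present on a commented-out line, so exactly one check must fail.
demo=$(mktemp)
cat >"$demo" <<'EOF'
auth        required      pam_env.so
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow use_authtok remember=14
# session   required      pam_lastlog.so showfailed
EOF
pam_audit "$demo" || echo "failed checks: $?"
rm -f "$demo"
```

Run it against the real files as root (pam_audit /etc/pam.d/system-auth; pam_immutable /etc/pam.d/system-auth && echo immutable) after applying the settings above.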
Security limits
man limits.conf
Limits are applied by pam_limits.so in the session stack; check the effective limits of the current shell with ulimit -a
/etc/security/limits.conf
---
## Max open files for everybody
* hard nofile 512
## Max number of processes for user "user"
user hard nproc 20
## Max number of simultaneous logins for group "sshusers" ("-" sets both the soft and the hard limit)
@sshusers - maxsyslogins 2