VMware Cloud Community
Dimitar
Contributor

Password history enforcement/acc lockout

Hi,

Guys, does anyone know how to set up password history enforcement, account lockout, min/max password length and maximum password age on our ESX 3.5 Server?

I have vCenter 2.5 with 2x ESX 3.5 Servers and they have been running like a charm for the last 4 months. My manager told me to fix the security as much as I can.

The second question is how to set up a logon warning banner on each ESX Server, for example: "Warning: this system is restricted for use by authorized users only".

Any help is appreciated. Thank you.

3 Replies
Texiwill
Leadership

Hello,

Moved to the Security and Compliance Forum.

Guys, does anyone know how to set up password history enforcement, account lockout, min/max password length and maximum password age on our ESX 3.5 Server?

You will want to use pam_tally.so to lock out accounts after too many bad passwords, and use pam_passwdqc.so for password complexity. Use chage to set min/max passwd length per user, password age and history enforcement. The steps to use these are defined in the DISA STIG SRR ().

The second question is how to set up a logon warning banner on each ESX Server, for example: "Warning: this system is restricted for use by authorized users only".

Depends on where you want to place this; there are several locations. The main one is /etc/issue on the ESX server, but you should have the same on VC and any other access methodology. This is covered in the CIS Security Linux Benchmark as well.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
vmwareluverz
Contributor

You can also consult p. 15 of the Tripwire ConfigCheck guide for more details.

This test verifies that accounts defined in /etc/shadow have a maximum password age that is less than or equal to 90 days. It is a best practice to change passwords frequently and this test checks for the default maximum password age. This setting should be tailored to match the password policy for your environment.

REMEDIATION

To remediate failure of this policy test, set the maximum number of days a password remains valid to less than or equal to 90 days.

Setting the maximum number of days a password remains valid to less than or equal to 90 days:

1. Log in to the Service Console via SSH using a non-privileged account.

2. Use the command su - and enter the root password.

3. Run the chage -M <number_of_days> <username> command, where <number_of_days> is less than or equal to 90 and <username> is the account with the wrong password aging settings.

Note: The instructions above configure the password aging policy for a specific account. Reset the global password aging policy used for new accounts with the esxcfg-auth --passmaxdays=<number_of_days> command.

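The ConfigCheck test above inspects field 5 (maximum password age) of each /etc/shadow entry. The following POSIX sh audit is an added example, not part of the thread or of Tripwire ConfigCheck: it reads shadow-format lines, skips locked accounts (password field starting with ! or *), and reports every usable account whose maximum age is unset or above a limit (90 days by default), so you can see which users still need chage -M. The sample entries are constructed and the hashes are placeholders.

```sh
#!/bin/sh
# Constructed sample in /etc/shadow format (name:hash:lastchg:min:max:warn:inact:expire:).
# The hashes are fake placeholders; only field 5 (max days) matters for this check.
SAMPLE_SHADOW='root:$1$PLACEHOLDER:17000:1:99999:7:::
dimitar:$1$PLACEHOLDER:17000:1:60:7:::
svcacct:$1$PLACEHOLDER:17000:1::7:::
locked:!!:17000:0:99999:7:::'

# audit_max_age SHADOW_TEXT [LIMIT]
# Prints "user:maxdays" (maxdays shown as "none" when field 5 is empty) for each
# account that can log in with a password and whose max age exceeds LIMIT.
# Accounts whose password field starts with ! or * are locked and are skipped.
audit_max_age() {
    limit="${2:-90}"
    printf '%s\n' "$1" | awk -F: -v limit="$limit" '
        $2 ~ /^[!*]/ { next }
        $5 == "" || $5 + 0 > limit + 0 {
            print $1 ":" ($5 == "" ? "none" : $5)
        }
    '
}

# On a real ESX 3.5 Service Console, run as root:  audit_max_age "$(cat /etc/shadow)"
# and fix each reported account with:  chage -M 90 <username>
audit_max_age "$SAMPLE_SHADOW"
```

Expected report for the sample: root (99999 days) and svcacct (no maximum set); dimitar at 60 days and the locked account are not listed.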
Dimitar
Contributor

Thank you guys,

I will follow the instructions and will read all the documentation you referred to in your posts.

Thanks again
