QRadar UI user password policies are discussed in the QRadar Administrator Guide and can be found under the Admin screen under Authentication > Local Password Policy Configuration.
For Red Hat® Linux users who access the command line of the Console and managed hosts, policies can be set there as well. Password policy is done at the discretion of the QRadar system administrators. QRadar support does not have any best practices regarding password policies, although it is recommended to have your users change their password intermittently.
Note: This article is intended as informational content. Creating users and user password policies are not supported by IBM Security QRadar.
This article is a guide for administrators who need to set password policies for command line users.
To set the Password Length requirements, use the authconfig command. The changes are made on the Console itself and are applied to any attached host.
- To require at least one lowercase character in the password, type the command:
authconfig --enablereqlower --update
- To require at least one uppercase character in the password, type the command:
authconfig --enablerequpper --update
- To require at least one digit in the password, type the command:
authconfig --enablereqdigit --update
- To require at least one other (symbol) character in the password, type the command:
authconfig --enablereqother --update
- To verify the password complexity setting after any of the authconfig commands are used, type the command:
egrep "^lcredit|^ucredit|^dcredit|^ocredit" /etc/security/pwquality.conf
Setting a Password expiration date
This procedure sets the password date requirements for a system: the maximum number of days before a password must be changed, the minimum number of days before a password can be changed, and the number of days before a warning is sent out. An administrator needs the appropriate permissions or sudo privileges to make changes to these files.
- Use SSH to log in to the Console.
- If it does not already exist, create a backup directory by typing:
mkdir -p /store/IBM_Support
- Back up the file login.defs by typing the command:
cp -p /etc/login.defs /store/IBM_Support
- Edit the file /etc/login.defs and provide the number of days per your requirement:
- To set the Maximum number of days the password is valid for, type the command:
chage -M <# of days> <username>
- To set the Minimum number of days before a user is allowed to change the password again, type the command:
chage -m <# of days> <username>
- To set the number of days before an expiring password warning appears, type the command:
chage -W <# of days> <username>
- Optional: If more than one existing user needs settings changes, administrators can add those users to a plain text file with one username per line. Then, use a for loop to set the policy manually by typing the following command, where users is the name of that file:
for user in $(cat users); do chage -M 60 -m 1 -W 10 "$user"; done
Deny previously used passwords
This procedure explains how to set a password policy to deny previously used passwords. An administrator needs the appropriate permissions or sudo privileges to make changes to these files.
To configure your system to deny previously used passwords, administrators need to configure /etc/pam.d/system-auth and /etc/pam.d/password-auth.
- Use SSH to log in to the Console.
- Navigate to the directory /etc/pam.d by using the command:
- To back up the files system-auth and password-auth, type:
cp -p system-auth password-auth /store/IBM_Support/
- Use an editor and locate the line:
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
- Use the text editor to update the line:
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=#
Where # is the number of passwords in a user's history to disallow.
After the files system-auth and password-auth are saved, type the command:
authconfig --update
Note: Back up the files /etc/pam.d/system-auth and /etc/pam.d/password-auth. During a patch or update, the authconfig --update command might run and restore the default files in /etc/pam.d.
Results
Password policies for non-UI users are set and configured based on an organization's requirements.
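Because a patch or update can restore the default PAM files, a repeatable check of the settings is useful after each one. The following is an added example, not IBM code: the function names check_remember and check_aging are hypothetical, file paths are passed as arguments, and it assumes the standard shadow field order (minimum, maximum and warning days in fields 4, 5 and 6, as written by chage -m, -M and -W).

```shell
#!/bin/bash
# Added example: post-change audit for the password history and
# password aging settings described in this article.

# check_remember FILE MIN
# Succeeds only if the pam_unix.so "password" line in FILE carries
# remember=N with N >= MIN. A default file has no remember= and fails.
check_remember() {
    awk -v min="$2" '
        $1 == "password" && /pam_unix\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^remember=[0-9]+$/) {
                    split($i, kv, "=")
                    if (kv[2] + 0 >= min) ok = 1
                }
        }
        END { exit(ok ? 0 : 1) }' "$1"
}

# check_aging SHADOW_FILE MAX MIN WARN
# Prints every account with a usable password whose aging fields are
# weaker than the policy: max age missing or above MAX, min age below
# MIN, or warning period below WARN.
check_aging() {
    awk -F: -v max="$2" -v min="$3" -v warn="$4" '
        $2 ~ /^[!*]/ { next }   # locked account or no valid hash
        ($5 == "" || $5 + 0 > max || $4 + 0 < min || $6 + 0 < warn) {
            print $1
        }' "$1"
}

# Typical use as root (the values 5, 60, 1 and 10 are sample policy values):
#   for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
#       check_remember "$f" 5 || echo "remember= missing or too low in $f"
#   done
#   check_aging /etc/shadow 60 1 10
```

Any username printed by check_aging still needs the chage command from the expiration procedure applied to it.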
20 October 2022