IBM Support

QRadar: Creating and Managing User Password Policies in RHEL for non-UI users

How To


Summary

QRadar UI user password policies are discussed in the QRadar Administrator Guide and can be found under the Admin screen under Authentication > Local Password Policy Configuration.

For Red Hat® Linux users who access the command line of the Console and managed hosts, policies can be set there as well. Password policy is set at the discretion of the QRadar system administrators. QRadar support does not have any best practices regarding password policies, although it is recommended to have your users change their password intermittently.

Note: This article is intended as informational content. Creating users and user password policies are not supported by IBM Security QRadar.

Objective

Linux administrators need to know how to configure password settings for command-line users since they are responsible for command-line access to the hosts. Policies are determined by each customer according to their requirements. This article provides basic how-to information to use as a reference.

Environment

Red Hat Enterprise Linux 7.x

Steps

This article is a guide for administrators who need to set password policies for command line users.

To set the password length requirements, use the authconfig command. The changes are made on the Console itself and are applied to any attached host.

Password Complexity:

  • To set at least one lowercase character for password, type the command:
    authconfig --enablereqlower --update
  • To set at least one uppercase character for password, type the command:
    authconfig --enablerequpper --update
  • To set at least one digit for password, type the command:
    authconfig --enablereqdigit --update
  • To set at least one other or symbol character for password, type the command:
    authconfig --enablereqother --update
  • To verify the password complexity setting after any of the authconfig commands are used, type the command:
    egrep "^lcredit|^ucredit|^dcredit|^ocredit" /etc/security/pwquality.conf

Setting a Password expiration date
This procedure sets the password date requirements for a system: the maximum number of days before a password needs to be changed, the minimum number of days before a password can be changed, and the number of days before a warning is sent out. An administrator needs the appropriate permissions or sudo privileges to make changes to these files.

  1. Use SSH to log in to the Console.
  2. If it does not already exist, create a backup directory by typing:
    mkdir -p /store/IBM_Support
  3. Back up the file login.defs by typing the command: 
    cp -p /etc/login.defs /store/IBM_Support
  4. Edit the file /etc/login.defs and provide the number of days per your requirement:
    • PASS_MAX_DAYS
    • PASS_MIN_DAYS
    • PASS_WARN_AGE
  5. To set the Maximum number of days the password is valid for, type the command:
    chage -M <# of days> <username>
  6. To set the Minimum number of days before a user is allowed to change the password again, type the command: 
    chage -m <# of days> <username>
  7. To set the number of days before an expiring password warning appears, type the command:
    chage -W <# of days> <username>
  8. Optional: If more than one existing user needs these settings, administrators can add the usernames to a plain text file (named users in this example) with one username per line. Then use a for loop to set the policy for each user by typing:
    for user in $(cat users); do chage -M 60 -m 1 -W 10 "$user"; done
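The PASS_* values in /etc/login.defs are only used at the time of account creation, which is why steps 5 to 8 use chage for existing accounts. The following added example (not part of the original article; the function names and sample data are constructed) lists accounts whose aging fields in /etc/shadow are weaker than the login.defs policy.

```shell
#!/bin/bash
# Added example: report accounts whose shadow aging fields do not meet the
# PASS_* policy in login.defs. Paths are parameters so copies can be checked.

# Print the value of a login.defs key such as PASS_MAX_DAYS.
defs_value() {  # $1 = login.defs path, $2 = key
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Print "user:field:actual:wanted" for every password account out of policy.
audit_aging() {  # $1 = login.defs path, $2 = shadow path
    max=$(defs_value "$1" PASS_MAX_DAYS)
    min=$(defs_value "$1" PASS_MIN_DAYS)
    warn=$(defs_value "$1" PASS_WARN_AGE)
    awk -F: -v max="$max" -v min="$min" -v warn="$warn" '
        # Skip accounts with no usable password (field 2 empty, or starts with ! or *).
        $2 == "" || $2 ~ /^[!*]/ { next }
        # shadow fields: 4 = minimum days, 5 = maximum days, 6 = warning days
        $5 == "" || $5 + 0 > max + 0  { print $1 ":max:"  $5 ":" max }
        $4 == "" || $4 + 0 < min + 0  { print $1 ":min:"  $4 ":" min }
        $6 == "" || $6 + 0 < warn + 0 { print $1 ":warn:" $6 ":" warn }
    ' "$2"
}

# Constructed sample files: policy 60/1/10, one compliant user, two that are not.
demo_audit() {
    tmp=$(mktemp -d)
    printf 'PASS_MAX_DAYS 60\nPASS_MIN_DAYS 1\nPASS_WARN_AGE 10\n' > "$tmp/login.defs"
    cat > "$tmp/shadow" <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
alice:$6$constructed$hash:19000:1:60:10:::
bob:$6$constructed$hash:19000:1:90:10:::
daemon:*:19000:0:99999:7:::
EOF
    audit_aging "$tmp/login.defs" "$tmp/shadow"
    rm -rf "$tmp"
}

demo_audit
```

On a live host, run `audit_aging /etc/login.defs /etc/shadow` as root, since /etc/shadow is not readable by other users.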
     

Deny previously used passwords

This procedure explains how to set a password policy to deny previously used passwords. An administrator needs the appropriate permissions or sudo privileges to make changes to these files.
 

To configure your system to deny previously used passwords, administrators need to configure /etc/pam.d/system-auth and /etc/pam.d/password-auth.

  1. Use SSH to log in to the Console.
  2. Navigate to the directory /etc/pam.d by using the command:
    cd /etc/pam.d
  3. To back up the files system-auth and password-auth type:
    cp -p system-auth password-auth /store/IBM_Support/
    
  4. Use an editor and locate the line:
    password     sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
  5. Use the text editor to update the line:
    password     sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=#
    Where # is the number of passwords in a user's history to disallow.
  6. After the files system-auth and password-auth are saved, type the command:
    authconfig --update
    Note: Back up the files /etc/pam.d/system-auth and /etc/pam.d/password-auth. During a patch or update the authconfig --update command might run and restore the default files in /etc/pam.d.

Results

Password policies for non-UI users are set and configured based on an organization's requirements.
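
A check for the complexity and history settings configured above, useful after a patch or update may have regenerated the files in /etc/pam.d. This is an added example, not IBM's code; the function names, the required history depth of 5 and the sample files written by demo_policy are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example: report complexity and history settings that are missing or
# were reset. Paths are parameters; demo_policy writes constructed files.

# Print the value of a pwquality.conf key such as lcredit (empty if unset).
pwq_value() {  # $1 = pwquality.conf path, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*/\1/p" "$1" |
        tail -n 1
}

# Print the remember= value on the pam_unix.so password line (empty if absent).
pam_remember() {  # $1 = PAM file path
    awk '$1 == "password" && /pam_unix\.so/ {
             for (i = 3; i <= NF; i++)
                 if ($i ~ /^remember=[0-9]+$/) v = substr($i, 10)
         } END { print v }' "$1"
}

# One finding per line; no output means every setting is in place.
check_policy() {  # $1 = pwquality.conf, $2 = required history depth, $3.. = PAM files
    pwq=$1; want=$2; shift 2
    for key in lcredit ucredit dcredit ocredit; do
        val=$(pwq_value "$pwq" "$key")
        # A negative credit requires at least that many characters of the class.
        [ -n "$val" ] && [ "$val" -lt 0 ] ||
            echo "$key not enforced (value: ${val:-unset})"
    done
    for f in "$@"; do
        r=$(pam_remember "$f")
        [ -n "$r" ] && [ "$r" -ge "$want" ] ||
            echo "${f##*/}: remember=${r:-unset}, want >= $want"
    done
}

# Constructed files: ocredit left commented out, password-auth without remember=.
demo_policy() {
    d=$(mktemp -d)
    printf 'lcredit = -1\nucredit = -1\ndcredit = -1\n# ocredit = 0\n' > "$d/pwquality.conf"
    pam='password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
    printf '%s remember=5\n' "$pam" > "$d/system-auth"
    printf '%s\n' "$pam" > "$d/password-auth"   # as if regenerated with defaults
    check_policy "$d/pwquality.conf" 5 "$d/system-auth" "$d/password-auth"
    rm -rf "$d"
}

demo_policy
```

On a host, the equivalent call is `check_policy /etc/security/pwquality.conf 5 /etc/pam.d/system-auth /etc/pam.d/password-auth`, with 5 replaced by the history depth chosen in step 5.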

Document Location

Worldwide


Document Information

Modified date:
20 October 2022

UID

ibm16573265