[SOLVED] CentOS-6.x equivalent to /etc/security/policy.conf

Support for security such as Firewalls and securing linux
warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Post by warron.french » 2016/02/10 21:09:57

Is there a CentOS/Linux equivalent to the Solaris 10 SPARC file /etc/security/policy.conf?

This file allows the administrator to set many system-specific security specifications.

For example, there is a variable called CRYPT_ALGORITHMS_ALLOW

Here is a real-world example:
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6; where:

1 = BSD MD5
2a = BSD Blowfish
md5 = SUN’s MD5
5 = sha-256, and of course
6 = sha-512

And if you remove 1, 2a, md5 and 5, that would mean that any accounts in /etc/shadow with a $1 or $2a or $5 would not be allowed; only $6 = sha-512 would be allowed for valid password hashes on that system.

Also, in this file, among many other things you can set the CRYPT_DEFAULT variable; and on my server (as of recent changes required) I now have in that file:
CRYPT_DEFAULT=6
Last edited by warron.french on 2016/03/09 22:16:42, edited 1 time in total.
Thanks,
War
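
The allow-list check described in the post above, as an added example that is not part of the original thread: a shell function that lists accounts in a shadow-format file whose hash scheme is outside an allowed set. The function names `audit_shadow_hashes` and `sample_shadow` are hypothetical, and the sample entries are constructed, not real hashes.

```shell
#!/bin/sh
# Added example: report accounts whose password hash scheme is not in an
# allowed set (the condition CRYPT_ALGORITHMS_ALLOW expresses on Solaris).

# audit_shadow_hashes ALLOWED [FILE]
#   ALLOWED: comma-separated crypt ids, e.g. "6" or "5,6"
#   FILE:    shadow-format file (default: stdin)
# Prints "user:scheme" for every non-compliant account.
audit_shadow_hashes() {
    allowed=$1
    shift
    awk -F: -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            hash = $2
            # Locked accounts carry a leading "!" or "!!" before the hash.
            sub(/^!+/, "", hash)
            # Empty, "*" or "x": there is no password hash to evaluate.
            if (hash == "" || hash == "*" || hash == "x") next
            if (substr(hash, 1, 1) == "$") {
                # Modular crypt format: $id$salt$hash
                split(hash, part, "[$]")
                id = part[2]
            } else {
                # No "$id$" prefix: traditional DES crypt.
                id = "des"
            }
            if (!(id in ok)) print $1 ":" id
        }
    ' "$@"
}

# Constructed sample entries (placeholder salts and hashes).
sample_shadow() {
    cat <<'EOF'
root:$6$examplesalt$EXAMPLEHASH:16841:0:99999:7:::
alice:$1$examplesalt$EXAMPLEHASH:16841:0:99999:7:::
bob:!!$5$examplesalt$EXAMPLEHASH:16841:0:99999:7:::
carol:$2a$05$EXAMPLEHASHEXAMPLEHASH:16841:0:99999:7:::
daemon:*:16841:0:99999:7:::
nfs:!!:16841::::::
legacy:abJnggxhB/yJk:16841:0:99999:7:::
EOF
}

# Allow only sha-512, as in the post; lists alice, bob, carol and legacy.
sample_shadow | audit_shadow_hashes 6
```

On a live system the same function would be run as root against /etc/shadow, for example `audit_shadow_hashes 6 /etc/shadow`.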

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: CentOS-6.x equivalent to /etc/security/policy.conf

Post by aks » 2016/02/12 19:20:46

Yes, that offers more. There's not an equivalent that offers all those things.
To set your algorithm for users look in /etc/sysconfig/* (I seem to recall it was something like useradd, but could be wrong). Anyway you set a specific algo., not a range of ("un-connected") algos.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS-6.x equivalent to /etc/security/policy.conf

Post by TrevorH » 2016/02/12 21:56:37

Worth reading man login.defs
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: CentOS-6.x equivalent to /etc/security/policy.conf

Post by warron.french » 2016/02/16 19:40:36

Thanks to you both!
Thanks,
War

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: CentOS-6.x equivalent to /etc/security/policy.conf

Post by warron.french » 2016/02/16 19:43:54

aks, getting back to you immediately, would the file in /etc/sysconfig be authconfig perchance?

TrevorH, I am looking into your suggestion now.
Thanks,
War

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: CentOS-6.x equivalent to /etc/security/policy.conf

Post by warron.french » 2016/02/16 19:46:23

TrevorH, I found the reference in the man page on /etc/login.defs; thank you.

Does anyone know which decides:
1. /etc/login.defs or
2. /etc/sysconfig/authconfig

Does one take a higher precedence over the other?
Thanks,
War

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: CentOS-6.x equivalent to /etc/security/policy.conf

Post by aks » 2016/02/18 18:32:58

I don't really know.
What I can say is this:

The original idea of the sysconfig/* subtree (which systemd is making in-roads to removing) is so that one can make local changes to a file that is not part of the RPM. So when you update a package (an RPM), the files that are included as part of the RPM do not conflict with locally modified items (all files in an RPM are MD5 hashed). So if you modify a file that is part of an RPM, when you update the package, the new file would be named <original_filename>.rpmsave and would not be active. This is to stop RH from overwriting local changes - it's also the reason for the conf.d directories used all over the system.

So I'd guess sysconfig stuff would be more "preferred" - but as I say, I don't know and would have to experiment to find out (which I can't be bothered with doing right now....)

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: CentOS-6.x equivalent to /etc/security/policy.conf

Post by warron.french » 2016/02/19 13:12:31

aks,
thanks for the reply.
Thanks,
War
