Tuesday, February 28, 2012

Enforcing Strong Passwords in Linux

From release 4, Red Hat comes with a PAM module called "pam_cracklib", which we can use to force users to set strong passwords.

Let's say we have to set the password requirements as follows:
Minimum length of password should be 8
Minimum number of lower case letters should be 1
Minimum number of upper case letters should be 2
Minimum number of digits should be 2
Minimum number of other characters should be 1
To set up these password restrictions, edit the /etc/pam.d/system-auth file and add/change the pam_cracklib arguments on the "password requisite" line as shown below:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

Now verify that the new password restrictions are enforced when a normal user sets a new password. To test it, simply log in as a non-root user and change the password using the 'passwd' command. Note that the above requirements are not enforced if you run the 'passwd' command as root.

Settings in tabular form:
Module            Argument      Meaning
pam_cracklib.so   minlen=8      Minimum length of password is 8
pam_cracklib.so   lcredit=-1    Minimum number of lower case letters is 1
pam_cracklib.so   ucredit=-2    Minimum number of upper case letters is 2
pam_cracklib.so   dcredit=-2    Minimum number of digits is 2
pam_cracklib.so   ocredit=-1    Minimum number of other characters is 1
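
The length and character-class rules above, modelled in Python as an added example (not code from the original post or from pam_cracklib itself). It covers only minlen and the four credit options, not the dictionary or other pam_cracklib checks; the defaults and the positive-credit branch go beyond the post's settings and follow the Linux-PAM man page, and the function names are hypothetical.

```python
import string

# The 'password requisite' line from the configuration above.
PAM_LINE = ("password requisite /lib/security/$ISA/pam_cracklib.so "
            "retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1")

# Defaults documented in the Linux-PAM pam_cracklib man page (assumption:
# the installed version uses the same defaults).
DEFAULTS = {"minlen": 9, "lcredit": 1, "ucredit": 1, "dcredit": 1, "ocredit": 1}

CLASSES = {  # option name -> (label, character set); None means "anything else"
    "lcredit": ("lower case letter(s)", string.ascii_lowercase),
    "ucredit": ("upper case letter(s)", string.ascii_uppercase),
    "dcredit": ("digit(s)", string.digits),
    "ocredit": ("other character(s)", None),
}

def parse_cracklib_options(pam_line):
    """Extract minlen and the four *credit options from a pam_cracklib line."""
    fields = pam_line.split()
    if len(fields) < 3 or not fields[2].endswith("pam_cracklib.so"):
        raise ValueError("not a pam_cracklib line")
    opts = dict(DEFAULTS)
    for arg in fields[3:]:
        key, sep, value = arg.partition("=")
        if sep and key in opts:
            opts[key] = int(value)
    return opts

def check_password(password, opts):
    """Return the violated rules; an empty list means the password passes."""
    known = string.ascii_letters + string.digits
    problems = []
    required_len = opts["minlen"]
    for key, (label, charset) in CLASSES.items():
        if charset is None:
            count = sum(c not in known for c in password)
        else:
            count = sum(c in charset for c in password)
        credit = opts[key]
        if credit < 0:      # negative: at least -credit characters are required
            if count < -credit:
                problems.append(f"fewer than {-credit} {label}")
        else:               # positive: each such character, up to 'credit',
            required_len -= min(count, credit)  # lowers the required length
    if len(password) < required_len:
        problems.append(f"shorter than {required_len} characters")
    return problems

if __name__ == "__main__":
    policy = parse_cracklib_options(PAM_LINE)
    for candidate in ("ABcdef12!", "Abcdef12!", "AB1c2!"):  # constructed samples
        print(candidate, check_password(candidate, policy) or "passes")
```

With the post's negative credits, minlen=8 is a plain minimum length; with positive credits the same minlen accepts shorter passwords that mix character classes.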

Friday, February 3, 2012

Commands to get the PCI device information

# lspci
# lspci -v
# kudzu -p
# dmidecode --type 9
# lshw -short  (3rd party utility, package needs to be installed)

Wednesday, February 1, 2012

Steps to handle a Read-Only file-system problem

Try these commands at your own risk!

Let's assume that the file-system mounted on "/data1" has gone into read-only mode and that its device name is "/dev/sda5".
#  mount -o remount,rw /data1   (provided fstab has an entry for the mount point)
If this works, well and good. Otherwise you need to go through the pain of trying the following commands:
#  hdparm -r 0 /dev/sda5        <-- To turn off the Read-only mode.
#  blockdev --setrw /dev/sda5   <-- To set the block (mounted) device to Read-Write mode.
If the above commands didn't fix the problem, then go with the regular fix:
1. Check the processes that are accessing the mount point.
2. Request the process/application owner to stop the processes that are accessing the mount point.
3. Try to un-mount the filesystem (without any option).
4. Mount the file-system back on its mount point.
5. If Step 4 didn't work, run a fsck on the un-mounted file-system (without any option). Otherwise continue with Step 6.
6. Verify the mounted file-system is in Read-Write mode.
In case Step 3 doesn't work:
i)    Check again for processes that are accessing the mount point, ask the application owner to confirm that they stopped the services properly, and ask them to kill any hung sessions.
ii)   Try to unmount again without any option.
iii)  If it still didn’t work, use the lazy option “umount -l” (if this works, continue from Step 4).
iv)   If the lazy option didn’t work, we are in a chaotic situation. Try a forced un-mount by using “umount -f” & continue from Step 4.
v)    After the above step, in case you couldn’t mount the file-system back, the best choice would be to go for a system reboot. (I’m not sure whether, in this situation, a forced mount using ‘mount -f’ will work.)

PS: Please note this procedure will not be applicable for OS file-systems such as /, /var, /opt etc. In that case, a system reboot would be the only solution, if the remount doesn't work.