How to enforce password policies for UNIX users with CA Privileged Identity Manager

Document ID : KB000011510
Last Modified Date : 14/02/2018
Introduction:

With PIM it is possible to enable and enforce password policies for UNIX users.

Question:

How do you enforce password policies for UNIX users with CA Privileged Identity Manager?

Environment:
All Unix
Answer:

With PIM it is possible to enable and enforce password policies for UNIX users the following way:


1. Activate password quality checking and define password rules 

The following selang commands activate password quality checking and define password rules that enforce a minimum of

- Six alphanumeric characters

- Three lowercase characters

- Two numeric characters

> setoptions class+ (PASSWORD)

> setoptions password(rules(alpha("6") lowercase("3") numeric("2")))

See all the other defined password rules with this command:

> so list


2. Replace the native passwd utility with sepass

In a root shell, enter these commands:

# which passwd

# mv /usr/bin/passwd /usr/bin/passwd.original

# ln -s /opt/CA/AccessControl/bin/sepass /usr/bin/passwd


(adjust the specific locations accordingly)

Note: only sepass ensures that the new password matches the CA PIM password policies, and only sepass updates the database with the new password and the date on which it was changed. In addition, sepass performs the same functions as /bin/passwd.
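The `mv` in step 2 is not safe to repeat: run a second time it moves the new symlink over `passwd.original` and the native binary is lost. The following POSIX shell script (an added example, not code from the CA article or from the PIM product) performs the replacement only when the preconditions hold and verifies the result. The default paths are the ones the article uses; the helper names are this example's own, and the demonstration runs in a scratch directory with constructed stand-ins for the two binaries so it needs no PIM installation.

```shell
#!/bin/sh
# Added example (not part of the CA article): replace the native passwd with a
# symlink to sepass only when it is safe, then verify.

# replace_passwd PASSWD SEPASS
# Exit 0 on success; exit 1 (with a reason on stderr) if the replacement would
# be unsafe or a command fails.
replace_passwd() {
    passwd_path=$1
    sepass_path=$2
    backup_path="${passwd_path}.original"

    # Running twice would move the symlink over the backup and lose the
    # native binary, so refuse if the work already looks done.
    if [ -L "$passwd_path" ]; then
        echo "refusing: $passwd_path is already a symlink" >&2
        return 1
    fi
    if [ -e "$backup_path" ]; then
        echo "refusing: backup $backup_path already exists" >&2
        return 1
    fi
    if [ ! -f "$passwd_path" ]; then
        echo "refusing: $passwd_path is not a regular file" >&2
        return 1
    fi
    if [ ! -x "$sepass_path" ]; then
        echo "refusing: $sepass_path is missing or not executable" >&2
        return 1
    fi

    mv "$passwd_path" "$backup_path" || return 1
    ln -s "$sepass_path" "$passwd_path" || return 1
}

# verify_passwd PASSWD SEPASS -> exit 0 only if PASSWD is a symlink to SEPASS
verify_passwd() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# Demonstration on constructed stand-ins in a temporary directory.
# On a real host you would call:
#   replace_passwd /usr/bin/passwd /opt/CA/AccessControl/bin/sepass
demo() {
    tmp=$(mktemp -d) || return 1
    passwd="$tmp/usr/bin/passwd"
    sepass="$tmp/opt/CA/AccessControl/bin/sepass"
    mkdir -p "$tmp/usr/bin" "$tmp/opt/CA/AccessControl/bin" || return 1
    printf '#!/bin/sh\necho native passwd\n' > "$passwd"
    printf '#!/bin/sh\necho sepass\n' > "$sepass"
    chmod 755 "$passwd" "$sepass"

    replace_passwd "$passwd" "$sepass" || return 1
    verify_passwd "$passwd" "$sepass" || return 1
    # A second run must be refused and the backup must still be the native copy.
    if replace_passwd "$passwd" "$sepass" 2>/dev/null; then
        return 1
    fi
    grep -q 'native passwd' "$passwd.original" || return 1
    rm -rf "$tmp"
    return 0
}
```

Keep the rollback in mind as well: removing the symlink and moving `passwd.original` back restores the native utility, after which PIM password policies are no longer enforced at password change.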


3. Shut down PIM and enable automatic calling of segrace in seos.ini

# secons -s

# seini -s pam_seos.call_segrace yes /opt/CA/AccessControl/seos.ini

# seload

(alternatively, you can also edit the relevant token in seos.ini directly)


4. Enable automatic calling of segrace by putting this command in /etc/profile or /etc/profile.CA:

/opt/CA/AccessControl/bin/segrace -d

(this step is necessary, for example, for SSH logins)


5. Test that all is working as expected by creating a test user and forcing a password change upon first login

Create the user in selang:

> nu testuser grace(1) password(password)

Log on to the local host as testuser and confirm that the password policy is enforced.