Appendix B: Sample Files


  1. /etc/security/access.conf

     # Login access control table.
     #
     # When someone logs in, the table is scanned for the first entry that
     # matches the (user, host) combination, or, in case of non-networked
     # logins, the first entry that matches the (user, tty) combination. The
     # permissions field of that table entry determines whether the login will
     # be accepted or refused.
     #
     # Format of the login access control table is three fields separated by a
     # ":" character:
     #
     #       permission : users : origins
     #
     # The first field should be a "+" (access granted) or "-" (access denied)
     # character.
     #
     # The second field should be a list of one or more login names, group
     # names, or ALL (always matches). A pattern of the form user@host is
     # matched when the login name matches the "user" part, and when the
     # "host" part matches the local machine name.
     #
     # The third field should be a list of one or more tty names (for
     # non-networked logins), host names, domain names (begin with "."), host
     # addresses, internet network numbers (end with "."), ALL (always
     # matches) or LOCAL (matches any string that does not contain a "."
     # character).
     #
     # If you run NIS you can use @netgroupname in host or user patterns; this
     # even works for @usergroup@@hostgroup patterns. Weird.
     #
     # The EXCEPT operator makes it possible to write very compact rules.
     #
     # The group file is searched only when a name does not match that of the
     # logged-in user. Both the user's primary group is matched, as well as
     # groups in which users are explicitly listed.
     #
     ##############################################################################
     #
     # Disallow console logins to all but a few accounts.
     #
     #-:ALL EXCEPT wheel shutdown sync:LOCAL
     #
     # Disallow non-local logins to privileged accounts (group wheel).
     #
     #-:wheel:ALL EXCEPT LOCAL .win.tue.nl
     #
     # Some accounts are not allowed to login from anywhere:
     #
     #-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
     #
     # All other accounts are allowed to login from anywhere.
     #
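The comments above describe the rule scan in prose; the following Python evaluator, added here as an illustration and not taken from the book or from pam_access itself, walks a table with the same first-match semantics (EXCEPT, ALL, LOCAL, "."-prefixed domains, "."-suffixed network numbers, group names, user@host) and returns the decision for a (user, origin) pair. The table, the group membership dictionary, the user names and the host name are constructed for the example; real pam_access reads /etc/group and, where configured, NIS, whereas @netgroup tokens here simply never match. When no entry matches, the login is permitted, which is what pam_access does as well.

```python
"""Evaluate pam_access (access.conf) rules for a (user, origin) pair.

Added example, not code from the book: models the first-match scan of
/etc/security/access.conf with EXCEPT, ALL, LOCAL, domain suffixes,
network prefixes, group names and user@host. Group membership is passed
in by the caller instead of being read from /etc/group; NIS netgroups
(@name) are treated as never matching.
"""

# Constructed sample table: the book's three commented-out rules, enabled.
SAMPLE_ACCESS_CONF = """
# Disallow console logins to all but a few accounts.
-:ALL EXCEPT wheel shutdown sync:LOCAL
# Disallow non-local logins to privileged accounts (group wheel).
-:wheel:ALL EXCEPT LOCAL .win.tue.nl
# Some accounts are not allowed to login from anywhere:
-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
"""

# Constructed group membership (user -> groups), standing in for /etc/group.
SAMPLE_GROUPS = {
    "root": {"root", "wheel"},
    "alice": {"users", "wheel"},
    "bob": {"users"},
    "shutdown": {"shutdown"},
}


def parse_access_conf(text):
    """Return a list of (permission, user_tokens, origin_tokens)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("malformed access.conf line: %r" % raw)
        perm, users, origins = fields
        # List members are separated by whitespace or commas.
        rules.append((perm, users.replace(",", " ").split(),
                      origins.replace(",", " ").split()))
    return rules


def list_match(tokens, item, matcher):
    """pam_access list semantics: the first matching token decides, unless
    a token after a following EXCEPT also matches (evaluated recursively)."""
    for i, tok in enumerate(tokens):
        if tok == "EXCEPT":
            return False            # nothing before EXCEPT matched
        if matcher(tok, item):
            rest = tokens[i + 1:]
            if "EXCEPT" in rest:
                exceptions = rest[rest.index("EXCEPT") + 1:]
                return not list_match(exceptions, item, matcher)
            return True
    return False


def from_match(tok, origin):
    """Match an origin: a tty for local logins, a host name/address otherwise."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":
        return "." not in origin
    if tok.startswith("@"):
        return False                # NIS netgroup: not supported here
    if tok == origin:
        return True
    if tok.startswith("."):         # domain name: suffix match
        return origin.endswith(tok)
    if tok.endswith("."):           # network number: prefix match
        return origin.startswith(tok)
    return False


def make_user_matcher(groups, hostname):
    """Build a user matcher closed over a group table and the local host name."""
    def user_match(tok, user):
        if tok == "ALL" or tok == user:
            return True
        if tok.startswith("@"):
            return False            # NIS netgroup: not supported here
        if "@" in tok:              # user@host: both halves must match
            name, host = tok.split("@", 1)
            return user_match(name, user) and from_match(host, hostname)
        # The group file is consulted only when the name is not the user.
        return tok in groups.get(user, set())
    return user_match


def access_permitted(rules, user, origin, groups=SAMPLE_GROUPS,
                     hostname="wsb.win.tue.nl"):
    """The first entry matching (user, origin) decides; no match means access."""
    user_match = make_user_matcher(groups, hostname)
    for perm, users, origins in rules:
        if (list_match(users, user, user_match)
                and list_match(origins, origin, from_match)):
            return perm == "+"
    return True


if __name__ == "__main__":
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    for who, where in [("bob", "tty1"), ("alice", "tty1"),
                       ("alice", "pc.win.tue.nl"), ("alice", "evil.example.com"),
                       ("wsbscaro", "pc.win.tue.nl")]:
        verdict = "allow" if access_permitted(rules, who, where) else "deny"
        print("%-9s from %-17s -> %s" % (who, where, verdict))
```

Note the order dependence: with the first rule enabled, bob is refused on tty1 while alice (group wheel) passes through the EXCEPT clause and then is stopped by the second rule only when she arrives from outside LOCAL and .win.tue.nl. Because pam_access permits anything no entry matches, a table that only lists denials still leaves every unlisted combination open.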
  2. /etc/security/limits.conf

     # /etc/security/limits.conf
     #
     #Each line describes a limit for a user in the form:
     #
     #<domain> <type> <item> <value>
     #
     #Where:
     #<domain> can be:
     #         - a user name
     #         - a group name, with @group syntax
     #         - the wildcard *, for default entry
     #
     #<type> can have the two values:
     #         - "soft" for enforcing the soft limits
     #         - "hard" for enforcing hard limits
     #
     #<item> can be one of the following:
     #         - core - limits the core file size (KB)
     #         - data - max data size (KB)
     #         - fsize - maximum filesize (KB)
     #         - memlock - max locked-in-memory address space (KB)
     #         - nofile - max number of open files
     #         - rss - max resident set size (KB)
     #         - stack - max stack size (KB)
     #         - cpu - max CPU time (MIN)
     #         - nproc - max number of processes
     #         - as - address space limit
     #         - maxlogins - max number of logins for this user
     #         - priority - the priority to run user process with
     #         - locks - max number of file locks the user can hold
     #
     #<domain>           <type>            <item>             <value>
     #
     #*                   soft             core               0
     #*                   hard             rss                10000
     #@student            hard             nproc              20
     #@faculty            soft             nproc              20
     #@faculty            hard             nproc              50
     #ftp                 hard             nproc              0
     #@student            -                maxlogins          4

     # End of file
  3. /etc/security/time.conf

     # this is an example configuration file for the pam_time module. Its syntax
     # was initially based heavily on that of the shadow package (shadow-960129).
     #
     # the syntax of the lines is as follows:
     #
     #       services;ttys;users;times
     #
     # white space is ignored and lines may be extended with '\' (escaped
     # newlines). As should be clear from reading these comments,
     # text following a '#' is ignored to the end of the line.
     #
     # the combination of individual users/terminals etc is a logic list
     # namely individual tokens that are optionally prefixed with '!' (logical
     # not) and separated with '&' (logical and) and '|' (logical or).
     #
     # services
     #       is a logic list of PAM service names that the rule applies to.
     #
     # ttys
     #       is a logic list of terminal names that this rule applies to.
     #
     # users
     #       is a logic list of users to whom this rule applies.
     #
     # NB. For these items the simple wildcard '*' may be used only once.
     #
     # times
     #       the format here is a logic list of day/time-range
     #       entries the days are specified by a sequence of two character
     #       entries, MoTuSa for example is Monday Tuesday and Saturday. Note
     #       that repeated days are unset MoMo = no day, and MoWk = all weekdays
     #       bar Monday. The two character combinations accepted are
     #
     #            Mo Tu We Th Fr Sa Su Wk Wd Al
     #
     #       the last two being week-end days and all 7 days of the week
     #       respectively. As a final example, AlFr means all days except Friday.
     #
     #       each day/time-range can be prefixed with a '!' to indicate "anything
     #       but"
     #
     #       The time-range part is two 24-hour times HHMM separated by a hyphen
     #       indicating the start and finish time (if the finish time is smaller
     #       than the start time it is deemed to apply on the following day).
     #
     # for a rule to be active, ALL of service+ttys+users must be satisfied
     # by the applying process.
     #
     #
     # Here is a simple example: running blank on tty* (any ttyXXX device),
     # the users 'you' and 'me' are denied service all of the time
     #
     #blank;tty* & !ttyp*;you|me;!Al0000-2400
     #
     # Another silly example, user 'root' is denied xsh access
     # from pseudo terminals at the weekend and on mondays.
     #
     #xsh;ttyp*;root;!WdMo0000-2400
     #
     # End of example file.
     #
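The day-toggling rule (MoMo = no day, MoWk = weekdays bar Monday) and the past-midnight wrap are the parts of time.conf that are easiest to get wrong when writing a rule. The following Python evaluator is added here as an illustration; it is not code from the book or from pam_time. It parses the logic lists, the single '*' wildcard and the day/time-range tokens exactly as the comments above describe them, evaluates '&' and '|' strictly left to right (no operator precedence, which is how pam_time's own logic_field works), and refuses a login if any rule matching the service, tty and user has a time list that evaluates false; with no matching rule the login is allowed. The rule table is the two examples from the file plus a third rule and the user names invented for this example; the third rule also exercises the escaped-newline continuation.

```python
"""Evaluate pam_time (time.conf) rules for a login attempt.

Added example, not code from the book: logic lists ('!', '&', '|'), the
single '*' wildcard, day toggling (MoMo = no day) and the past-midnight
wrap. Weekday 0 is Monday, as in datetime.date.weekday().
"""
import re

DAY_SETS = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7)),
}

# Constructed sample: the two examples from time.conf, enabled, plus a third
# rule written for this example (non-root console logins only on weekdays
# between 08:00 and 18:00), split over two lines with an escaped newline.
SAMPLE_TIME_CONF = """
blank;tty* & !ttyp*;you|me;!Al0000-2400
xsh;ttyp*;root;!WdMo0000-2400
login;tty* & \\
      !ttyp*;!root;Wk0800-1800
"""


def parse_time_conf(text):
    """Return a list of (services, ttys, users, times) field strings."""
    rules = []
    joined = text.replace("\\\n", "")          # escaped newlines extend a line
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()    # '#' comments run to end of line
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 4:
            raise ValueError("malformed time.conf line: %r" % raw)
        rules.append(tuple(fields))
    return rules


def is_same(pattern, item):
    """Token match with at most one '*' wildcard ('tty*' matches 'tty1')."""
    if "*" not in pattern:
        return pattern == item
    head, _, tail = pattern.partition("*")
    return (len(item) >= len(head) + len(tail)
            and item.startswith(head) and item.endswith(tail))


def evaluate_logic(field, item, agrees):
    """Apply '!', '&' and '|' over tokens, left to right, whitespace ignored."""
    result, op, negate = False, None, False
    for piece in re.findall(r"[&|!]|[^&|!]+", "".join(field.split())):
        if piece in ("&", "|"):
            op = piece
        elif piece == "!":
            negate = not negate
        else:
            term = negate != agrees(piece, item)   # XOR applies the '!'
            negate = False
            if op is None:
                result = term
            elif op == "&":
                result = result and term
            else:
                result = result or term
    return result


def parse_time_range(spec):
    """'MoWk0800-1800' -> (weekdays, start, end); repeated days toggle off."""
    m = re.fullmatch(r"((?:[A-Z][a-z])*)(\d{4})-(\d{4})", spec)
    if not m:
        raise ValueError("malformed day/time-range: %r" % spec)
    days = set()
    for i in range(0, len(m.group(1)), 2):
        days ^= DAY_SETS[m.group(1)[i:i + 2]]   # XOR: MoMo = no day
    return days, int(m.group(2)), int(m.group(3))


def check_time(spec, when):
    """Is (weekday, HHMM) inside the day/time-range?"""
    weekday, hhmm = when
    days, start, end = parse_time_range(spec)
    if start <= end:
        return weekday in days and start <= hhmm < end
    # Finish time smaller than start time: the range runs into the next day.
    yesterday = (weekday - 1) % 7
    return ((weekday in days and hhmm >= start)
            or (yesterday in days and hhmm < end))


def pam_time_permits(rules, service, tty, user, when):
    """Refuse if any rule matching service/tty/user has a false time list."""
    allowed = True
    for services, ttys, users, times in rules:
        if (evaluate_logic(services, service, is_same)
                and evaluate_logic(ttys, tty, is_same)
                and evaluate_logic(users, user, is_same)):
            allowed = allowed and evaluate_logic(times, when, check_time)
    return allowed


if __name__ == "__main__":
    rules = parse_time_conf(SAMPLE_TIME_CONF)
    print(pam_time_permits(rules, "blank", "tty1", "you", (0, 1200)))   # False
    print(pam_time_permits(rules, "xsh", "ttyp0", "root", (5, 1000)))   # False
    print(pam_time_permits(rules, "xsh", "ttyp0", "root", (1, 1000)))   # True
    print(pam_time_permits(rules, "login", "tty1", "alice", (5, 900)))  # False
```

Because evaluation is left to right, `a|b&c` means `(a|b)&c`, not `a|(b&c)`; keep that in mind when a rule mixes both operators, and check a rule against a few (weekday, HHMM) pairs the way the main block does before relying on it.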
  4. /etc/syslog.conf

     ##############
     # Section 1: For all systems (servers and workstations)
     ##############

     # Log all info or higher messages, except facilities that use their own log
     *.info;authpriv,auth,mail,cron,kern,local7.none             /var/log/messages

     # authpriv is intended for messages related to authorizations
     # (e.g. failed login attempts). auth is deprecated, but included
     # in case some older programs still use it.
     authpriv,auth.*                                             /var/log/secure

     # Send mail messages to a separate file.
     mail.*                                                      /var/log/maillog

     # Send crond and atd messages to a separate file.
     cron.*                                                      /var/log/cron

     # Send kernel messages to a separate file. Note that this will
     # include messages generated by iptables about blocked network traffic.
     kern.*                                                      /var/log/kernel

     # Send boot messages to a separate file
     local7.*                                                    /var/log/boot.log

     # Send emergency messages of any type to all logged in users
     *.emerg                                                     *

     ##############
     # If you have a remote logging host, uncomment the lines corresponding to
     # the types of messages you want to forward to it. Replace the string
     # loghost with the IP address of your central logging server.
     ##############
     #kern.*                    @loghost
     #authpriv,auth.*           @loghost
     #mail.*                    @loghost

     ##############
     # Section 2: For servers only
     ##############

     # If this is an FTP server, uncomment the next line and add ftp to
     # the comma-separated list of facilities sent to the messages file.
     # ftp.*                                                  /var/log/ftp

     # If this is a NEWS server, uncomment the next line and add news to
     # the comma-separated list of facilities sent to the messages file.
     # news.*                                                 /var/log/news

     # If this is a print server, uncomment the next line and add lpr to
     # the comma-separated list of facilities sent to the messages file.
     # lpr.*                                                  /var/log/spooler
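The first selector line above relies on `none` cancelling, for the named facilities, what `*.info` just enabled; any later change to that line (adding ftp, news or lpr as Section 2 asks) has to be checked against every other line to be sure no message is lost or duplicated. The following Python router is added here as an illustration and is not code from the book or from sysklogd: it builds, for each line, the per-facility set of accepted priorities exactly as the selectors are applied in order ('*', `none`, `=` for a single priority, `!` to subtract a priority and everything more severe), then lists every action a message of a given facility and priority would reach. The rule table is the active Section 1 lines plus a forwarding line and an exact-priority line constructed for the example.

```python
"""Route a (facility, priority) message through syslog.conf selectors.

Added example, not code from the book: parses sysklogd-style selector
lines and reports every action a message reaches, so that 'none' and '!'
subtractions can be verified instead of assumed.
"""

PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]

# Constructed sample: the active lines of Section 1, plus a forwarding line
# and an exact-priority selector written for this example.
SAMPLE_SYSLOG_CONF = """
# Log all info or higher messages, except facilities that use their own log
*.info;authpriv,auth,mail,cron,kern,local7.none   /var/log/messages
authpriv,auth.*                                   /var/log/secure
mail.*                                            /var/log/maillog
cron.*                                            /var/log/cron
kern.*                                            /var/log/kernel
local7.*                                          /var/log/boot.log
*.emerg                                           *
kern.*                                            @loghost
*.=crit;kern.!crit                                /var/log/critical
"""


def priority_levels(spec):
    """Translate a priority spec into (subtract?, set of priority indexes).

    'info' means info and more severe, '=info' exactly info, a leading '!'
    turns the operation into a subtraction, and 'none' subtracts everything.
    """
    if spec == "none":
        return True, set(range(len(PRIORITIES)))
    subtract = spec.startswith("!")
    spec = spec[1:] if subtract else spec
    exact = spec.startswith("=")
    spec = spec[1:] if exact else spec
    if spec == "*":
        return subtract, set(range(len(PRIORITIES)))
    idx = PRIORITIES.index(spec)            # ValueError on a misspelt priority
    return subtract, ({idx} if exact else set(range(idx + 1)))


def parse_syslog_conf(text):
    """Return [(table, action)] where table maps facility -> accepted levels."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)         # selectors, whitespace, action
        if len(parts) != 2:
            raise ValueError("selector without action: %r" % raw)
        selectors, action = parts
        table = {f: set() for f in FACILITIES}
        # Selectors on one line apply in order, so a later 'none' or '!'
        # removes what an earlier '*' added for the same facility.
        for selector in selectors.split(";"):
            fac_list, _, pri = selector.rpartition(".")
            subtract, levels = priority_levels(pri)
            facs = FACILITIES if fac_list == "*" else fac_list.split(",")
            for fac in facs:
                if subtract:
                    table[fac] -= levels
                else:
                    table[fac] |= levels
        rules.append((table, action))
    return rules


def route(rules, facility, priority):
    """Every action, in file order, that receives this facility/priority."""
    level = PRIORITIES.index(priority)
    return [action for table, action in rules if level in table[facility]]


if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_SYSLOG_CONF)
    for fac, pri in [("authpriv", "info"), ("daemon", "crit"),
                     ("kern", "crit"), ("daemon", "debug")]:
        print("%s.%s -> %s" % (fac, pri, route(rules, fac, pri) or "(dropped)"))
```

Two results worth noticing: `daemon.debug` reaches no action at all under this configuration (nothing selects debug), and `authpriv.info` reaches only /var/log/secure, which is what the `none` clause is for. Running the router after editing the file is a cheap way to catch a facility that silently stops being logged.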



Securing Linux: A Survival Guide for Linux Security (Version 2.0)
ISBN: 0974372773
Year: 2002
Pages: 39