/etc/security/access.conf
# Login access control table.
#
# NOTE(review): this table is presumably consulted by the PAM access
# module (pam_access) — it has no effect on a service whose PAM stack
# does not include that module; confirm in /etc/pam.d before relying on
# any rule below as an access control.
#
# When someone logs in, the table is scanned for the first entry that
# matches the (user, host) combination, or, in case of non-networked
# logins, the first entry that matches the (user, tty) combination. The
# permissions field of that table entry determines whether the login will
# be accepted or refused.
#
# Because the FIRST matching entry wins, rule order is significant: a
# "+" rule placed above a "-" rule that matches the same (user, origin)
# makes the "-" rule dead. Keep specific denials above broad grants.
#
# Format of the login access control table is three fields separated by a
# ":" character:
#
# permission : users : origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
#
# The second field should be a list of one or more login names, group
# names, or ALL (always matches). A pattern of the form user@host is
# matched when the login name matches the "user" part, and when the
# "host" part matches the local machine name.
#
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
# matches) or LOCAL (matches any string that does not contain a "."
# character).
#
# NOTE(review): a host-name or domain-name origin can only match after
# the client's address has been resolved to a name, so a "-" rule keyed
# on a name is only as trustworthy as that name lookup. For denials,
# prefer host addresses or network numbers (the "end with ." form).
#
# If you run NIS you can use @netgroupname in host or user patterns; this
# even works for @usergroup@@hostgroup patterns. Weird.
#
# The EXCEPT operator makes it possible to write very compact rules.
#
# The group file is searched only when a name does not match that of the
# logged-in user. The user's primary group is matched, as well as
# groups in which the user is explicitly listed.
#
##############################################################################
#
# Disallow console logins to all but a few accounts.
#
#-:ALL EXCEPT wheel shutdown sync:LOCAL
#
# Disallow non-local logins to privileged accounts (group wheel).
#
# NOTE(review): ".win.tue.nl" is the upstream author's example domain;
# replace it (or drop it) before uncommenting, otherwise every host in
# that domain is exempted from the restriction on wheel.
#
#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
#
# Some accounts are not allowed to login from anywhere:
#
#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
#
# All other accounts are allowed to login from anywhere.
#
# NOTE(review): that is, the table is default-allow — a (user, origin)
# pair that matches no entry is accepted. For a default-deny policy,
# list the required "+" rules above and finish the table with
# "-:ALL:ALL" as the last entry.
#
/etc/security/limits.conf
# /etc/security/limits.conf
#
# NOTE(review): these limits are presumably applied by the PAM limits
# module at session setup, so they cover only sessions that pass through
# a PAM stack which includes that module; processes started at boot
# outside such a session are not affected — confirm before relying on a
# limit here as a security control.
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - a user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#
# NOTE(review): upstream documentation for this module states that group
# and wildcard entries are not applied to root — confirm for the
# installed version; do not read a "*" entry as a limit on root.
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
# The soft limit is the value in force, but an unprivileged process may
# raise it again up to the hard limit; only the hard limit is a ceiling
# the user cannot exceed. A limit that must hold for security purposes
# therefore has to be set as "hard".
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open files
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit
#        - maxlogins - max number of logins for this user
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#
# NOTE(review): rss is widely reported as not enforced by modern Linux
# kernels — verify before relying on it.
#
#<domain>      <type>  <item>         <value>
#
# Example entries. Disabling core files matters because a core dump can
# contain whatever the crashing process held in memory (passwords, keys,
# session tokens); note that the example below is only a SOFT limit, so
# the user can re-enable dumps with "ulimit -c" — add a hard "core 0"
# entry as well if dumps must be prevented. The nproc entries are the
# usual defence against a fork bomb exhausting the process table.
#
#*               soft    core            0
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
# NOTE(review): a type of "-" presumably sets both the soft and the hard
# limit; it is not among the documented <type> values above — confirm.
#@student        -       maxlogins       4

# End of file
/etc/security/time.conf
# this is an example configuration file for the pam_time module. Its syntax
# was initially based heavily on that of the shadow package (shadow-960129).
#
# NOTE(review): this file is only consulted when the PAM stack of the
# service names pam_time. A rule here is presumably checked while the
# session is being established and does not terminate a session that is
# already running when its time window closes; rules are also evaluated
# against the local system clock, so anyone able to change that clock can
# move a window. Confirm both points before using time restrictions as a
# security control.
#
# the syntax of the lines is as follows:
#
#       services;ttys;users;times
#
# white space is ignored and lines may be extended by escaping the
# newline with a trailing '\'. As should be clear from reading these
# comments, text following a '#' is ignored to the end of the line.
#
# the combination of individual users/terminals etc is a logic list
# namely individual tokens that are optionally prefixed with '!' (logical
# not) and separated with '&' (logical and) and '|' (logical or).
#
# services
#       is a logic list of PAM service names that the rule applies to.
#
# ttys
#       is a logic list of terminal names that this rule applies to.
#
# users
#       is a logic list of users to whom this rule applies.
#
# NB. For these items the simple wildcard '*' may be used only once.
#
# times
#       the format here is a logic list of day/time-range
#       entries. The days are specified by a sequence of two character
#       entries, MoTuSa for example is Monday Tuesday and Saturday. Note
#       that repeated days are unset: MoMo = no day, and MoWk = all weekdays
#       bar Monday. The two character combinations accepted are
#
#               Mo Tu We Th Fr Sa Su Wk Wd Al
#
#       the last two being week-end days and all 7 days of the week
#       respectively. As a final example, AlFr means all days except Friday.
#
#       each day/time-range can be prefixed with a '!' to indicate "anything
#       but"
#
#       The time-range part is two 24-hour times HHMM separated by a hyphen
#       indicating the start and finish time (if the finish time is smaller
#       than the start time it is deemed to apply on the following day).
#
# for a rule to be active, ALL of service+ttys+users must be satisfied
# by the applying process.
#
#
# Here is a simple example: running blank on tty* (any ttyXXX device),
# the users 'you' and 'me' are denied service all of the time
# (the '|' between the two names is the logical-or separator described
# above; '!Al0000-2400' negates "every day, all day").
#
#blank;tty* & !ttyp*;you|me;!Al0000-2400
#
# Another silly example, user 'root' is denied xsh access
# from pseudo terminals at the weekend and on mondays.
#
#xsh;ttyp*;root;!WdMo0000-2400
#
# End of example file.
#
/etc/syslog.conf
##############
# Section 1: For all systems (servers and workstations)
##############
#
# NOTE(review): the selector and the action on each active line below
# must be separated by whitespace; older syslogd releases accept only a
# TAB there, so verify the separator if this file was retyped or pasted.

# Log all info or higher messages, except facilities that use their own log
# (the ".none" list below is also where a facility must be added when it
# is given its own file in Section 2, or its messages are duplicated here).
*.info;authpriv,auth,mail,cron,kern,local7.none /var/log/messages

# authpriv is intended for messages related to authorizations
# (e.g. failed login attempts). auth is deprecated, but included
# in case some older programs still use it.
# NOTE(review): this file is sensitive — failed-login records carry
# usernames and, with some login programs, a password mistyped into the
# username prompt; keep it readable by root only and make sure log
# rotation preserves old copies long enough for incident investigation.
authpriv,auth.* /var/log/secure

# Send mail messages to a separate file.
mail.* /var/log/maillog

# Send crond and atd messages to a separate file.
cron.* /var/log/cron

# Send kernel messages to a separate file. Note that this will
# include messages generated by iptables about blocked network traffic
# (they are therefore NOT in /var/log/messages, which excludes kern above).
kern.* /var/log/kernel

# Send boot messages to a separate file
local7.* /var/log/boot.log

# Send emergency messages of any type to all logged in users
*.emerg *

##############
# If you have a remote logging host, uncomment the lines corresponding to
# the types of messages you want to forward to it. Replace the string
# loghost with the IP address of your central logging server.
#
# NOTE(review): forwarding the authentication log off-host is worth doing
# — a copy on another machine survives an intruder wiping /var/log/secure
# here. The classic "@host" action presumably sends plain UDP syslog,
# which is cleartext, unauthenticated and unacknowledged, so restrict it
# to a trusted management network (or use a daemon with a TLS transport)
# and do not treat the remote copy as tamper-evident on its own.
##############
#kern.* @loghost
#authpriv,auth.* @loghost
#mail.* @loghost

##############
# Section 2: For servers only
##############

# If this is an FTP server, uncomment the next line and add ftp to
# the comma-separated ".none" list of the /var/log/messages rule in
# Section 1, so the same messages are not also written there.
# ftp.* /var/log/ftp

# If this is a NEWS server, uncomment the next line and add news to
# the same ".none" list.
# news.* /var/log/news

# If this is a print server, uncomment the next line and add lpr to
# the same ".none" list.
# lpr.* /var/log/spooler