AIX and Red Hat /etc/security files

In AIX, /etc/security/user and /etc/security/lastlog are files I use heavily to set expiration and clear failed login attempts. What are the equivalent files in Red Hat?
Fadi SODAH (aka madunix), Chief Information Security Officer, CISA, CISSP, CFR, ICATE, MCSE, CCNA, CCNP and CCIP, commented:
As per the AIX manual:
The file '/etc/security/user' contains extended user attributes, and the file '/etc/security/lastlog' is an ASCII file that contains stanzas with the last login attributes for users.

In AIX you describe and modify user and group management in the following related files, profiles, and set or change the shell environment (/etc/security/user, /etc/security/limits, /etc/security/passwd, /etc/profile/, .profile)

A login process does the validation process:
a.      If login fails, a record is added to /etc/security/failedlogin
b.      If login is successful:
      $HOME/.profile (or .dtprofile for CDE)

How to reset the failed login count:
# chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s pons

It covers a number of parameters, such as account_locked, admin, expires, histexpire, histsize, login, maxage, minage, rlogin, su etc., which are related to user password ageing, account validity, and privileges.

RHEL manages these parameters differently. It keeps different files to achieve the purpose.

1. account_locked (Lock out the account; the user is unable to log in if set to True.)
To lock the account you can use the command "chage".
The chage command with the '-l' option would yield a number of parameters about users, such as:

# chage -l
Usage: chage [options] user

  -d, --lastday LAST_DAY      set last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE      set account expiration date to EXPIRE_DATE
  -h, --help                  display this help message and exit
  -I, --inactive INACTIVE      set password inactive after expiration
                        to INACTIVE
  -l, --list                  show account aging information
  -m, --mindays MIN_DAYS      set minimum number of days before password
                        change to MIN_DAYS
  -M, --maxdays MAX_DAYS      set maximim number of days before password
                        change to MAX_DAYS
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

2. admin (if True, the user has administrative rights.)
To get this information, you need to check the user's uid, gid and sudo abilities. The uid and gid are given by the command 'id <username>', and 'sudo -l' will give the sudo abilities.

3. histexpire (Number of weeks the user can't reuse a password.)
This particular information can be checked and configured using the password policy. To set the password policy, kindly refer to the following article:

4. rlogin: this is an open-ended question; remote access could be ssh, rsh or telnet. By default rsh and telnet are enabled for anyone. To check ssh ability you need to check the /etc/ssh/sshd_config file settings. The parameters of interest are the "AllowUsers" or "AllowGroups" options. By default everyone is allowed.

5. su
By default everyone is allowed to use the 'su' command. You can use PAM to control this.

In Red Hat Enterprise Linux, the command '# last' obtains the information of the last user logged in.

How to set password policy in Red Hat Enterprise Linux 6?

Read more:
Password length and life settings are in /etc/login.defs. Password tries before lockout, complexity requirements, and history can be set in /etc/pam.d/system-auth. You can include pam_tally2 to set the number of failed attempts before lockout, pam_cracklib or pam_passwdqc to require complex passwords, or add "remember=n" to prevent users from reusing passwords.
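
The attribute mapping discussed above, as an added example that is not part of the original answer: it parses an AIX /etc/security/user stanza and emits the RHEL 6 commands that carry the same settings over. The function names and the sample stanza are constructed for illustration; it assumes pam_tally2 is configured in /etc/pam.d/system-auth as described, and it chooses 'usermod -L' for the lock step.

```python
"""Added example: translate an AIX /etc/security/user stanza into RHEL commands."""
import shlex
from datetime import datetime

# Constructed sample stanza in AIX /etc/security/user format (not real data).
SAMPLE = """\
pons:
        account_locked = true
        expires = 0630120025
        maxage = 8
        minage = 1
"""

def parse_stanzas(text):
    """Return {user: {attr: value}} from AIX stanza-format text."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):      # '*' starts a comment line
            continue
        if line.endswith(":") and "=" not in line:
            current = users.setdefault(line[:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return users

def rhel_commands(user, attrs):
    """Map AIX attributes to RHEL commands (AIX ages are weeks, chage wants days)."""
    u, cmds = shlex.quote(user), []
    if attrs.get("account_locked", "false").lower() in ("true", "yes", "always"):
        cmds.append(f"usermod -L {u}")            # password lock, this example's choice
    exp = attrs.get("expires", "0")
    if exp != "0":                                # AIX format MMDDhhmmyy, 0 = never
        day = datetime.strptime(exp, "%m%d%H%M%y").strftime("%Y-%m-%d")
        cmds.append(f"chage -E {day} {u}")
    for aix_attr, flag in (("maxage", "-M"), ("minage", "-m")):
        weeks = int(attrs.get(aix_attr, "0"))
        if weeks > 0:
            cmds.append(f"chage {flag} {weeks * 7} {u}")
    # Counterpart of resetting unsuccessful_login_count when pam_tally2 is in use.
    cmds.append(f"pam_tally2 --user {u} --reset")
    return cmds

if __name__ == "__main__":
    for name, attrs in parse_stanzas(SAMPLE).items():
        if name != "default":                     # 'default' holds system-wide values
            print("\n".join(rhel_commands(name, attrs)))
```

'usermod -L' only locks the password, so key-based SSH logins are still possible unless the account is also expired with 'chage -E'.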