MB_IT

asked on

Centrally manage password complexity & login defs for CentOS 7

Hello Everyone,

I am currently looking for a way to manage password complexity & login defs across 50+ CentOS 7 servers. Our environment is mostly Windows based and none of us are Linux experts, but we know enough to be dangerous. I have an audit requirement that is forcing me to change my password complexity and login defs on these servers to match what we have in GPO for our Windows servers.

I could do this manually, but I would rather find a way to manage these CentOS machines in some centralized way to make it consistent and rule out possible errors when doing it 50+ times. Are there any platforms that would allow me to do that? I have been able to connect a test CentOS server to my AD environment using realmd, but I believe that only allows me to connect using domain creds. I don't believe that enforces anything at the CentOS config level. So, before I start making changes to the two items above, one by one, I wanted to see if anyone knew of a tool or script I could use to make these changes (and possibly audit them) from a central location.

I have done some research, but since I don't know enough about these tools or Linux in general I wanted to get some outside thoughts/advice. Any help would be greatly appreciated!
arnold

Aren't your users who log into the CentOS systems managed through the Windows AD?
No local, non-AD users on the CentOS.
This will ensure password complexity.

Centrally managing credentials is how you can achieve...
MB_IT (ASKER)

Thank you for the reply. We are currently working to migrate these systems over to use Active Directory users, but at the moment we are still using locally generated users because the systems were set up years ago. I am not worried about the users at this point. We have a project in place to resolve that problem, and I am able to connect those CentOS systems using realmd and it works perfectly.

The problem I have is that I have to show that the local CentOS server has a password policy that matches our AD password policy. I can make this change 50+ times across each server, but I figured there might be a better way to do this. My question is how do I centrally manage that for all my CentOS servers so I can be consistent and not have to touch all the servers to make changes if/when they happen or for initial configuration.

So the question is less about the users and more about the specific configuration on each CentOS box in an automated and centralized fashion.
Do you currently use scripts, or a central management tool like Puppet?

Re the password complexity option:
https://kifarunix.com/enforce-password-complexity-policy-on-centos-7-rhel-derivatives/

Often, the default has some complexity.

Look at the passwd man pages.
useradd -D
to see your current default user creation rules.
MB_IT (ASKER)

We don't use anything currently, that is what I am trying to wrap my head around. I think I will move forward with some research into Puppet. This is the 5th time that product has come up in my search for this answer. Appreciate the replies!
/etc/pam
If I'm not mistaken, out of the box it has one password restriction.

What is your timeframe for integrating these CentOS boxes into the AD?
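The two arnold replies above point at the files that actually hold a local CentOS 7 password policy: /etc/security/pwquality.conf (read by pam_pwquality, which is what the linked kifarunix article configures) and /etc/login.defs (password aging defaults that useradd applies to new accounts). The script below is an added example written for this page, not code from the thread or from any project. It applies a policy and audits it, exiting non-zero on drift, so the same file can be pushed to all 50+ hosts over ssh or through Ansible/Puppet and the audit results collected per host. The policy values (minlen=14, minclass=3, maxrepeat=3, PASS_MAX_DAYS=90, PASS_MIN_DAYS=1, PASS_WARN_AGE=14) and the file name pwpolicy.sh are assumptions standing in for whatever the Windows GPO says; ROOT is a knob added here so the script can be tried on a staged copy of /etc first.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): apply and audit a local CentOS 7
# password policy held in /etc/security/pwquality.conf (pam_pwquality) and
# /etc/login.defs (aging defaults for new accounts).
# Usage: pwpolicy.sh apply|audit   Set ROOT=/some/dir to work on a staged copy.
set -eu

ROOT="${ROOT:-}"
TAB=$(printf '\t')

# Assumed values standing in for the Windows GPO: minlen=14 + minclass=3
# approximates "minimum length 14, complexity enabled" (three of four
# character classes); PASS_* approximate max/min password age and the warning.
PWQ_SETTINGS="minlen=14 minclass=3 maxrepeat=3"
LOGINDEFS_SETTINGS="PASS_MAX_DAYS=90 PASS_MIN_DAYS=1 PASS_WARN_AGE=14"

# get_kv FILE KEY: value of the last active (uncommented) KEY line, or empty.
get_kv() {
  local file=$1 key=$2
  grep -E "^[[:space:]]*${key}([[:space:]]|=)" "$file" 2>/dev/null | tail -n 1 \
    | sed -E "s/^[[:space:]]*${key}[[:space:]=]+//; s/[[:space:]]+$//" || true
}

# set_kv FILE KEY VALUE SEP: drop every active KEY line (commented defaults
# such as "# minlen = 8" stay as reference), append KEY<SEP>VALUE, so the file
# ends up with exactly one definition. Writing through cat keeps the file's
# owner and mode, which mv of a temp file would not.
set_kv() {
  local file=$1 key=$2 value=$3 sep=$4 tmp
  mkdir -p "$(dirname "$file")"; touch "$file"
  tmp=$(mktemp)
  grep -Ev "^[[:space:]]*${key}([[:space:]]|=|$)" "$file" > "$tmp" || true
  printf '%s%s%s\n' "$key" "$sep" "$value" >> "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# local_users: interactive local accounts (uid >= UID_MIN, not nobody/nfsnobody).
# login.defs aging only covers accounts created after the change, so existing
# accounts need chage as well.
local_users() {
  local uid_min
  uid_min=$(get_kv "$ROOT/etc/login.defs" UID_MIN)
  awk -F: -v min="${uid_min:-1000}" \
    '$3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }' "$ROOT/etc/passwd"
}

apply_policy() {
  local kv u
  for kv in $PWQ_SETTINGS; do
    set_kv "$ROOT/etc/security/pwquality.conf" "${kv%%=*}" "${kv#*=}" ' = '
  done
  for kv in $LOGINDEFS_SETTINGS; do
    set_kv "$ROOT/etc/login.defs" "${kv%%=*}" "${kv#*=}" "$TAB"
  done
  if [ -z "$ROOT" ]; then   # only touch real accounts on a live host
    for u in $(local_users); do
      chage -M "$(get_kv /etc/login.defs PASS_MAX_DAYS)" \
            -m "$(get_kv /etc/login.defs PASS_MIN_DAYS)" \
            -W "$(get_kv /etc/login.defs PASS_WARN_AGE)" "$u"
    done
  fi
}

# audit_policy: print every setting that differs from the policy and return 1.
# Also confirm pam_pwquality is in the PAM password stack, because
# pwquality.conf does nothing on its own.
audit_policy() {
  local rc=0 kv key want got f
  for kv in $PWQ_SETTINGS; do
    key=${kv%%=*}; want=${kv#*=}
    got=$(get_kv "$ROOT/etc/security/pwquality.conf" "$key")
    [ "$got" = "$want" ] || { printf 'MISMATCH pwquality.conf %s: want %s, got "%s"\n' "$key" "$want" "$got"; rc=1; }
  done
  for kv in $LOGINDEFS_SETTINGS; do
    key=${kv%%=*}; want=${kv#*=}
    got=$(get_kv "$ROOT/etc/login.defs" "$key")
    [ "$got" = "$want" ] || { printf 'MISMATCH login.defs %s: want %s, got "%s"\n' "$key" "$want" "$got"; rc=1; }
  done
  for f in system-auth password-auth; do
    if [ -f "$ROOT/etc/pam.d/$f" ] && \
       ! grep -Eq '^password[[:space:]]+(requisite|required)[[:space:]]+pam_pwquality\.so' "$ROOT/etc/pam.d/$f"; then
      printf 'MISMATCH pam.d/%s: pam_pwquality.so missing from the password stack\n' "$f"; rc=1
    fi
  done
  return $rc
}

if [ $# -gt 0 ]; then
  case "$1" in
    apply) apply_policy ;;
    audit) audit_policy ;;
    *) echo "usage: $0 apply|audit   (set ROOT=/staged/copy to try it on a copy)" >&2; exit 2 ;;
  esac
fi
```

Try it on a copy first (copy /etc/login.defs, /etc/security/pwquality.conf and /etc/pam.d into /tmp/stage/etc, run `ROOT=/tmp/stage ./pwpolicy.sh apply`, diff against the originals), then push it with `ssh root@host bash -s apply < pwpolicy.sh` in a loop over the host list, or as an Ansible/Puppet managed script, and run `audit` the same way to produce the evidence for the auditor. Two caveats worth knowing before claiming parity with the GPO: the stock CentOS 7 pam_pwquality line carries `local_users_only`, so these complexity rules only govern local accounts, and AD accounts coming in through realmd/sssd stay under the AD password policy; and "enforce password history" and "account lockout threshold" are PAM-stack settings (pam_pwhistory and pam_faillock), not anything in these two files, so they need a separate change.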
ASKER CERTIFIED SOLUTION
MB_IT
I would still suggest user management be subordinated to AD.
You would need to add the Services for UNIX; the name might change depending on your server version.
The distinction is whether the AD schema includes the user uid, gid within the AD record versus relying on winbind and similar.
The point deals with whether a user's login on serverA and serverB will have the same uid or not.
With the AD schema change those will be the same by nature.
With other tools that map, the uid/gid might differ and not be consistent.