Translating user security for PCI compliance into configs

by Anna Kennedy — on  ,  ,  , 

As part of our becoming-PCI-compliant project, there are a list of requirements about user security that needed translating from legal-speak into practical actions and ways to implement these actions for our Linux servers. We’re using Debian, your mileage may vary.

“The last 4 passwords must be different”

This is controlled by PAM using the (or module, which ships as default in Debian.

In the config file /etc/pam.d/common-password the line containing “” needs to include “remember-4”, eg:

password requisite obscure use_authtok try_first_pass sha512 remember=4

“Passwords must contain more than 7 characters, and must be a mixture of upper and lowercase letters, and numbers”

Passwords can be tested with the PAM module On debian/ubuntu, this can be installed with

$ apt-get install libpam-cracklib

and this will generate an entry in the config file found at /etc/pam.d/common-password along the lines of

password requisite retry=3 minlen=11 lcredit=1 ucredit=1 dcredit=1 ocredit=1 What we're interested in here is primarily minlen - but it's not exactly the minumum length of the password as you might expect. Rather, it's a total of the number of characters in the password, plus scores from lcredit, ucredit, dcredit and ocredit, where the parameters mean
  • lcredit = maximum credit allowed from required lower-case characters
  • ucredit = number of required upper-case characters
  • dcredit = number of required digits
  • ocredit = number of required other characters (non-alphanumeric)

So, if we have the requirement of 8 or more characters including numbers, and upper and lowercase letters, then we can set lcredit, ucredit, and dcredit all to 1, and require minlen = (8+1+1+1) = 11 to ensure this policy is enforced.

“Passwords must be changed every 45 days”

Aha, an easy one. In /etc/login.defs , set


“Accounts are made inactive 90 days after last login”

Also straightforwards. In /etc/default/useradd , set


“Sessions timeout after 15 mins inactivity”

Within /etc/bash.bashrc, set

export TMOUT=900

“Account locks out for 30 mins after 6 failed login attempts”

For this one, we need to install fail2ban (apt-get install fail2ban), and then create a file at /etc/fail2ban/jail.local which contains the following:

bantime = 1800
maxretry =6
Remember to restart fail2ban after you've made the config change.



Liked this? Share it with