Thursday, 30 January 2014

Translating user security for PCI compliance into configs

As part of our becoming-PCI-compliant project, there is a list of requirements about user security that needed translating from legal-speak into practical actions, and ways to implement those actions on our Linux servers. We're using Debian, your mileage may vary.

"The last 4 passwords must be different"

This is controlled by PAM using the pam_unix module (or an equivalent), which ships by default in Debian. In the config file /etc/pam.d/common-password, the line containing pam_unix.so needs to include remember=4, e.g.
password requisite pam_unix.so obscure use_authtok try_first_pass sha512 remember=4

"Passwords must contain more than 7 characters, and must be a mixture of upper and lowercase letters, and numbers"

Passwords can be tested with the pam_cracklib PAM module.
On Debian/Ubuntu, this can be installed with
# apt-get install libpam-cracklib
and this will generate an entry in the config file found at /etc/pam.d/common-password along the lines of
password requisite pam_cracklib.so retry=3 minlen=11 lcredit=1 ucredit=1 dcredit=1 ocredit=1
What we're interested in here is primarily minlen, but it's not exactly the minimum length of the password as you might expect. Rather, it's the total of the number of characters in the password plus credits from lcredit, ucredit, dcredit and ocredit, where the parameters mean
  • lcredit
    • with a value N >= 0: the maximum credit that lower-case characters can add to the length; with N < 0: the minimum number of lower-case characters that must be present
  • ucredit
    • the same, for upper-case characters
  • dcredit
    • the same, for digits
  • ocredit
    • the same, for other characters (non-alphanumeric)
So, if we have the requirement of 8 or more characters including numbers, and upper and lowercase letters, then we can set lcredit, ucredit, and dcredit all to 1, and require minlen = (8+1+1+1) = 11 to ensure this policy is enforced. Bear in mind that a positive credit rewards a character class rather than requiring it: each credit adds at most 1 to the score, so a 10-character all-lowercase password also scores 11 and is accepted. If a class must be present, give it a negative value (e.g. ucredit=-1) and minlen can then be the real minimum of 8.
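As an added example (not code from the post), here is a scorer that reproduces pam_cracklib's minlen/credit rule, so you can check which passwords the post's settings accept; the STRICT_POLICY alternative with negative credits is my assumption, not something the post configures.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class CracklibPolicy:
    """The pam_cracklib options that feed the minlen calculation."""
    minlen: int
    lcredit: int
    ucredit: int
    dcredit: int
    ocredit: int

def _class_counts(password: str) -> Dict[str, int]:
    lower = sum(c.islower() for c in password)
    upper = sum(c.isupper() for c in password)
    digit = sum(c.isdigit() for c in password)
    return {"lcredit": lower, "ucredit": upper, "dcredit": digit,
            "ocredit": len(password) - lower - upper - digit}

def effective_length(password: str, policy: CracklibPolicy) -> Optional[int]:
    """Length plus class credits, or None if a required class (negative credit) is missing."""
    size = len(password)
    for name, count in _class_counts(password).items():
        credit = getattr(policy, name)
        if credit >= 0:
            size += min(count, credit)   # bonus, capped at the credit value
        elif count < -credit:
            return None                  # class is mandatory and under-represented
    return size

def meets_policy(password: str, policy: CracklibPolicy) -> bool:
    size = effective_length(password, policy)
    return size is not None and size >= policy.minlen

# The post's settings: each class adds at most 1 to the score but none is required.
POST_POLICY = CracklibPolicy(minlen=11, lcredit=1, ucredit=1, dcredit=1, ocredit=1)
# A stricter alternative (an assumption, not from the post): negative credits make
# lower, upper and digit mandatory, so minlen can be the real minimum of 8.
STRICT_POLICY = CracklibPolicy(minlen=8, lcredit=-1, ucredit=-1, dcredit=-1, ocredit=0)
```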

"Passwords must be changed every 45 days"

Aha, an easy one. In /etc/login.defs, set
PASS_MAX_DAYS 45

"Accounts are made inactive 90 days after last login"

Also straightforward. In /etc/default/useradd, set
INACTIVE=90
Note that INACTIVE counts days after the password expires (i.e. after PASS_MAX_DAYS), not days since the last login, and it only applies to accounts created afterwards; existing accounts need chage -I 90.

"Sessions timeout after 15 mins inactivity"

Within /etc/bash.bashrc, set
export TMOUT=900
A user can unset or change this in their own shell unless it is also declared readonly (readonly TMOUT), and it only affects interactive bash sessions.

"Account locks out for 30 mins after 6 failed login attempts"

For this one, we need to install fail2ban (apt-get install fail2ban), and then create a file at /etc/fail2ban/jail.local which contains the following:
[DEFAULT]
bantime = 1800
maxretry = 6
Remember to restart fail2ban after you've made the config change. Bear in mind that fail2ban blocks the offending source IP address in the firewall rather than locking the user account, so it counts failures per address, not per user ID.
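To see what those two settings actually do, here is an added example (not code from the post or from fail2ban) that models the counting over constructed sshd log lines: failures are tallied per source address within findtime, and an address that reaches maxretry is banned for bantime. The matching regex is a simplified stand-in for fail2ban's real sshd filter.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable

# Simplified match for OpenSSH failure lines (the real fail2ban sshd filter is broader).
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"
)

def simulate_bans(lines: Iterable[str], maxretry: int = 6, findtime: int = 600,
                  bantime: int = 1800, year: int = 2014) -> Dict[str, datetime]:
    """Return {source_ip: ban_start} for addresses that reach maxretry failures
    within findtime seconds. Counting is per source address, as fail2ban does."""
    recent: Dict[str, list] = {}
    bans: Dict[str, datetime] = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in bans and ts < bans[ip] + timedelta(seconds=bantime):
            continue  # still banned: the firewall would drop this attempt
        window = [t for t in recent.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts
            recent[ip] = []
    return bans

# Constructed sample log (not from a real host): seven failures from one address in
# under a minute, two from another.
SAMPLE_LOG = [
    f"Jan 30 10:00:{s:02d} srv sshd[1234]: Failed password for root from 198.51.100.7 port 4{s:04d} ssh2"
    for s in range(0, 35, 5)
] + [
    "Jan 30 10:00:20 srv sshd[1235]: Failed password for invalid user bob from 203.0.113.5 port 40000 ssh2",
    "Jan 30 10:01:20 srv sshd[1236]: Failed password for invalid user bob from 203.0.113.5 port 40001 ssh2",
]

def banned_sources(lines=SAMPLE_LOG) -> Dict[str, datetime]:
    """Addresses the post's settings (maxretry=6, bantime=1800) would ban for the sample."""
    return simulate_bans(lines)
```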


Saturday, 11 January 2014

On defensiveness

We've all been there: you spend hours thinking about the best way to solve a problem, days or weeks setting up the basics and getting something functional working, and then at the moment you demo the prototype to your peers, they point out a fatal flaw that you'd somehow overlooked. You're naturally disappointed, having invested time and effort in your project, but you also find yourself angrily fighting your corner, entrenching yourself and not listening. A few hours or days later you have enough distance from the exchange to look at it objectively and concede that they might have a point. So why did you get so defensive?

Defensiveness is a reaction to threat. If you're out for a drive in your car and someone else is acting like a bit of a lunatic, accelerating hard and beeping their horn, you're likely to perceive that as a threat, and will probably modify your own driving behaviour to try and stay safe. But when your colleague criticises your idea, you have a similarly defensive reaction because you perceive the criticism as a threat to your self-image.

Self-image - ego, if you like - is the way we see ourselves, and has a huge influence on our behaviour. Do we think we're smart, accomplished at our job, funny, a good friend, an accomplished musician or a genius programmer? Self-image is so important to us that we will - consciously or unconsciously - seek to protect it even at enormous cost. If you're having a bad day you might be more defensive than usual because adding to your stack of annoyances seems unbearable.

People working in technical areas like computing and science have a natural tendency to like hard facts and best practice. Sometimes there IS a "right way" of doing something, and that makes us feel secure and comfortable. But if there's a grey area we have to start evaluating the pros and cons of each idea, and maybe we'll have to choose a working but imperfect solution. And if the issue starts to incorporate the messy world of real people, then we start having to face the possibility that rather than an either/or diagnosis, and/both might be more appropriate.

And/both means that sometimes conflicting realities can exist and be equally valid. You think that comedian is hilarious, but your friend thinks she's rubbish. You think the cashier was rude to you, but he thinks he was polite and efficient. And when self-image is involved it's even harder to be objective. You think your idea is amazeballs but your colleague points out the problems with it. Now you have to decide what to do with their opinion: do you keep theirs and throw out your idea? Or dismiss theirs and get defensive? Or, do you try and hold both in your mind together, which is uncomfortable at the best of times and nigh on impossible if you feel threatened.

Reacting defensively might mean you come across as uncooperative or arrogant, which tends not to go down terribly well with people. But more than that, defensive behaviour means a missed opportunity. Paraphrasing from [1],
a person may disidentify with or downplay the personal importance of domains in which they are failing to sustain their sense of self-worth, but in doing so they preclude the opportunity for improvement. 
"Work your weaknesses" is easier said than done, but before you can work them you need to acknowledge them. Getting defensive about an issue might not be something you can do anything about in the heat of the moment, but it does provide you with a huge flashing arrow pointing towards a self-belief you might not even realise you have. And then maybe next time, or the time after that, when your colleague shoots a hole in your idea of utter genius, you might be able to agree, use their point to make your creation even better, and then go about your day.

[1] The psychology of self-defense, Sherman and Cohen