The following steps should be taken to increase the security of user accounts on the system.
By default, Red Hat 7.3 requires users to change their password every 99999 days (i.e. never) and sets no minimum limit on how long a password must be kept before changing it. Issue the following command to set limits for all existing users whose ID is greater than 500, the default range for normal user accounts.
[root@localhost]# awk -F: '$3 >= 500 { system("chage -M 180 -m 2 " $1) }' /etc/passwd
Change the following lines in the /etc/login.defs file so newly created user accounts will inherit these values.
PASS_MAX_DAYS 99999 -> PASS_MAX_DAYS 180
PASS_MIN_DAYS 0 -> PASS_MIN_DAYS 2
Several unneeded user accounts are added to the system at the time of installation. For better system security, the number of users in the /etc/passwd file should be as small as required for the system to fulfill its mission. This will make it easier to detect any unauthorized additions of users. Before making any edits, copy the files to backup versions:
[root@localhost]# for file in /etc/{passwd,shadow,group} ; do /bin/cp -p $file $file.orig ; done
Remove accounts for unnecessary users using the following command:
[root@localhost]# for user in uucp operator games gopher ; do /usr/sbin/userdel $user ; done
Remove unnecessary groups using the following command:
[root@localhost]# for group in dip gopher games uucp; do /usr/sbin/groupdel $group ; done
Whenever users or groups are deleted, it is prudent to perform the following verification steps. First, to verify that no mistakes exist that will prevent users from logging in, run the following commands:
[root@localhost]# /usr/sbin/pwck
[root@localhost]# /usr/sbin/grpck
The pwck and grpck commands verify, respectively, that the /etc/passwd and /etc/group files are properly formatted and have valid data in each field. Second, to verify that files previously owned by the deleted users or groups are assigned to the root user, issue the following commands:
[root@localhost]# /usr/bin/find / -nouser -exec /bin/chown root {} \;
[root@localhost]# /usr/bin/find / -nogroup -exec /bin/chgrp root {} \;
Some user accounts are only used by a system service or daemon and never require interactive login. For increased security, the ability to interactively log in should be disabled for these accounts. Issue the following command, which assigns an invalid shell to the accounts (i.e., /dev/null), to make sure they are locked.
[root@localhost]# for user in bin daemon adm ftp sync lp mail news nobody ; do /usr/sbin/usermod -L -s /dev/null $user ; done
Accounts with empty passwords pose a grave security risk to the system because all that is needed to log in to such an account is knowledge of the login name. These accounts can be easily detected by checking to see if the second field of the /etc/shadow file is blank. Issue the following command:
[root@localhost]# awk -F: '($2 == "") { print $1 }' /etc/shadow
If no login names are printed, all is well. If any login names are printed, add a password for the user or lock/delete the account.
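The password aging, service account and empty password checks above can be combined into one read-only audit. This is an added example, not part of the original guide: the function names, the make_sample helper and the sample passwd/shadow entries are constructed for illustration, and "locked" is taken to mean the "!" prefix that usermod -L writes into the password field.

```sh
# Added example: read-only audit of passwd/shadow-format files.
SERVICE_ACCOUNTS="bin daemon adm ftp sync lp mail news nobody"

# Login names whose password field (field 2 of shadow) is empty.
empty_passwords() {   # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with UID >= 500 whose aging is weaker than max 180 / min 2 days.
weak_aging() {        # $1 = passwd file, $2 = shadow file
    awk -F: '
        NR == FNR { if ($3 >= 500) normal[$1] = 1; next }
        ($1 in normal) && ($5 == "" || $5 + 0 > 180 || $4 + 0 < 2) {
            print $1, "max=" $5, "min=" $4
        }' "$1" "$2"
}

# Service accounts whose shell is not /dev/null or whose password is not locked.
unlocked_service_accounts() {   # $1 = passwd file, $2 = shadow file
    for user in $SERVICE_ACCOUNTS; do
        grep -q "^$user:" "$1" || continue        # account not present
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$1")
        pwfield=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$2")
        case "$pwfield" in '!'*) locked=yes ;; *) locked=no ;; esac
        if [ "$shell" != /dev/null ] || [ "$locked" = no ]; then
            echo "$user shell=$shell locked=$locked"
        fi
    done
}

# Constructed sample data so the audit can be tried without touching /etc.
make_sample() {       # $1 = directory to write passwd and shadow into
    cat > "$1/passwd" <<'EOF'
bin:x:1:1:bin:/bin:/dev/null
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
bin:!*:11800:0:99999:7:::
ftp:*:11800:0:99999:7:::
alice:$1$CONSTRUCTED$notarealhash:11800:2:180:7:::
bob::11800:0:99999:7:::
EOF
}

dir=$(mktemp -d) && make_sample "$dir"
empty_passwords "$dir/shadow"; weak_aging "$dir/passwd" "$dir/shadow"
unlocked_service_accounts "$dir/passwd" "$dir/shadow"; rm -rf "$dir"
```

To audit a live system, pass /etc/passwd and /etc/shadow as the file arguments while running as root.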
The umask for a user determines permissions on any new files created by the user. As installed, the umask for normal user accounts (defined as ones where the user name is the same as the group name) with user id greater than 99 is 002 (i.e. rw-rw-r-- for files and rwxrwxr-x for directories). For other users, including the root user, it is 022 (i.e. rw-r--r-- for files and rwxr-xr-x for directories).
For tighter security, the default umask for the root user should not result in creation of group and world readable files and directories. The default umask for normal users should not result in the creation of world readable files. Edit the lines in the /etc/bashrc and /etc/csh.cshrc files:
Change:
umask 022 -> umask 077
umask 002 -> umask 007
Caveat: Some rpm packages assume that the default umask will be 022 for the root user. Changing it to 077, as recommended here, will occasionally result in warning messages during installation or upgrade of these packages.
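The effect of each umask discussed above can be confirmed by creating a file and a directory under it and reading back their modes. This is an added example, not part of the original guide; the function name modes_for_umask is an assumption, and everything is created in a temporary directory that is removed afterwards.

```sh
# Added example: report the modes a new file and directory get under a umask.
modes_for_umask() {   # $1 = umask value, e.g. 077; prints "<file mode> <dir mode>"
    (
        # Subshell, so the caller's own umask is left unchanged.
        umask "$1"
        tmp=$(mktemp -d) || exit 1
        touch "$tmp/newfile"
        mkdir "$tmp/newdir"
        # Characters 2-10 of the ls -ld output are the rwx permission bits.
        f=$(ls -ld "$tmp/newfile" | cut -c2-10)
        d=$(ls -ld "$tmp/newdir" | cut -c2-10)
        rm -rf "$tmp"
        echo "$f $d"
    )
}

# Installed defaults (022, 002) next to the recommended values (077, 007).
for mask in 022 002 077 007; do
    echo "umask $mask -> $(modes_for_umask "$mask")"
done
```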
The Pluggable Authentication Module (PAM) for Linux package enables enforcement of many different types of control over user accounts. Configuration files are located in the /etc/security directory. The configuration file regulating system resource usage is limits.conf and it is discussed in the next section. The configuration file regulating from where authorized user logins may originate is access.conf, and the one regulating at what time of day authorized logins may occur is time.conf. Default versions of the aforementioned three files are included in Appendix B. Each one contains comments that include implementation instructions with usage examples.
To prevent individual users from consuming too many system resources, edit the /etc/security/limits.conf file so that core files will not be created (see note below), individual file sizes are limited to 100 MB, and a user can only have 150 concurrent processes running.
Add the lines:
* hard core 0
* hard fsize 102400
* hard nproc 150
Note: For workstations used for software development, the information contained in core files is very valuable in tracking down bugs in code. Either do not include the line or change the word "hard" to "soft" so developers can manually raise the limit when needed.