2.4 USER ACCOUNT SECURITY


The following steps should be taken to increase the security of user accounts on the system.

2.4.1 Password Aging

By default, Red Hat 7.3 requires users to change their password every 99999 days (i.e. never) and sets no minimum limit on how long a password must be kept before changing it. Issue the following command to set limits for all existing users whose ID is greater than 500, the default range for normal user accounts.

 [root@localhost]# awk -F: '$3 >= 500 { system("chage -M 180 -m 2 " $1) }' /etc/passwd

Change the following lines in the /etc/login.defs so newly created user accounts will inherit these values.

 PASS_MAX_DAYS  99999  ->  PASS_MAX_DAYS  180
 PASS_MIN_DAYS  0      ->  PASS_MIN_DAYS  2

2.4.2 Purging Unnecessary Accounts

Several unneeded user accounts are added to the system at the time of installation. For better system security, the number of users in the /etc/passwd file should be as small as required for the system to fulfill its mission. This will make it easier to detect any unauthorized additions of users. Before making any edits, copy the files to backup versions:

 [root@localhost]# for file in /etc/{passwd,shadow,group} ; do /bin/cp -p $file $file.orig ; done

Remove accounts for unnecessary users using the following command:

 [root@localhost]# for user in uucp operator games gopher ; do /usr/sbin/userdel $user ; done 

Remove unnecessary groups using the following command:

 [root@localhost]# for group in dip gopher games uucp; do /usr/sbin/groupdel $group ; done 

Whenever users or groups are deleted, it is prudent to perform the following verification steps. First, to verify that no mistakes exist that will prevent users from logging in, run the following commands:

 [root@localhost]# /usr/sbin/pwck
 [root@localhost]# /usr/sbin/grpck

The pwck and grpck commands verify, respectively, that the /etc/passwd and /etc/group files are properly formatted and have valid data in each field. Second, to verify that files previously owned by the deleted users or groups are assigned to the root user, issue the following commands:

 [root@localhost]# /usr/bin/find / -nouser -exec /bin/chown root {} \;
 [root@localhost]# /usr/bin/find / -nogroup -exec /bin/chgrp root {} \;

2.4.3 Locking System Accounts

Some user accounts are only used by a system service or daemon and never require interactive login. For increased security, the ability to interactively log in should be disabled for these accounts. Issue the following command, which assigns an invalid shell (i.e., /dev/null) to the accounts, to make sure they are locked.

 [root@localhost]# for user in bin daemon adm ftp sync lp mail news nobody ; do /usr/sbin/usermod -L -s /dev/null $user ; done

2.4.4 Verify No Accounts Have Empty Passwords

Accounts with empty passwords pose a grave security risk to the system because all that is needed to log in to such an account is knowledge of the login name. These accounts can be easily detected by checking to see if the second field of the /etc/shadow file is blank. Issue the following command:

 [root@localhost]# awk -F: '($2 == "") { print $1 }' /etc/shadow

If no login names are printed, all is well. If any login names are printed, add a password for the user or lock/delete the account.
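The checks from sections 2.4.1, 2.4.3 and 2.4.4 can be combined into one read-only audit. The script below is an added example, not part of the original guide; the function names, finding labels and sample account data are constructed for illustration, and it reads only the files it is given.

```shell
#!/bin/sh
# Added example: read-only audit of the settings from 2.4.1, 2.4.3 and 2.4.4.
# audit_accounts PASSWD SHADOW prints one finding per line: "<CHECK> <login>".
audit_accounts() {
    awk -F: -v max=180 -v min=2 '
        # First file (passwd format): remember UID and shell per login name.
        NR == FNR { uid[$1] = $3 + 0; shell[$1] = $7; next }
        !($1 in uid) { next }          # shadow entry without a passwd entry
        # Shadow fields: $2 = password hash, $4 = min days, $5 = max days.
        { normal = (uid[$1] >= 500); service = (uid[$1] > 0 && uid[$1] < 500) }
        $2 == ""                              { print "EMPTY_PASSWORD", $1 }
        normal && ($5 == "" || $5 + 0 > max)  { print "MAX_AGE", $1 }
        normal && $4 + 0 < min                { print "MIN_AGE", $1 }
        # Service accounts: usermod -L puts "!" in front of the hash.
        service && $2 !~ /^[!*]/              { print "NOT_LOCKED", $1 }
        service && shell[$1] !~ /(\/dev\/null|nologin|false)$/ { print "LOGIN_SHELL", $1 }
    ' "$1" "$2"
}

# Constructed sample data, not taken from a real system.
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/dev/null
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:HASH:11800:0:99999:7:::
daemon:!!:11800:0:99999:7:::
ftp:HASH:11800:0:99999:7:::
alice:HASH:11800:2:180:7:::
bob::11800:0:99999:7:::
EOF
}

demo=$(mktemp -d)
make_samples "$demo"
audit_accounts "$demo/passwd" "$demo/shadow"
rm -rf "$demo"
```

On a live system, run `audit_accounts /etc/passwd /etc/shadow` as root; no output means every check passed.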

2.4.5 Tighten default umask

The umask for a user determines permissions on any new files created by the user. As installed, the umask for normal user accounts (defined as ones where the user name is the same as the group name) with user id greater than 99 is 002 (i.e. rw-rw-r-- for files and rwxrwxr-x for directories). For other users, including the root user, it is 022 (i.e. rw-r--r-- for files and rwxr-xr-x for directories).

For tighter security, the default umask for the root user should not result in creation of group and world readable files and directories. The default umask for normal users should not result in the creation of world readable files. Edit the lines in the /etc/bashrc and /etc/csh.cshrc files:

 Change:   umask 022    ->    umask 077
           umask 002    ->    umask 007

Caveat: Some rpm packages assume that the default umask will be 022 for the root user. Changing it to 077, as recommended here, will occasionally result in warning messages during installation or upgrade of these packages.
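To see what each of the four umask values does in practice, the following added example (not part of the original guide; the function name is constructed) creates a file and a directory in a temporary location under a given umask and reports their permissions in the same notation used above.

```shell
#!/bin/sh
# Added example: permissions a new file and directory receive under a umask.
# mode_under UMASK prints "<file-perms> <dir-perms>", e.g. "rw-r--r-- rwxr-xr-x".
# The function body runs in a subshell, so the caller's umask is not changed.
mode_under() (
    umask "$1"
    d=$(mktemp -d)                 # scratch directory, removed at the end
    : > "$d/file"                  # new file: requested mode 666 minus umask bits
    mkdir "$d/dir"                 # new directory: requested mode 777 minus umask bits
    f=$(ls -ld "$d/file" | cut -c2-10)
    r=$(ls -ld "$d/dir"  | cut -c2-10)
    rm -rf "$d"
    echo "$f $r"
)

# Installed defaults (022, 002) next to the recommended values (077, 007).
for m in 022 002 077 007; do
    echo "umask $m -> $(mode_under "$m")"
done
```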

2.4.6 Miscellaneous Account Limits

The Pluggable Authentication Module (PAM) for Linux package enables enforcement of many different types of control over user accounts. Configuration files are located in the /etc/security directory. The configuration file regulating system resource usage is limits.conf and it is discussed in the next section. The configuration file regulating from where authorized user logins may originate is access.conf, and the one regulating at what time of day authorized logins may occur is time.conf. Default versions of the aforementioned three files are included in Appendix B. Each one contains comments that include implementation instructions with usage examples.

2.4.6.1 System Resources Usage (from Bastille)

To prevent individual users from consuming too many system resources, edit the /etc/security/limits.conf file so that core files will not be created (see note below), individual file sizes are limited to 100 MB, and a user can only have 150 concurrent processes running.

Add the lines:

 * hard    core   0
 * hard    fsize  102400
 * hard    nproc  150

Note: For workstations used for software development, the information contained in core files is very valuable in tracking down bugs in code. Either do not include the line or change the word "hard" to "soft" so developers can manually raise the limit when needed.




Securing Linux: A Survival Guide for Linux Security (Version 2.0)
ISBN: 0974372773
EAN: 2147483647
Year: 2002
Pages: 39
