Get the LinuxSecurity news you want faster with RSS
Powered By
Creating New Accounts
Source: Dave Wreski - Posted by Dave Wreski
Planning account creation
You should make sure to provide user accounts with only the minimal requirements for the task they need to do. If you provide your secretary, or another general user, with an account, you might want them to only have access to a word processor or drawing program, but be unable to delete data that is not his or hers.
Several good rules of thumb when allowing other people legitimate access to your Linux machine:
Limit access privileges given to new users.
Be aware when/where they login from, or should be logging in from.
Make sure to remove inactive accounts
The use of the same user-ID on all computers and networks is advisable to ease account maintenance, as well as permit easier analysis of log data (but I'm sure someone will dispute this). However, it's practically essential if using NFS. There are several other protocols that use UIDs for local and remote access as well.
The creation of group user-IDs should be absolutely prohibited. User accounts also provide accountability, and this is not possible with group accounts.
Be sure shadow passwords are enabled. Shadow passwords is a method for storing the actual user's password in a root-owned file that is not readable by normal users, unlike the regular password file. This protects the passwords from being read and cracked using dictionary attacks. Most (if not all) current distributions already use shadow passwords.
Regularly audit user accounts for invalid or unused accounts, expired accounts, etc.
Check for repeated login failures. The files in /var/log are invaluable resource to track potential security problems.
Be sure to enable quotas on machines with many users, to prevent denial of service attacks involving filling disk partitions, or appending exploits to group-writable files.
Disable group accounts, and unused system accounts, such as sys or uucp. These accounts should be locked, and given non-functional shells.
Many local user accounts that are used in security compromises are ones that have not been used in months or years. Since no one is using them they provide the ideal attack vehicle.
Write Comment
Please keep the topic of messages relevant to the subject of the article.
Personal verbal attacks will be deleted.
Please don't use comments to plug your web site.. Such material will be removed.
