5.11 Checking User Accounts and Privileges

Check the system for unlocked user accounts on a regular basis, for example using a command such as the following:

# for u in `cat /etc/passwd | cut -d: -f1 | sort`; do passwd -S $u; done
abrt LK 2012-06-28 0 99999 7 -1 (Password locked.)
adm LK 2011-10-13 0 99999 7 -1 (Alternate authentication scheme in use.)
apache LK 2012-06-28 0 99999 7 -1 (Password locked.)
avahi LK 2012-06-28 0 99999 7 -1 (Password locked.)
avahi-autoipd LK 2012-06-28 0 99999 7 -1 (Password locked.)
bin LK 2011-10-13 0 99999 7 -1 (Alternate authentication scheme in use.)
...

In the output from this command, the second field shows if a user account is locked (LK), does not have a password (NP), or has a valid password (PS). The third field shows the date on which the user last changed their password. The remaining fields show the minimum age, maximum age, warning period, and inactivity period for the password and additional information about the password's status. The unit of time is days.

Use the passwd command to set passwords on any accounts that are not protected.

Use passwd -l to lock unused accounts. Alternatively, use userdel to remove the accounts entirely.

For more information, see the passwd(1) and userdel(8) manual pages.

To specify how users' passwords are aged, edit the following settings in the /etc/login.defs file:

Setting

Description

PASS_MAX_DAYS

Maximum number of days for which a password can be used before it must be changed. The default value is 99,999 days.

PASS_MIN_DAYS

Minimum number of days that is allowed between password changes. The default value is 0 days.

PASS_WARN_AGE

Number of days warning that is given before a password expires. The default value is 7 days.

For more information, see the login.defs(5) manual page.

To change how long a user's account can be inactive before it is locked, use the usermod command. For example, to set the inactivity period to 30 days:

# usermod -f 30 username

To change the default inactivity period for new user accounts, use the useradd command:

# useradd -D -f 30

A value of -1 specifies that user accounts are not locked due to inactivity.

For more information, see the useradd(8) and usermod(8) manual pages.

Verify that no user accounts other than root have a user ID of 0.

# awk -F":" '$3 == 0 { print $1 }' /etc/passwd
root

If you install software that creates a default user account and password, change the vendor's default password immediately. Centralized user authentication using an LDAP implementation such as OpenLDAP can help to simplify user authentication and management tasks, and also reduces the risk arising from unused accounts or accounts without a password.

By default, an Oracle Linux system is configured so that you cannot log in directly as root. You must log in as a named user before using either su or sudo to perform tasks as root. This configuration allows system accounting to trace the original login name of any user who performs a privileged administrative action. If you want to grant certain users authority to be able to perform specific administrative tasks via sudo, use the visudo command to modify the /etc/sudoers file. For example, the following entry grants the user erin the same privileges as root when using sudo, but defines a limited set of privileges to frank so that he can run commands such as chkconfig, service, rpm, and yum:

erin           ALL=(ALL)       ALL
frank          ALL= SERVICES, SOFTWARE

Oracle Linux supports the pluggable authentication modules (PAM) feature, which makes it easier to enforce strong user authentication and password policies, including rules for password complexity, length, age, expiration and the reuse of previous passwords. You can configure PAM to block user access after too many failed login attempts, after normal working hours, or if too many concurrent sessions are opened.

PAM is highly customizable by its use of different modules with customisable parameters. For example, the default password integrity checking module pam_cracklib.so tests password strength. The PAM configuration file (/etc/pam.d/system-auth) contains the following default entries for testing a password's strength:

password  requisite   pam_cracklib.so try_first_pass retry=3 type=
password  sufficient  pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  required    pam_deny.so

The line for pam_cracklib.so defines that a user gets three attempts to choose a good password. From the module's default settings, the password length must a minimum of six characters, of which three characters must be different from the previous password.

The line for pam_unix.so specifies that the module is not to perform password checking (pam_cracklib will already have performed such checks), to use SHA-512 password hashing, to allow access if the existing password is null, and to use the /etc/shadow file.

You can modify the control flags and module parameters to change the checking that is performed when a user changes his or her password, for example:

password  required  pam_cracklib.so retry=3 minlen=8 difok=5 minclass=-1
password  required  pam_unix.so use_authtok sha512 shadow remember=5
password  required  pam_deny.so

The line for pam_cracklib.so defines that a user gets three attempts to choose a good password with a minimum of eight characters, of which five characters must be different from the previous password, and which must contain at least one upper case letter, one lower case letter, one numeric digit, and one non-alphanumeric character.

The line for pam_unix.so specifies that the module is not to perform password checking, to use SHA-512 password hashing, to use the /etc/shadow file, and to save information about the previous five passwords for each user in the /etc/security/opasswd file. As nullok is not specified, a user cannot change his or her password if the existing password is null.

The omission of the try_first_pass keyword means that the user is always asked for their existing password, even if he or she entered it for the same module or for a previous module in the stack.

Alternative modules are available for password checking, such as pam_passwdqc.so.

For more information, see Section 3.5, “Configuring and Using Pluggable Authentication Modules” and the pam_cracklib(8), pam_deny(8), pam_passwdqc(8), and pam_unix(8) manual pages.