The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
Check the system for unlocked user accounts on a regular basis, for example using a command such as the following:
# for u in $(cut -d: -f1 /etc/passwd | sort); do passwd -S "$u"; done
abrt LK 2012-06-28 0 99999 7 -1 (Password locked.)
adm LK 2011-10-13 0 99999 7 -1 (Alternate authentication scheme in use.)
apache LK 2012-06-28 0 99999 7 -1 (Password locked.)
avahi LK 2012-06-28 0 99999 7 -1 (Password locked.)
avahi-autoipd LK 2012-06-28 0 99999 7 -1 (Password locked.)
bin LK 2011-10-13 0 99999 7 -1 (Alternate authentication scheme in use.)
...
In the output from this command, the second field shows whether a user account is locked (LK), does not have a password (NP), or has a valid password (PS). The third field shows the date on which the user last changed their password. The remaining fields show the minimum age, maximum age, warning period, and inactivity period for the password, followed by additional information about the password's status. The unit of time is days.
Use the passwd command to set passwords on any accounts that are not protected.
Use passwd -l to lock unused accounts. Alternatively, use userdel to remove the accounts entirely.
For more information, see the passwd(1) and userdel(8) manual pages.
To specify how users' passwords are aged, edit the following settings in the /etc/login.defs file:

Setting | Description
---|---
 | Maximum number of days for which a password can be used before it must be changed. The default value is 99,999 days.
 | Minimum number of days that is allowed between password changes. The default value is 0 days.
 | Number of days of warning that is given before a password expires. The default value is 7 days.

For more information, see the login.defs(5) manual page.
To change how long a user's account can be inactive before it is locked, use the usermod command. For example, to set the inactivity period to 30 days:
# usermod -f 30 username
To change the default inactivity period for new user accounts, use the useradd command:
# useradd -D -f 30
A value of -1 specifies that user accounts are not locked due to inactivity.
For more information, see the useradd(8) and usermod(8) manual pages.
Verify that no user accounts other than root have a user ID of 0:
# awk -F":" '$3 == 0 { print $1 }' /etc/passwd
root
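The unlocked-account, password-aging and UID 0 checks above, combined into one audit script as an added example that is not part of the Oracle documentation. It reads /etc/passwd and /etc/shadow contents from variables; the sample entries, the user names toor, erin and frank, and the placeholder hashes are constructed, and the functions can be pointed at the real files' contents (reading /etc/shadow requires root).

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: audit passwd/shadow
# contents for unlocked or passwordless accounts, never-expiring
# passwords, and duplicate UID 0 accounts. Sample data is constructed.

# Constructed sample data; the hashes are placeholders, not real hashes.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
erin:x:1000:1000:Erin:/home/erin:/bin/bash
frank:x:1001:1001:Frank:/home/frank:/bin/bash'

SAMPLE_SHADOW='root:$6$PLACEHOLDERHASH:15500:0:99999:7:::
toor:$6$PLACEHOLDERHASH:15500:0:99999:7:::
apache:!!:15500:0:99999:7:::
erin::15500:0:99999:7:::
frank:$6$PLACEHOLDERHASH:15500:0:99999:7:30::'

# Print every account whose UID (field 3) is 0; only root should appear.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Classify each shadow entry the way passwd -S does: LK (hash starts with
# "!" or "*"), NP (empty password field), PS (usable password). Output:
# name, status, maximum age (field 5), inactivity period (field 7, -1
# when unset, meaning the account is never locked for inactivity).
account_status() {
    printf '%s\n' "$1" | awk -F: '{
        if ($2 == "")          st = "NP"
        else if ($2 ~ /^[!*]/) st = "LK"
        else                   st = "PS"
        inact = ($7 == "") ? -1 : $7
        print $1, st, $5, inact
    }'
}

# Accounts that are usable (PS) or passwordless (NP): candidates for
# passwd, passwd -l, or userdel.
unprotected_accounts() {
    account_status "$1" | awk '$2 != "LK" { print $1 ":" $2 }'
}

# Usable accounts still at the 99999-day maximum age, i.e. passwords
# that effectively never expire.
never_expiring() {
    account_status "$1" | awk '$2 == "PS" && $3 >= 99999 { print $1 }'
}
```

On the constructed data, uid0_accounts reports toor alongside root, unprotected_accounts lists erin as NP, and never_expiring lists the three PS accounts.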
If you install software that creates a default user account and password, change the vendor's default password immediately. Centralized user authentication using an LDAP implementation such as OpenLDAP can help to simplify user authentication and management tasks, and also reduces the risk arising from unused accounts or accounts without a password.
By default, an Oracle Linux system is configured so that you cannot log in directly as root. You must log in as a named user before using either su or sudo to perform tasks as root. This configuration allows system accounting to trace the original login name of any user who performs a privileged administrative action. If you want to grant certain users authority to be able to perform specific administrative tasks via sudo, use the visudo command to modify the /etc/sudoers file. For example, the following entries grant the user erin the same privileges as root when using sudo, but define a limited set of privileges for frank so that he can run commands such as chkconfig, service, rpm, and yum:
erin ALL=(ALL) ALL
frank ALL= SERVICES, SOFTWARE