IS3440 Linux Security Unit 3 User Account Management


1 IS3440 Linux Security Unit 3 User Account Management

2 Class Agenda 3/30/16
- Covers Chapter 4
- Learning Objectives
- Quiz 1
- Discussion on Lab Activities. Lab will be performed in class.
- Break Times as per School Regulations.

3 Learning Objective Explain user account management and the principle of least privilege to protect and secure the system and its data.

4 Key Concepts
- Policies for user accounts
- Boundaries for the user, system, and root accounts
- Group accounts for managing the security process
- Pluggable Authentication Modules (PAM)
- Special user privileges for accessing files, including the executable files

5 EXPLORE: CONCEPTS

6 Defining the User Account Policy
Who needs access and why? How long does a user need access? Where will the user access the computer system from? What are the tasks the user needs to perform?

7 Some Security Strategies
- Establishing a user account policy
- Enforcing password policies and mandatory password change on a Linux system and setting expiration dates for temporary users
- Granting special privileges by using the sudo command

8 Best Practices for Account Management
- Create a password policy in the /etc/login.defs file.
- Lock user accounts that will not need access for a long period of time.
- Set account expiration for temporary accounts.
- Remove user and service accounts that are no longer being used.
- Monitor account usage and login attempts.

9 System, Service, and Regular User Accounts
| | System Account | Service Account | Regular Account |
|---|---|---|---|
| Creation | Created when the operating system is installed | Created automatically when installing a service using a package management program | Created by root or an account with privileged access |
| IDs | Users and groups < 100 | Users and groups < 500 | Users and groups > 500 |
| Login directory | Typically set to /sbin/nologin or a system command, such as /sbin/shutdown | Mostly set to /sbin/nologin but may also be set to a typical login shell, such as /bin/bash | Set to /bin/bash |
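
The ranges in this table can be turned into a quick account review. The script below is an added example, not part of the original slides: it classifies passwd-format entries by UID and flags two conditions worth a second look. The file contents, the svc_web, svc_db and toor accounts, and the choice to treat 500 itself as regular are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify passwd entries with the UID ranges from the slide.
# Assumption: 500 itself counts as regular (the slide only says "> 500");
# current distributions start regular users at 1000 (UID_MIN in login.defs).

classify_accounts() {   # $1 = passwd-format file
    awk -F: '
        /^#/ || NF < 7 { next }
        {
            uid = $3 + 0; shell = $7; note = ""
            if (uid < 100)      kind = "system"
            else if (uid < 500) kind = "service"
            else                kind = "regular"
            if (uid == 0 && $1 != "root")
                note = "REVIEW: second UID 0 account"
            else if (kind != "regular" && $1 != "root" && shell ~ /sh$/)
                note = "REVIEW: interactive shell on " kind " account"
            printf "%-8s %-10s %5d %-15s %s\n", kind, $1, uid, shell, note
        }' "$1"
}

# Constructed sample entries, not taken from a real host.
sample_passwd=$(mktemp)
cat > "$sample_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
toor:x:0:0:backup admin:/root:/bin/bash
svc_web:x:120:120:web service:/var/www:/sbin/nologin
svc_db:x:121:121:database service:/var/lib/db:/bin/bash
jdoe:x:500:500:J Doe:/home/jdoe:/bin/bash
EOF
classify_accounts "$sample_passwd"
```

A flagged service account is not automatically wrong, since the table allows a login shell for some services, but each one should have a stated reason.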

10 Password configuration file
- Users were configured in /etc/passwd.
- Groups were configured in /etc/group.
- These are readable text files.
- The shadow password suite was developed: /etc/shadow and /etc/gshadow.
- These are encrypted.

11 EXPLORE: PROCESSES

12 Establishing a User Account Policy
1. Open the /etc/login.defs file.
2. Set the Password Change directive.
3. Set the Warn directive.
4. Set the password minimum length.
5. Enable login failure logging.
6. Enable successful login logging.
7. Enable the su command.
8. Save and exit.

Here are the commands used for this process:

Open the /etc/login.defs file.
    su -c 'vi /etc/login.defs'
Set the Password Change directive.
    PASS_MAX_DAYS 60
Set the Warn directive.
    PASS_WARN_AGE 14
Set the password minimum length.
    PASS_MIN_LEN 8
Enable login failure logging.
    FAILLOG_ENAB yes
Enable successful login logging.
    LOG_OK_LOGINS yes
Enable the su command.
    SYSLOG_SU_ENAB yes
Save and exit.

9/19/2018 (c) ITT Educational Services, Inc.
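
Once the file has been edited, the same policy can be checked mechanically. The script below is an added example, not part of the original slides: it reads a login.defs-style file and reports every directive that is missing or weaker than the values listed above. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a login.defs-style file against the values on the slide.

# Print the value of directive $2 in file $1 (last uncommented occurrence).
get_directive() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# Print one FAIL line per directive that is unset or out of policy;
# the return status is the number of failures (0 = compliant).
audit_login_defs() {
    file=$1
    fails=0
    while read -r key op want; do
        have=$(get_directive "$file" "$key")
        case $op in
            le) [ -n "$have" ] && [ "$have" -le "$want" ] ;;
            ge) [ -n "$have" ] && [ "$have" -ge "$want" ] ;;
            eq) [ "$have" = "$want" ] ;;
        esac || {
            echo "FAIL $key: found '${have:-unset}', policy is $op $want"
            fails=$((fails + 1))
        }
    done <<'EOF'
PASS_MAX_DAYS le 60
PASS_WARN_AGE ge 14
PASS_MIN_LEN ge 8
FAILLOG_ENAB eq yes
LOG_OK_LOGINS eq yes
SYSLOG_SU_ENAB eq yes
EOF
    return "$fails"
}

# Constructed sample file, not taken from a real host.
sample_defs=$(mktemp)
cat > "$sample_defs" <<'EOF'
PASS_MAX_DAYS   99999
PASS_WARN_AGE   7
PASS_MIN_LEN    8
FAILLOG_ENAB    yes
#LOG_OK_LOGINS  yes
SYSLOG_SU_ENAB  yes
EOF
audit_login_defs "$sample_defs" || echo "$? directive(s) out of policy"
```

The aging values in /etc/login.defs apply only to accounts created after the change; existing accounts keep their current settings until they are adjusted with chage.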

13 Managing Password Change and Expiration Dates
The following chage commands are used to enforce password change and expire accounts:

The command to force user "jdoe" to change the password at next login:
    ~]# chage -d 0 jdoe

The command to expire the user account "jane" on May 31, 2011:
    ~]# chage -E "05/31/2011" jane
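
Both commands work by changing fields in /etc/shadow: chage -d 0 sets the third field (last password change) to 0, and chage -E stores the expiry date in the eighth field as days since January 1, 1970 (15125 for May 31, 2011). The script below is an added example, not part of the original slides, that reads shadow-format lines and reports those states; the hashes, the temp1, bob and maryj entries, and the fixed "today" value are constructed for illustration.

```shell
#!/bin/sh
# Added example: read shadow-format lines and report the fields that
# chage -d, chage -E and account locking change.

# $1 = shadow-format file, $2 = "today" as days since 1970-01-01
# (defaults to the current date; pass a fixed value for repeatable output).
account_states() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        /^#/ || NF < 8 { next }
        {
            state = ""
            if ($2 ~ /^!/)   state = state " LOCKED"          # locked password
            if ($3 == "0")   state = state " MUST_CHANGE"     # chage -d 0
            if ($8 != "" && today >= $8 + 0)
                             state = state " ACCOUNT_EXPIRED" # chage -E
            if ($3 + 0 > 0 && $5 != "" && $5 + 0 < 99999 && today > $3 + $5)
                             state = state " PASSWORD_EXPIRED"
            if (state == "") state = " OK"
            print $1 ":" state
        }' "$1"
}

# Constructed sample entries; the hashes are placeholders, not real hashes.
sample_shadow=$(mktemp)
cat > "$sample_shadow" <<'EOF'
jdoe:$6$constructed$placeholder:0:0:60:14:::
jane:$6$constructed$placeholder:15190:0:60:14::15125:
temp1:!$6$constructed$placeholder:15190:0:60:14:::
bob:$6$constructed$placeholder:15000:0:60:14:::
maryj:$6$constructed$placeholder:15190:0:60:14:::
EOF
# 15200 is a fixed "today" later than jane's expiry date (15125).
account_states "$sample_shadow" 15200
```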

14 Using sudo Command
1. As a root user, issue the following command:
    ~]# visudo
2. Enable ALL privileges to user "jdoe" by using the following command:
    jdoe ALL=(ALL) ALL
3. Login as "jdoe" and use the following sudo command:
    ~]# sudo useradd maryj

15 EXPLORE: ROLES

16 Network User Verification Tools
- Network Information Service (NIS)
- Lightweight Directory Access Protocol (LDAP)

NIS: It transmits data, including password hashes, over the network without encryption. Not encrypted and not secured.

17 Lightweight Directory Access Protocol (LDAP).
- LDAP may be the more secure choice.
- Used to authenticate users on Microsoft and Apple operating systems.
- Supports Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption.
- The Linux implementation is known as OpenLDAP.

18 Linux System Administrator
- Creates user accounts
- Enforces user account and password policy
- Establishes user account policy

19 Files with Access Control List (ACL) Permissions
ACL grants special permissions that are not part of the regular file permissions. These files are used to provide a user or group special access to a file or executable without changing the file permissions. Permissions can be granted to a user (u), a group (g), and others (o). Permissions are typically read, write, and execute.

Types of permissions example: A file may have the following permissions:

    -rw-rw---- root.root /etc/secret_file.txt

- The first '-' means this is a file, not a directory.
- The next three characters 'rw-' mean the owner has read and write permissions but cannot execute the file, as denoted by the '-' symbol.
- The next set 'rw-' means the group owner has read and write permissions.
- The next set '---' means others have no permissions at all to the file.
- The next set 'root.root' is the user owner and the group owner, user_owner.group_owner, which is root for the user owner and root for the group owner in this file.

If we have a user who needs permissions to read the secret_file.txt file but does not need to change the file permissions, an ACL can be set to grant permission to a specific user or group to read the file.

Scenario example: The user Jane needs special access to read the mail logs. By default, only the root account can do this. Jane doesn't need any other privileges, so we can assign an ACL privilege for her to read the /var/log/maillog file by using the following command:

    su -c 'setfacl -m u:jane:r /var/log/maillog'

- setfacl is the command to configure ACL permissions.
- The -m switch is to 'modify'.
- 'u:jane' specifies user Jane. If this was a group, we would use g:group_name.
- ':r' specifies 'read' permissions.
- /var/log/maillog is the file path we are granting permissions on for Jane.

To verify the permissions are granted to user Jane, use the following command:

    getfacl /var/log/maillog

20 EXPLORE: CONTEXTS

21 Group Account
Groups provide a way to better manage accounts in the following ways:
- Permissions can be given to a group rather than individuals.
- Employees can be added or deleted from predefined groups.
- Groups improve the maintainability of user accounts.

For example, 500 plus users in a finance department needing special privileges to accounting files can be managed in groups.

22 EXPLORE: RATIONALE

23 Pluggable Authentication Modules
PAM is used primarily to regulate access to administrative tools and commands. It works as an additional layer of security for users. You can further configure a PAM configuration file to limit access to certain services or commands to specified users.

24 Using PAM
An application can use its own authentication file in the /etc/pam.d directory. PAM can be used to:
- Allow access to a specific application only during certain times of the day
- Deny user logins based on files and restrict the use of the su command to only certain groups or users
- Disconnect a user after 'x' number of login attempts

25 PolicyKit can provide one more layer of protection
- PolicyKit is a method for customizing access for regular users, focused on GUI tools.
- PolicyKit assumes privileged tools are associated with two distinct processes: policies and mechanisms.

26 Summary
In this presentation, the following concepts were covered:
- System, service, and regular user accounts, group accounts, and user account policy
- Best practices for account management
- Process of establishing a user account policy, managing password change, and using the sudo command
- Files with ACL permissions and the roles and responsibilities of a Linux system administrator
- Use of PAM

27 Lab 3.2-Apply Hardened User Account Management & Security Controls
Discussions and Lab

