Thursday 30 July 2015

Managing Users and Authentication

When it comes to user and authentication security, Linux admins often overlook details that open a large security hole. Check the system regularly for unused and unlocked user accounts, and set passwords on any accounts that are not protected. Make sure that no non-root user account has a user ID of 0.

When you install software such as Oracle products, or any other software that creates a default user account and password, change the vendor's default password immediately. A centralized user authentication method (such as OpenLDAP or another LDAP implementation) can simplify user authentication and management tasks, which can help lower the risk of leaving behind unused accounts or accounts with null passwords.

To tell exactly who has performed a privileged administrative action, set up the system so that it is not possible to log in directly as root. Instead, every administrator should first log in as a named user and then use the su or sudo command to perform tasks as root. To prevent direct root logins, edit the /etc/passwd file and change root's shell from /bin/bash to /sbin/nologin. Then modify the /etc/sudoers file using visudo to grant specific users the authority to perform administrative tasks.
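The checks described above (UID 0 accounts other than root, accounts with a null password, and root's login shell) can be scripted so they run on a schedule rather than being done by hand. The script below is an added example and is not part of the original post; the two sample files it builds are constructed for the demonstration, and on a real host the same functions would be pointed at /etc/passwd and /etc/shadow (readable only by root).

```sh
#!/bin/sh
# Added example, not from the original post. Audits a passwd-format and a
# shadow-format file for: non-root accounts with UID 0, accounts with an
# empty (null) password field, a root entry whose shell still allows direct
# login, and unlocked accounts with an interactive shell to review.
# The sample files are constructed for this demo; on a real system pass
# /etc/passwd and /etc/shadow instead.

SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT

# Constructed passwd data: a vendor account and a second UID-0 account.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice Admin:/home/alice:/bin/bash
oracle:x:1001:1001:Oracle software owner:/home/oracle:/bin/bash
sysadm:x:0:0:second uid 0 account:/root:/bin/bash
EOF

# Constructed shadow data: "oracle" has an empty password field, "bin" is
# locked ("*"), the others carry placeholder hashes (not real ones).
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholder$hash:16000:0:99999:7:::
bin:*:16000:0:99999:7:::
alice:$6$placeholder$hash:16000:0:99999:7:::
oracle::16000:0:99999:7:::
sysadm:$6$placeholder$hash:16000:0:99999:7:::
EOF

# Names of accounts whose UID (field 3) is 0 but whose name is not root.
find_uid0_non_root() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Names of accounts whose password field (field 2) is empty. A "*" or a
# leading "!" there means the account is locked, which is what an unused
# account should look like; an empty field means no password at all.
find_null_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts that are not locked and still have an interactive shell: the
# candidates to review for "unused but unlocked". Arguments: passwd, shadow.
find_unlocked_interactive() {
    awk -F: 'NR == FNR { locked[$1] = ($2 == "*" || $2 ~ /^!/); next }
             $7 !~ /(nologin|false)$/ && !locked[$1] { print $1 }' "$2" "$1"
}

# Login shell recorded for root (field 7).
root_shell() {
    awk -F: '$1 == "root" { print $7 }' "$1"
}

# Full report; returns 1 if anything needs attention, so a cron job can
# act on the exit status. Arguments: passwd file, shadow file.
audit_accounts() {
    passwd_file=$1
    shadow_file=$2
    problems=0
    for u in $(find_uid0_non_root "$passwd_file"); do
        echo "FINDING: non-root account '$u' has UID 0"
        problems=$((problems + 1))
    done
    for u in $(find_null_passwords "$shadow_file"); do
        echo "FINDING: account '$u' has an empty password field"
        problems=$((problems + 1))
    done
    shell=$(root_shell "$passwd_file")
    if [ "$shell" != "/sbin/nologin" ]; then
        echo "FINDING: root shell is '$shell'; direct root login is still possible"
        problems=$((problems + 1))
    fi
    echo "Unlocked interactive accounts to review:"
    find_unlocked_interactive "$passwd_file" "$shadow_file" | sed 's/^/  /'
    [ "$problems" -eq 0 ]
}

audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" || echo "audit: $problems problem(s) found"
```

On the sample data the report flags sysadm (UID 0) and oracle (empty password field) and lists alice, oracle and sysadm for review. Accounts that turn out to be unused are locked with passwd -l, which prefixes the shadow hash with "!" and so drops them out of the review list on the next run. The matching sudoers entry for a named administrator is a line such as `alice ALL=(ALL) ALL`, entered through visudo so the file is syntax-checked before it is saved. One caveat on the nologin approach: su - and sudo -i start root's login shell from /etc/passwd and will refuse once that shell is /sbin/nologin, whereas `sudo command` and `su -s /bin/bash` continue to work.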

Oracle Linux supports PAM (Pluggable Authentication Modules), which makes it easier to enforce strong user authentication and password policies, including rules for password complexity, length, age and expiration. PAM also prevents the reuse of previous passwords, and it can be configured to block user access after too many failed login attempts, outside normal working hours, or when too many concurrent sessions are open. PAM is highly customizable through additional modules, and you can add external password integrity checkers to test password strength.
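The policies listed above map onto a small number of modules in the PAM stack. The fragment below is an added example, not configuration taken from the post or from an Oracle Linux default file; it assumes a pam_pwquality and pam_faillock based stack (Oracle Linux 7 style; Oracle Linux 6 uses pam_cracklib and pam_tally2 for the same roles), and the numbers chosen are illustrative.

```text
# /etc/pam.d/system-auth, relevant lines only (added example, not from the post)

# Lock the account for 15 minutes after 5 consecutive failed logins.
auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
# Login-time restrictions from /etc/security/time.conf, for example
#   login;*;!root;Wk0800-1800
# which allows everyone except root to use the login service only on
# weekdays between 08:00 and 18:00.
account     required      pam_time.so

# Complexity: at least 12 characters with a digit, an upper-case letter, a
# lower-case letter and a symbol; three attempts before the change is refused.
password    requisite     pam_pwquality.so try_first_pass retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
# No "nullok" here, so an empty password field cannot be used to log in;
# remember=5 rejects any of the user's last five passwords.
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password    required      pam_deny.so

# Per-user resource limits from /etc/security/limits.conf, for example
#   *  hard  maxlogins  3
# which caps concurrent logins per user at three.
session     required      pam_limits.so
session     required      pam_unix.so
```

Password age and expiration are not PAM options: the defaults for new accounts come from PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE in /etc/login.defs, and existing accounts are adjusted with chage. The external password checker mentioned in the post slots in as an additional "password" line ahead of pam_unix.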
