Monday 7 July 2008

Checklist for adding login accounts

Managing login accounts is quite complex nowadays. I decided to make a checklist.

In short: one login account, remote access only, account expiry, password aging, restricted OpenSSH, poly-instantiation of the home directory, no su (%wheel), no sudo, no execution of user content, disk quota, login limits, nproc limits, MCS categories, no cron (cron.allow), no at (at.allow). Steps 1 to 8 below work out most of these; su, sudo, cron and at are controlled through the %wheel group, /etc/sudoers, /etc/cron.allow and /etc/at.allow and are not written out here.

1. Add a login account
/usr/sbin/useradd -c "Full name" -e 2008-12-31 -G realusers,sshusers -K PASS_MAX_DAYS=180 -K PASS_MIN_DAYS=7 -K PASS_MIN_LEN=8 -K PASS_WARN_AGE=7 -p 'password as returned by crypt (3)' 'user_name'
The -K options override the /etc/login.defs defaults used while creating this one account. Passing the crypt(3) hash with -p puts it in the process list and the shell history; setting it afterwards with chpasswd -e (which reads user:hash from stdin) or passwd avoids that.

2. Disable permission to execute user content (one time)
/usr/sbin/setsebool -P allow_user_exec_content off
The -P makes the boolean persistent across reboots; without it the setting is lost at the next policy reload.

3. Enable poly-instantiation
/usr/sbin/setsebool -P allow_polyinstantiation on
mkdir /home/'user_name'/'user_name'.inst
chmod 000 /home/'user_name'/'user_name'.inst
pam_namespace only polyinstantiates the directories listed in /etc/security/namespace.conf (the $HOME $HOME/$USER.inst/ entry is shipped commented out), and it expects that instance parent directory to be owned by root with mode 000, which the two commands above provide.

4. Deny local access
echo "- : 'user_name' : LOCAL" >> /etc/security/access.conf
LOCAL matches logins that have no remote host, i.e. console and tty logins, so this user can only come in over the network. The line is only honoured when pam_access.so is in the account stack (authconfig --enablepamaccess on Red Hat-style systems).

5. Set limits
echo "'user_name' - maxlogins 3" >> /etc/security/limits.conf
echo "'user_name' hard nproc 15" >> /etc/security/limits.conf
The pam_limits item names are maxlogins and nproc; nlogins and nprocs are not valid items and the lines would have no effect.

6. Restrict ssh
cat >> /etc/ssh/sshd_config <<EOF
Match User 'user_name'
    X11Forwarding no
    AllowTcpForwarding no
EOF
/usr/sbin/sshd -t && /sbin/service sshd reload
This goes into the server file, sshd_config; ssh_config is the client configuration and does not know Match. Match blocks must stay at the end of sshd_config, which appending guarantees, and the running sshd has to be reloaded before the block applies; sshd -t checks the syntax first.

7. Assign SELinux user, domain and categories
/usr/sbin/semanage user -a -L s0 -r "s0-s0:c4" -R user_r -P user 'user_name'
/usr/sbin/semanage login -a -s 'user_name' -r "s0-s0:c4" 'user_name'
cp /etc/selinux/targeted/contexts/users/user_u /etc/selinux/targeted/contexts/users/'user_name'
The first command creates a dedicated SELinux user (default level s0, range s0-s0:c4, role user_r, prefix user) so each login gets its own MCS category; the second maps the Linux login to it. The copied contexts file gives the new SELinux user the same default login contexts as user_u.

8. User quota
/usr/sbin/setquota -r -u 'user_name' 7500 10000 7500 10000 -a
The four numbers are block soft/hard and inode soft/hard limits, applied with -a to every quota-enabled filesystem in /etc/mtab. -r sets the quota over RPC through rpc.rquotad and is only needed when the home directory is on NFS; drop it for local filesystems.
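The eight steps above as one re-runnable script. This is an added example, not code from the original post: it assumes a RHEL/Fedora-style host with the targeted policy, pam_access, pam_limits and pam_namespace already enabled in the PAM stack, the groups realusers and sshusers already created, quotas enabled on the local /home filesystem, and /sbin/service available for the sshd reload. The function names (add_restricted_user, append_once and the helpers) are this example's own. The config fragments for steps 4 to 6 are generated by small functions so they can be reviewed before anything is written to /etc, and append_once keeps the script from stacking duplicate entries when it is run twice for the same user.

```shell
#!/bin/sh
# Added example (not from the original post): the eight checklist steps as one
# re-runnable POSIX sh script. Assumptions: RHEL/Fedora-style host, targeted
# policy, pam_access/pam_limits/pam_namespace enabled, groups realusers and
# sshusers present, quotas enabled on local /home. Function names are this
# example's own.
set -eu

# --- input checks -------------------------------------------------------------
# Reject names that would break the grammar of the files we append to
# (spaces, colons, a leading dash), not only names useradd itself refuses.
valid_username() {
    case $1 in
        ''|*[!a-z0-9_-]*|-*|[0-9]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}
valid_date() {            # YYYY-MM-DD, the form useradd -e expects
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}
valid_category() {        # a single MCS category, c0 .. c1023
    case $1 in
        c[0-9]|c[0-9][0-9]|c[0-9][0-9][0-9]|c[0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# --- config fragments for steps 4, 5 and 6 -----------------------------------
# Printed rather than written directly so they can be reviewed (or tested)
# before anything touches /etc. Item names are pam_limits': maxlogins, nproc.
access_conf_line()  { printf '%s : %s : LOCAL\n' - "$1"; }
limits_conf_lines() { printf '%s - maxlogins %s\n%s hard nproc %s\n' "$1" "$2" "$1" "$3"; }
sshd_match_block()  { printf 'Match User %s\n    X11Forwarding no\n    AllowTcpForwarding no\n' "$1"; }

# Append TEXT to FILE unless its first line is already present as a whole line,
# so running the script twice for one user does not stack duplicate entries.
append_once() {           # append_once FILE TEXT
    file=$1 text=$2
    nl=$(printf '\n.'); nl=${nl%.}
    key=${text%%"$nl"*}
    if [ -f "$file" ] && grep -qxF -- "$key" "$file"; then
        return 0
    fi
    printf '%s\n' "$text" >> "$file"
}

# --- the procedure ------------------------------------------------------------
add_restricted_user() {   # add_restricted_user USER YYYY-MM-DD cN 'crypt(3) hash'
    if [ $# -ne 4 ] || ! valid_username "$1" || ! valid_date "$2" || ! valid_category "$3"; then
        echo "usage: add_restricted_user USER YYYY-MM-DD cN 'crypt(3) hash'" >&2
        return 2
    fi
    user=$1 expires=$2 category=$3 hash=$4
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }

    # 1. account: expiry, password aging, group membership
    /usr/sbin/useradd -c "$user" -e "$expires" -G realusers,sshusers \
        -K PASS_MAX_DAYS=180 -K PASS_MIN_DAYS=7 -K PASS_MIN_LEN=8 -K PASS_WARN_AGE=7 \
        -p "$hash" "$user"

    # 2. and 3. system-wide booleans (harmless to repeat) and the root-owned,
    #    mode 000 instance parent directory pam_namespace expects
    /usr/sbin/setsebool -P allow_user_exec_content off
    /usr/sbin/setsebool -P allow_polyinstantiation on
    install -d -m 000 -o root -g root "/home/$user/$user.inst"

    # 4. to 6. PAM and sshd restrictions; sshd_config is the server file and
    #    Match blocks must stay at its end, which appending guarantees
    append_once /etc/security/access.conf "$(access_conf_line "$user")"
    append_once /etc/security/limits.conf "$(limits_conf_lines "$user" 3 15)"
    append_once /etc/ssh/sshd_config      "$(sshd_match_block "$user")"
    /usr/sbin/sshd -t                       # stop here (set -e) on a bad config
    /sbin/service sshd reload

    # 7. a private SELinux user with its own MCS category, mapped to the login,
    #    inheriting user_u's default login contexts
    /usr/sbin/semanage user  -a -L s0 -r "s0-s0:$category" -R user_r -P user "$user"
    /usr/sbin/semanage login -a -s "$user" -r "s0-s0:$category" "$user"
    cp /etc/selinux/targeted/contexts/users/user_u "/etc/selinux/targeted/contexts/users/$user"

    # 8. block and inode soft/hard quota on every quota-enabled local filesystem
    /usr/sbin/setquota -u "$user" 7500 10000 7500 10000 -a
}

# Run as: sh add-restricted-user.sh USER YYYY-MM-DD cN 'crypt(3) hash'
case ${1-} in ?*) add_restricted_user "$@" ;; esac
```

The validation runs before the root check so a typo in the username or category fails fast without touching the system; the MCS category is one of the few inputs that ends up inside an SELinux range string, which is why it is matched strictly rather than trusted.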
