Linux System and User Security Module 15 PDF
2019
This document is a module on Linux system and user security, encompassing various user types, accounts, permissions, and commands for managing users and accounts. It covers topics such as users and permissions, administrative accounts, switching users, privileged commands, user accounts, passwords, system accounts, group accounts, viewing user accounts, viewing user information, viewing current users, and viewing login history.
Module 15: System and User Security

Exam Objective 5.1: Basic Security and Identifying User Types
Objective Description: Various types of users on a Linux system.

Identifying User Accounts

Users and Permissions
User accounts are designed to provide security on a Linux operating system. User accounts allow or disallow a person access to files and directories using file permissions. User accounts also belong to groups. This chapter covers commands that provide the ability to view user and group account information and how to switch to other user accounts.

Administrative Accounts
Some commands require administrative or root privileges. Because using root has risks, it is recommended to use the sudo or su command to execute commands as root.
Risks with logging in as root:
○ Everything will run as root (background processes, executables)
○ May forget you are logged in as root
○ May accidentally run non-admin tasks as root

Switching Users
The su command allows you to run a shell as a different user.
    su [options] [username]
Using the login shell option (-) results in fully configuring the new shell with the settings of the new user. If no username is specified, su opens a new shell as root.
    su - user
    su - root
After pressing Enter, the user must provide the password of the root user. Use the exit command to return to the original shell (user account).
    sysadmin@localhost:~$ su -
    Password:
    root@localhost:~# exit
    logout

Executing Privileged Commands
The sudo command also allows users to execute commands as another user. It can be used in distributions that do not allow root user login. It prompts for the user's own password instead of that of the root user. It results in an entry placed in a log file for accountability and
    sysadmin@localhost:~$ sudo head /etc/shadow
    [sudo] password for sysadmin:

User Accounts
The /etc directory contains files which contain account data of users and groups defined on the system. The /etc/passwd file defines some account information for user accounts.
    sysadmin:x:1001:1001:System Administrator,,,,:/home/sysadmin:/bin/bash
○ Each line contains information about a single user.
○ Contains: Name, Password Placeholder, User ID, Primary Group ID, Comment, Home Directory, Shell (fields are separated by a colon)
Use the grep command to check if a user is defined on the system.

Passwords
The /etc/shadow file contains user password information (you must be logged in as root to read it).
    sysadmin:$6$c75ekQWF$.GpiZpFnIXLzkALjDpZXmjxZcIll14OvL2mFSIfnc1aU2cQ/221QL5AX5RjKXpXPJRQ0uVN35TY3/..c7v0.n0:16874:5:30:7:60:15050::
Fields include:
○ Username: Username of the account (matches the username in /etc/passwd)
○ Password: Encrypted password for the account
○ Last Change: Last time the password was changed
○ Min: Minimum number of days between password changes
○ Max: Maximum number of days the password is valid
○ Warn: Number of days before password expiry that the system warns the user
○ Inactive: Grace period in which the user's password can be changed
○ Expire: Number of days (from January 1, 1970) after which the user account will expire
○ Reserved: Currently not used; this field is reserved for future use

System Accounts
Users log in using regular accounts (UID > 1000). The special-access root account has UID 0. System accounts are designed for services running on the system (UID 1-499).
System accounts in /etc/passwd and /etc/shadow have some different fields:
○ Home directory: typically do not have one
○ Shell: Uses nologin
○ Password: Uses *

Group Accounts
Each user can be a member of one or more groups. The /etc/passwd file defines the primary group membership for a user. The /etc/group file defines supplemental (or secondary) group membership.
    mail:x:12:mail,postfix
Fields include:
○ Group Name: Field contains the group name
○ Password Holder: The x means the password is not stored in this file
○ GID: Unique group ID associated with the group
○ User List: Lists the members of the group

Viewing User Accounts

Viewing User Information
The id command is used to print user and group information.
    sysadmin@localhost:~$ id
    uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin),4(adm),27(sudo)
Output:
○ Lists user account information first (UID (uid=1001) and username (sysadmin))
○ After the username, the primary group is listed (group ID and group name)
○ Other information includes the other groups the user belongs to (group IDs and group names)
To display information for a specific account, use the username as an argument. To print only secondary group membership, use the -G option.

Viewing Current Users
The who command lists users who are currently logged in, as well as where and when they logged in.
    sysadmin@localhost:~$ who
    root     tty2         2013-10-11 10:00
    sysadmin tty1         2013-10-11 09:58 (:0)
    sysadmin pts/0        2013-10-11 09:59 (:0.0)
Output:
○ Username: Indicates the user who is logged in and has an open session.
○ Terminal: Indicates which terminal window the user is working in. tty indicates a local login whereas pts indicates a pseudo terminal.
○ Date: Indicates when the user logged in. The final field gives the location: a hostname means the user logged in remotely, a colon and number means a graphical local login, and no location info means the user logged in via the local command line.

Viewing Current Users
The w command provides more detailed information about users currently on the system, and also provides information about system status. Output looks like:
    sysadmin@localhost:~$ w
     10:44:03 up 50 min,  4 users,  load average: 0.78, 0.44, 0.19
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    root     tty2     -                10:00   43:44   0.01s  0.01s -bash
    sysadmin tty1     :0               09:58   50:02   5.68s  0.16s pam: gdm-password
    sysadmin pts/0    :0.0             09:59    0.00s  0.14s  0.13s ssh 192.168.1.2
    sysadmin pts/1    example.com      10:00    0.00s  0.03s  0.01s w

Viewing Login History
The last command reads all login records from the /var/log/wtmp file. It shows previous login sessions as well as current login information.
    sysadmin@localhost:~$ last
    sysadmin console      Tue Sep 18 02:31   still logged in
    sysadmin console      Tue Sep 18 02:31 - 02:31  (00:00)

    wtmp begins Tue Sep 18 02:31:57 2018
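The account files (/etc/passwd, /etc/shadow, /etc/group) and the id output covered above, worked as an added example that is not part of the course module: a POSIX shell script that classifies each UID with the ranges the chapter gives, rebuilds the id-style membership line from the group file, and flags shadow entries a reviewer would want to see (empty password field, locked account, password that never ages). The file contents, the hash placeholders and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the course module. The /etc/passwd, /etc/shadow and
# /etc/group contents below are constructed samples so the script runs offline without root.
PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sysadmin:x:1001:1001:System Administrator,,,,:/home/sysadmin:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/bash'
SHADOW='root:$6$saltsalt$HASHPLACEHOLDER:16874:0:99999:7:::
daemon:*:16874:0:99999:7:::
sysadmin:$6$c75ekQWF$HASHPLACEHOLDER:16874:5:30:7:60:15050::
guest::16874:0:99999:7:::'
GROUP='root:x:0:
adm:x:4:sysadmin
sudo:x:27:sysadmin
sysadmin:x:1001:
guest:x:1002:'

# Classify a UID with the ranges the chapter gives: 0 root, 1-499 system, 1000 and above regular.
account_type() {
  if [ "$1" -eq 0 ]; then echo root; elif [ "$1" -le 499 ]; then echo system
  elif [ "$1" -ge 1000 ]; then echo regular; else echo other; fi
}

# Rebuild an id(1)-style line: uid/primary gid from passwd, names and supplementary groups from group.
id_line() {
  printf '%s\n' "$PASSWD" | awk -F: -v u="$1" -v grp="$GROUP" '
    BEGIN { n = split(grp, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], f, ":"); gname[f[3]] = f[1]
        m = split(f[4], members, ",")
        for (j = 1; j <= m; j++) if (members[j] == u) sup = sup "," f[3] "(" f[1] ")" } }
    $1 == u { printf "uid=%s(%s) gid=%s(%s) groups=%s(%s)%s\n", $3, $1, $4, gname[$4], $4, gname[$4], sup }'
}

# Read the shadow fields (name:password:lastchange:min:max:warn:inactive:expire:reserved) and
# report an empty password field, a locked account, a password that never ages, or the aging policy.
shadow_check() {
  printf '%s\n' "$SHADOW" | awk -F: -v u="$1" '$1 == u {
    if ($2 == "") print "EMPTY-PASSWORD"
    else if ($2 == "*" || $2 ~ /^!/) print "LOCKED"
    else if ($5 == "" || $5 == 99999) print "NO-EXPIRY"
    else print "AGING:min=" $4 ",max=" $5 ",warn=" $6
  }'
}

# Report every account from the constructed passwd file.
printf '%s\n' "$PASSWD" | cut -d: -f1,3 | while IFS=: read -r n u; do
  echo "$n $(account_type "$u") $(shadow_check "$n") | $(id_line "$n")"
done
```

On a real host the three variables would be read from the files themselves (shadow requires root), which is exactly why the module says to inspect /etc/shadow via su or sudo.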