suse linux enterprise server administration (course 3037) chapter 2 manage user access and security

SUSE Linux Enterprise Server Administration (Course 3037)

Chapter 2Manage User Access and Security

SUSE Linux Enterprise Server Administration (Course 3037) 2

Objectives

• Describe Basic Linux User Security Features

• Manage Linux Users and Groups

• Manage and Secure the Linux User Environment


Objectives (continued)

• Secure Files and Directories with Permissions

• Configure User Authentication with PAM

• Implement and Monitor Enterprise Security Policies


Describe Basic Linux User Security Features

• Maintaining a secure environment includes– File System Security Components– Users and Groups– Ownership and Access Permissions


File System Security Components

• Types of components– Users– Groups– Ownerships– Permission


Users and Groups

• Users and Group ID numbers– user ID (UID)

• Assigned to each user– group ID (GID)

• Users are usually included in the group users– Command id

• Displays user’s UID and the groups she is assigned– Command groups

• Displays groups of which a user is a member– Command finger

• Displays additional information about local users


Users and Groups (continued)

• Regular vs. System users– Regular users

• Allow employees to log in to the Linux environment– System users

• Used by services, utilities, and other applications to run effectively on the server

• Public vs. Private group schemes– Private scheme

• User is assigned his own group that he can manage– Public scheme

• User is assigned to a general, public group



• User accounts and home directories– Each user has a user account

• Identified by a login name and a personal password– Each user has her own directory

• In the directory /home/• Root account has its own home directory in /root/

• User and group configuration files– /etc/passwd– /etc/shadow– /etc/group



• /etc/passwd– Stores information for each user

• /etc/shadow– Stores encrypted user passwords and password

expiration information

• /etc/group– Stores group information



• How to check /etc/passwd and /etc/shadow– tail command

• Used to view the contents of both files at once

– pwconv command• Corrects discrepancies in both files

– pwck command• Similar to pwconv


Exercise 2-1 Check User and Group Information on Your Server

• In this exercise you will check the user and group information on your SLES 9 server


Ownership and Access Permissions

• Each file and directory is assigned access permissions

• Permissions determine level of access– For each user

• Permissions are assigned at 3 levels– Owner– Group– Other


Manage Linux Users and Groups

• Tasks include– Create and Edit User Accounts with YaST– Create and Edit Groups with YaST– Edit User Account Properties– Configure Account Password Settings– Manage User Accounts from the Command Line– Manage Groups from the Command Line– Create Text Login Messages


Create and Edit User Accounts with YaST

• Use Edit and Create Users module in YaST– To create, edit, and delete Linux user accounts

• Steps– Start YaST Edit and Create users module– Select Set Filter– Create a new user account or edit an existing one– Enter or edit information– Save settings– Configure your server with the new settings


Create and Edit User Accounts with YaST (continued)


Create and Edit Groups with YaST

• Use Edit and Create groups module in YaST– To create, edit, and delete Linux groups

• Steps– Start YaST Edit and Create groups module– Select Set Filter– Create a new group or edit an existing one– Enter or edit information– Return to the Group Administration dialog box– Configure your server with the new settings


Create and Edit Groups with YaST (continued)


Edit User Account Properties

• Use YaST– To edit user account properties

• Steps– Start YaST Edit and Create users module– Select the user account to modify– Edit user account properties– Enter or edit information– Continue by selecting Next– Save the configuration


Edit User Account Properties (continued)


Configure Account Password Settings

• Use YaST– To configure password settings

• Steps– Start YaST Edit and Create users module– Select the user account to modify– Select Password Settings– Enter or edit information– Save the configuration


Configure Account Password Settings (continued)


Manage User Accounts from the Command Line

• You must be logged as root user• Commands

– useradd• Creates a new user account

– userdel• Deletes an existing user account

– usermod• Modifies settings for an existing account

– passwd• Changes a user’s password


Manage Groups from the Command Line

• You must be logged as root user• Commands

– groupadd• Creates a new group

– groupdel• Deletes an existing group

– groupmod• Modifies settings for an existing group


Create Text Login Messages

• Text login messages– Useful for displaying information when a user logs in

• Files– /etc/issue

• Contains initial message for users logging into the system

– /etc/motd• Contains initial message of the day


Exercise 2-2 Create and Manage Users and Groups from the Command

Line

• In this exercise you will set up your SLES 9 server with user accounts and groups– To help train the database administrators in your

Digital Airlines office


Manage and Secure the Linux User Environment

• Tasks involved– Perform Administrative Tasks as root– Delegate Administrative Tasks with sudo– Set Defaults for New User Accounts– Configure Security Settings


Perform Administrative Tasks as root

• Switch to another user with su– Assume the UID of root or of other users– Syntax

• su [options] ...[-] [user[argument]]– To change to the user root and execute a single

command• You can use the option -c

• Switch to another group with newgrp– Users can have only one effective group at a time– Commands newgrp or sg

• Change the effective group GID


Perform Administrative Tasks as root (continued)

• Start Programs as Another User from KDE– In KDE you can start any program with a different UID

• As long as you know the password


Perform Administrative Tasks as root (continued)


Delegate Administrative Tasks with sudo

• Command sudo– Enables a command to be run by a normal user

• File /etc/sudoers– Specifies which commands a user can or cannot

enter

– Modify it by using the command visudo– Lines 1 to 9 define aliases– Lines 14 to 17 show how aliases can be used in

actual rules


Delegate Administrative Tasks with sudo (continued)


Set Defaults for New User Accounts

• Use YaST to select default settings– To be applied to new user accounts

• Enter or edit the following information– Default group– Secondary groups– Default Login shell– Default home– Skeleton directory– Default expiration date– Days after password expiration Login is usable


Set Defaults for New User Accounts (continued)


Configure Security Settings

• Preset security settings– Level 1 (Home Workstation)– Level 2 (Networked Workstation)– Level 3 (Network Server)

• You can also create your own configuration• Password settings

– Checking new passwords– Plausibility test for passwords– Password encryption method

• DES• MD5• Blowfish


Configure Security Settings (continued)



• Password settings– Number of significant characters in the password– Minimum acceptable password length– Days to password change warning– Days before password expires warning

• Boot settings– Interpretation of Ctrl + Alt + Del– Shutdown behavior of KDM



• Login settings– Delay after incorrect login attempt– Record failed login attempts– Record successful login attempts– Allow remote graphical login

• Adding user settings– User ID limitations– Group ID limitations



• Miscellaneous global settings– Setting of file permissions

• Easy• Secure• Paranoid

– User launching updatedb– Current directory in root’s path– Current directory in the path of regular users– Enable magic SysRq keys


Exercise 2-3 Configure the Password Security Settings

• In this exercise you will configure the password security settings


Secure Files and Directories with Permissions

• To set permissions for files and directories, you need to know the following:– Permissions and Permission Values– How to Set Permissions from the Command Line– How to Set Permissions from a GUI Interface– How to Modify Default Access Permissions– How to Configure Special File Permissions– How to Configure Additional File Attributes for ext2


Permissions and Permission Values

• Permissions to a file or directory– Read (r)– Write (w)– Execute (x)

• Use command ls –l– To display contents of current directory

• With assigned permissions for each file or subdirectory

• Use Detailed List View in Konqueror– To view permissions, owner, and group for each

directory or file


Permissions and Permission Values (continued)


How to Set Permissions from the Command Line

• chmod– Used to add, remove, or assign permissions assigned

to a file or directory– Both the owner of a file and root can use this

command– Can be used recursively– Supports letters rwx to indicate permissions

• You can also use groups of numbers


How to Set Permissions from the Command Line (continued)



• chown and chgrp– Change the owner or group assigned to a file or

directory– chown syntax

• chown new_user.new_group file• chown new_user file• chown .new_group file

– chgrp syntax• chgrp .new_group file


How to Set Permissions from a GUI Interface

• You can use Konqueror in KDE to change permissions

• Steps– Start Konqueror– Right-click the file or directory to modify

• Then select Properties– Select the Permissions tab– Modify permissions and ownership– Modify individual permissions (optional)– Save configuration


How to Set Permissions from a GUI Interface (continued)


How to Modify Default Access Permissions

• Default settings– Files are created with access mode 666– Directories are created with access mode 777

• Command umask– Used to modify access mode settings

• Make the umask setting permanent– Change the value of umask in /etc/profile file


How to Modify Default Access Permissions (continued)


How to Configure Special File Permissions

• Sticky bit– Use chmod to modify it

• SUID or SGID attributes– Programs are carried out with privileges the owner or

the group have


How to Configure Special File Permissions (continued)


How to Configure Additional File Attributes in ext2

• Additional file permissions have been included in ext2– And are also available in ext3

• Command chattr– Used to set ext2 attributes

• Command lsattr– Used to display ext2 attributes


How to Configure Additional File Attributes in ext2 (continued)


Exercise 2-4 Set Permissions for Files and Directories from the Command

Line

• In this exercise you will set permissions for files and directories– From the command line


Configure User Authentication with PAM

• PAM (Pluggable Authentication Modules)– Used by Linux in the authentication process

• As a layer that communicates between users and applications

– Lets you configure and change authentication methods

• Between users and individual applications


Location and Purpose of PAM Configuration Files

• PAM provides a variety of modules• Configuration files location

– /etc/pam.d/program_name• Global configuration files directory

– /etc/security


Location and Purpose of PAM Configuration Files (continued)


PAM Configuration File Structure


PAM Configuration File Examples

• pam_securetty.so– Determines which terminal can be regarded as secure– User root can log in only at these terminals

• pam_nologin.so– Use this module to prevent users from logging into the

system


PAM Documentation Resources

• PAM documentation is available in directory /usr/share/doc– READMEs– The Linux-PAM System Administrators’ Guide– The Linux-PAM Module Writers’ Manual– The Linux-PAM Application Developers’ Guide


Exercise 2-5 Configure PAM Authentication for Digital Airlines

Employees

• In this exercise, you perform tests that prevent all normal users from logging in – To see how PAM is used by the system


Implement and Monitor Enterprise Security Policies

• Objectives– Guidelines for Implementing Security Policies– Security Rules and Tips– SuSE Security Information Resources– How to Monitor Login Activity


Guidelines for Implementing Security Policies

• Local security and user accounts– Main goal of local security

• Keep users separate from each other– Linux password encryption

• Password are stored encrypted• Each time it is entered, it is encrypted again

– Encrypted passwords are compared– Boot procedure protection

• Prevents system from booting using a floppy disk or CD– File permission configuration

• Always work with the most restrictive privileges possible for a given task


Guidelines for Implementing Security Policies (continued)

• Local security and user accounts (continued)– File permission configuration (continued)

• Special permission files in directory /etc/– permissions– permissions.easy– permissions.secure– permissions.paranoid

– Network security and local security• Network security

– Protects a network from an attack that is started outside

• Login procedure is still a local security issue


Security Rules and Tips

• Rules and tips– Use most restrictive set of permissions possible

– Use encrypted connections for a remote machine

– Avoid authentication based on IP addresses alone

– Keep network-related packages up-to-date

– Disable any network services you do not require

– Verify the integrity of any SUSE RPM package

– Check backups of user and system files regularly

– Check your log files

– Use SUSEfirewall

– Design your security measures to be redundant


SUSE Security Information Resources

• Install updated packages – Recommended by security announcements

• SUSE security announcements– Published on a mailing list

– You can subscribe by using the following link: www.suse.de/security

• Other resources– [email protected] list– [email protected] mailing list– [email protected]


How to Monitor Login Activity

• who command– Shows who is currently logged in to the system

• And information such as the time of the last login

• w command– Displays information about the users currently on the

machine and their processes• finger command

– Displays information about local and remote system users


How to Monitor Login Activity (continued)

• last command– Displays a listing of the last logged-in users

• lastlog command– Formats and prints the contents of the last login log

file (/var/log/lastlog)

• faillog– Formats and displays the contents of the failure log

(/var/log/faillog)– Maintains failure counts and limits


Exercise 2-6 Change the Security Settings

• SUSE provides configuration files for locking down your system

• From a files perspective, there are three settings: easy, secure, and paranoid

• In this exercise, you change to the paranoid setting and observe the impact on the system


Summary

• Each user has a UID and a primary GID

• Linux systems store user information in /etc/passwd – And password information in /etc/shadow

• Group information is stored in the /etc/group file

• User and group commands– useradd, usermod, userdel– groupadd, groupmod, groupdel

• passwd command– Used to change user account passwords, lock user

accounts, and control password expiry settings


Summary (continued)

• su and newgrp commands– Used to change current UID and GID

• sudo command– Grants rights to run certain commands as other users

• Security Settings module in YaST– Used to configure default security-related settings

• You can assign read, write, and execute permissions to files and directories

• chmod, chown, and chgrp commands– Used to change permissions on files and directories


Summary (continued)

• New files and directories receive default permissions

• chattr and lsattr commands– Change and list file attributes

• PAM provides an extra layer of security – Between applications and system files– Uses modules that determine access restrictions

• Security policies– Provide for standardized security within an

organization

suse linux enterprise server administration (course 3037) chapter 2 manage user access and security

Documents