SUSE Linux Enterprise Server Administration Course 3037 - PowerPoint PPT Presentation

Slides: 91
Provided by: facult9

Transcript and Presenter's Notes

1
SUSE Linux Enterprise Server Administration
(Course 3037)
  • Chapter 2
  • Manage User Access and Security

2
Objectives
  • Describe Basic Linux User Security Features
  • Manage Linux Users and Groups
  • Manage and Secure the Linux User Environment

3
Objectives (continued)
  • Secure Files and Directories with Permissions
  • Configure User Authentication with PAM
  • Implement and Monitor Enterprise Security
    Policies

4
Describe Basic Linux User Security Features
  • Maintaining a secure environment includes
  • File System Security Components
  • Users and Groups
  • Ownership and Access Permissions

5
File System Security Components
  • Types of components
  • Users
  • Groups
  • Ownerships
  • Permission

6
Users and Groups
  • User and group ID numbers
  • user ID (UID)
  • Assigned to each user account
  • group ID (GID)
  • Each user has a primary group; on SUSE new users are usually placed in
    the group users (GID 100)
  • Command id
  • Displays a user's UID, primary GID, and all groups she is assigned to
  • Command groups
  • Displays the groups of which a user is a member
  • Command finger
  • Displays additional information about local users (real name, home
    directory, shell, last login)

7
Users and Groups (continued)
  • Regular vs. System users
  • Regular users
  • Allow employees to log in to the Linux
    environment
  • System users
  • Used by services, utilities, and other
    applications to run effectively on the server
  • Public vs. Private group schemes
  • Private scheme
  • Each user gets a private group of her own, usually with the same name,
    that she can manage
  • Public scheme
  • Users are assigned to a general, public group (the SUSE default: group
    users)

8
Users and Groups (continued)
  • User accounts and home directories
  • Each user has a user account
  • Identified by a login name and a personal
    password
  • Each user has her own directory
  • In the directory /home/
  • Root account has its own home directory in /root/
  • User and group configuration files
  • /etc/passwd
  • /etc/shadow
  • /etc/group

9
Users and Groups (continued)
10
Users and Groups (continued)
  • /etc/passwd
  • Stores information for each user
  • /etc/shadow
  • Stores encrypted user passwords and password
    expiration information
  • /etc/group
  • Stores group information

11
Users and Groups (continued)
12
Users and Groups (continued)
13
Users and Groups (continued)
14
Users and Groups (continued)
  • How to check /etc/passwd and /etc/shadow
  • tail command
  • Shows the last lines of each file; tail /etc/passwd /etc/shadow prints
    both, with a header line per file
  • pwconv command
  • Creates or updates /etc/shadow from /etc/passwd: adds shadow entries for
    users that lack one, removes shadow entries with no passwd line, and
    moves the hashes out of the world-readable passwd file
  • pwck command
  • Checks rather than repairs: reports malformed lines, invalid UIDs and
    GIDs, missing home directories, and passwd/shadow entries that do not
    match (grpck does the same for /etc/group)
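The checks described on this slide, as an added example that is not part of the course material: a small POSIX shell script that runs the consistency checks pwck would report, plus a review of the hash field in /etc/shadow, against constructed passwd/shadow snapshots. The account names, hashes and the temporary-directory layout are invented for the example; pointed at the real files (as root) the same functions audit a live system.

```shell
#!/bin/sh
# Added example (not part of the course): the consistency checks pwck reports,
# plus a review of the hash field in /etc/shadow, run against constructed
# passwd/shadow snapshots. Point the functions at the real files (as root)
# to audit a live system.

# Constructed sample data: every account name and hash below is invented.
make_sample_files() {
  d=$(mktemp -d)
  cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
geeko:x:1000:100:Geeko:/home/geeko:/bin/bash
backdoor:x:0:0:second uid 0 account:/tmp:/bin/sh
weakhash:x:1001:100:old DES hash:/home/weakhash:/bin/bash
orphan:x:1002:100:no shadow entry:/home/orphan:/bin/bash
EOF
  cat > "$d/shadow" <<'EOF'
root:$2a$05$xxxxxxxxxxxxxxxxxxxxxuyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:12000:0:99999:7:::
geeko:$1$saltsalt$abcdefghijklmnopqrstuv:12000:0:99999:7:::
backdoor::12000:0:99999:7:::
weakhash:ab0Zx1CdEfGhI:12000:0:99999:7:::
EOF
  echo "$d"
}

# Accounts other than root whose UID is 0: a classic backdoor indicator.
uid0_accounts() {             # $1 = passwd file
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# passwd entries with no matching shadow line (one of the things pwck reports).
missing_shadow() {            # $1 = passwd file, $2 = shadow file
  awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# Hash-field review: an empty field means no password is needed; a 13-character
# hash with no $id$ prefix is traditional DES (8 significant characters).
# $1$ (MD5) and $2a$ (Blowfish) pass; '!' or '*' marks a locked account.
weak_hashes() {               # $1 = shadow file
  awk -F: '
    $2 == ""              { print $1 ":empty"; next }
    $2 ~ /^[!*]/          { next }
    $2 ~ /^[$](1|2a)[$]/  { next }
    length($2) == 13      { print $1 ":des"; next }
                          { print $1 ":unknown" }
  ' "$1"
}

# Print all findings; returns 1 if there were any, so it can gate a cron job.
audit_report() {              # $1 = passwd file, $2 = shadow file
  findings=$( {
    uid0_accounts "$1"       | sed 's/^/uid0:      /'
    missing_shadow "$1" "$2" | sed 's/^/no-shadow: /'
    weak_hashes "$2"         | sed 's/^/hash:      /'
  } )
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings"
  return 1
}

demo=$(make_sample_files)
if audit_report "$demo/passwd" "$demo/shadow"; then echo "no findings"; fi
rm -rf "$demo"
```

On the sample data the report lists the second UID 0 account, the passwd user without a shadow line, the empty password field and the DES hash; the MD5 and Blowfish hashes pass. Reading /etc/shadow needs root, so on a real server run the script from root's crontab and act on a non-zero exit status.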

15
Exercise 2-1 Check User and Group Information on
Your Server
  • In this exercise you will check the user and
    group information on your SLES 9 server

16
Ownership and Access Permissions
  • Each file and directory is assigned access
    permissions
  • Permissions determine level of access
  • For each user
  • Permissions are assigned at 3 levels
  • Owner
  • Group
  • Other

17
Manage Linux Users and Groups
  • Tasks include
  • Create and Edit User Accounts with YaST
  • Create and Edit Groups with YaST
  • Edit User Account Properties
  • Configure Account Password Settings
  • Manage User Accounts from the Command Line
  • Manage Groups from the Command Line
  • Create Text Login Messages

18
Create and Edit User Accounts with YaST
  • Use Edit and Create Users module in YaST
  • To create, edit, and delete Linux user accounts
  • Steps
  • Start YaST Edit and Create users module
  • Select Set Filter
  • Create a new user account or edit an existing one
  • Enter or edit information
  • Save settings
  • Configure your server with the new settings

19
Create and Edit User Accounts with YaST
(continued)
20
Create and Edit User Accounts with YaST
(continued)
21
Create and Edit Groups with YaST
  • Use Edit and Create groups module in YaST
  • To create, edit, and delete Linux groups
  • Steps
  • Start YaST Edit and Create groups module
  • Select Set Filter
  • Create a new group or edit an existing one
  • Enter or edit information
  • Return to the Group Administration dialog box
  • Configure your server with the new settings

22
Create and Edit Groups with YaST (continued)
23
Create and Edit Groups with YaST (continued)
24
Edit User Account Properties
  • Use YaST
  • To edit user account properties
  • Steps
  • Start YaST Edit and Create users module
  • Select the user account to modify
  • Edit user account properties
  • Enter or edit information
  • Continue by selecting Next
  • Save the configuration

25
Edit User Account Properties (continued)
26
Configure Account Password Settings
  • Use YaST
  • To configure password settings
  • Steps
  • Start YaST Edit and Create users module
  • Select the user account to modify
  • Select Password Settings
  • Enter or edit information
  • Save the configuration

27
Configure Account Password Settings (continued)
28
Manage User Accounts from the Command Line
  • You must be logged in as root
  • Commands
  • useradd
  • Creates a new user account
  • userdel
  • Deletes an existing user account
  • usermod
  • Modifies settings for an existing account
  • passwd
  • Changes a user's password

29
Manage Groups from the Command Line
  • You must be logged in as root
  • Commands
  • groupadd
  • Creates a new group
  • groupdel
  • Deletes an existing group
  • groupmod
  • Modifies settings for an existing group
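An added example (not the course's exercise material) of what a scripted version of these commands looks like when it has to be safe to re-run: it compares a desired list of DBA accounts with snapshots of /etc/passwd and /etc/group and prints only the groupadd, useradd, usermod and chage commands that are still needed. The account names, the dba group and the 90-day password expiry are assumptions for the example.

```shell
#!/bin/sh
# Added example (not the course's exercise material): a re-runnable version of
# the user and group commands. It compares a desired list of accounts with
# snapshots of /etc/passwd and /etc/group and prints only the commands that are
# still needed. Account names, the dba group and the 90-day expiry are assumptions.

# Constructed snapshot of an existing system: one DBA already exists, in group users.
make_snapshot() {
  d=$(mktemp -d)
  printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                'dba1:x:1001:100:Existing DBA:/home/dba1:/bin/bash' > "$d/passwd"
  printf '%s\n' 'root:x:0:' 'users:x:100:' > "$d/group"
  echo "$d"
}

# Desired state: "login:primary_group:comment" per line (constructed).
DESIRED='dba1:dba:Existing DBA
dba2:dba:New DBA
dbaops:dba:DBA on-call'

# Emit the groupadd/useradd/usermod/chage commands still missing.
# $1 = passwd snapshot, $2 = group snapshot. Review the output, then pipe it to sh as root.
plan_accounts() {
  printf '%s\n' "$DESIRED" | awk -F: -v pw="$1" -v gr="$2" '
    BEGIN {
      while ((getline line < pw) > 0) { split(line, f, ":"); user[f[1]] = f[4] }
      while ((getline line < gr) > 0) { split(line, f, ":"); group[f[1]] = f[3] }
    }
    {
      login = $1; grp = $2; comment = $3
      if (!(grp in group)) {                 # group missing: create it first
        printf "groupadd %s\n", grp
        group[grp] = "new"                   # GID unknown until groupadd has run
      }
      if (!(login in user)) {                # user missing: create it and force a
        printf "useradd -m -g %s -c \"%s\" -s /bin/bash %s\n", grp, comment, login
        printf "chage -M 90 -W 7 -d 0 %s\n", login   # password change at first login
      } else if (user[login] != group[grp]) {   # exists, but wrong primary group
        printf "usermod -g %s %s\n", grp, login
      }
    }'
}

snap=$(make_snapshot)
plan_accounts "$snap/passwd" "$snap/group"
rm -rf "$snap"
```

Run against the constructed snapshot the plan creates the dba group, moves the existing dba1 into it, and creates the two missing accounts with a password change forced at first login. Run against a snapshot in which everything already exists it prints nothing, which is the property that makes it safe to schedule.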

30
Create Text Login Messages
  • Text login messages
  • Useful for displaying information when a user
    logs in
  • Files
  • /etc/issue
  • Contains initial message for users logging into
    the system
  • /etc/motd
  • Contains initial message of the day

31
Exercise 2-2 Create and Manage Users and Groups
from the Command Line
  • In this exercise you will set up your SLES 9
    server with user accounts and groups
  • To help train the database administrators in your
    Digital Airlines office

32
Manage and Secure the Linux User Environment
  • Tasks involved
  • Perform Administrative Tasks as root
  • Delegate Administrative Tasks with sudo
  • Set Defaults for New User Accounts
  • Configure Security Settings

33
Perform Administrative Tasks as root
  • Switch to another user with su
  • Assume the UID of root or of another user (you are prompted for that
    user's password)
  • Syntax
  • su [options] [-] [user [arguments]]
  • The - (or -l) option starts a login shell with the target user's
    environment; without it you keep your own environment variables
  • To change to the user root and execute a single
    command
  • You can use the option -c, for example su -c "tail /var/log/messages"
  • Switch to another group with newgrp
  • Users can have only one effective group at a time (it is the group given
    to files they create)
  • Commands newgrp or sg
  • Change the effective group GID

34
Perform Administrative Tasks as root (continued)
  • Start Programs as Another User from KDE
  • In KDE you can start any program with a different
    UID
  • As long as you know the password

35
Perform Administrative Tasks as root (continued)
36
Delegate Administrative Tasks with sudo
  • Command sudo
  • Lets a normal user run a specific command as another user, root by
    default, after entering her own password
  • File /etc/sudoers
  • Specifies which users may run which commands on which hosts
  • Modify it only with the command visudo, which locks the file and refuses
    to save a version with syntax errors (a broken /etc/sudoers locks
    everyone out of sudo)
  • In the example /etc/sudoers on the slide, lines 1 to 9 define aliases
  • Lines 14 to 17 show how aliases can be used in
    actual rules
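As an added example, not the file shown on the slide: a short /etc/sudoers that uses aliases the way the slide describes, granting the DBAs only the service commands they need. The user names, the dba group and the init script path are assumptions for the example.

```text
# /etc/sudoers (added example, not the slide's file). Edit only with visudo.

# Aliases: who, and which commands
User_Alias   DBADMINS  = dba1, dba2
Cmnd_Alias   DBSERVICE = /etc/init.d/postgresql start, \
                         /etc/init.d/postgresql stop, \
                         /etc/init.d/postgresql restart
Cmnd_Alias   DBLOGS    = /usr/bin/tail /var/log/postgresql.log

# Re-prompt for the password after 5 minutes instead of the default 15
Defaults     timestamp_timeout=5

# Rules: user  host = (run-as user) commands
root         ALL = (ALL) ALL
DBADMINS     ALL = (root) DBSERVICE, DBLOGS
```

Two points a practitioner will want alongside this: allowlist exact commands with full paths and no wildcards, because anything that can spawn a shell or open an arbitrary file (editors, pagers, tail -f on a path the user controls) gives the user root outright; and do not rely on `!` negation rules to take commands away, since a user can simply copy the binary elsewhere. Check a draft without touching the live file with `visudo -c -f /tmp/sudoers.draft`.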

37
Delegate Administrative Tasks with sudo
(continued)
38
Set Defaults for New User Accounts
  • Use YaST to select default settings
  • To be applied to new user accounts
  • Enter or edit the following information
  • Default group
  • Secondary groups
  • Default Login shell
  • Default home
  • Skeleton directory
  • Default expiration date
  • Days after password expiration Login is usable

39
Set Defaults for New User Accounts (continued)
40
Configure Security Settings
  • Preset security settings
  • Level 1 (Home Workstation)
  • Level 2 (Networked Workstation)
  • Level 3 (Network Server)
  • You can also create your own configuration
  • Password settings
  • Checking new passwords
  • Plausibility test for passwords
  • Password hashing method (the dialog calls it the encryption method)
  • DES (only the first 8 characters of the password count)
  • MD5
  • Blowfish (the strongest of the three and the recommended choice)

41
Configure Security Settings (continued)
42
Configure Security Settings (continued)
  • Password settings
  • Number of significant characters in the password
  • Minimum acceptable password length
  • Days to password change warning
  • Days before password expires warning
  • Boot settings
  • Interpretation of Ctrl Alt Del
  • Shutdown behavior of KDM

43
Configure Security Settings (continued)
44
Configure Security Settings (continued)
45
Configure Security Settings (continued)
  • Login settings
  • Delay after incorrect login attempt
  • Record failed login attempts
  • Record successful login attempts
  • Allow remote graphical login
  • Adding user settings
  • User ID limitations
  • Group ID limitations

46
Configure Security Settings (continued)
47
Configure Security Settings (continued)
48
Configure Security Settings (continued)
  • Miscellaneous global settings
  • Setting of file permissions
  • Easy
  • Secure
  • Paranoid
  • User launching updatedb
  • Current directory in root's path
  • Current directory in the path of regular users
  • Enable magic SysRq keys

49
Configure Security Settings (continued)
50
Exercise 2-3 Configure the Password Security
Settings
  • In this exercise you will configure the password
    security settings

51
Secure Files and Directories with Permissions
  • To set permissions for files and directories, you
    need to know the following
  • Permissions and Permission Values
  • How to Set Permissions from the Command Line
  • How to Set Permissions from a GUI Interface
  • How to Modify Default Access Permissions
  • How to Configure Special File Permissions
  • How to Configure Additional File Attributes for
    ext2

52
Permissions and Permission Values
  • Permissions to a file or directory
  • Read (r)
  • Write (w)
  • Execute (x)
  • Use command ls -l
  • To display contents of current directory
  • With assigned permissions for each file or
    subdirectory
  • Use Detailed List View in Konqueror
  • To view permissions, owner, and group for each
    directory or file

53
Permissions and Permission Values (continued)
54
Permissions and Permission Values (continued)
55
How to Set Permissions from the Command Line
  • chmod
  • Used to add, remove, or assign permissions
    assigned to a file or directory
  • Both the owner of a file and root can use this
    command
  • Can be used recursively
  • Supports letters rwx to indicate permissions
  • You can also use groups of numbers

56
How to Set Permissions from the Command Line
(continued)
57
How to Set Permissions from the Command Line
(continued)
58
How to Set Permissions from the Command Line
(continued)
59
How to Set Permissions from the Command Line
(continued)
  • chown and chgrp
  • Change the owner or group assigned to a file or
    directory (only root can change the owner; the owner can change the
    group to any group she belongs to)
  • chown syntax
  • chown new_user:new_group file
  • chown new_user file
  • chown :new_group file
  • The older new_user.new_group spelling is still accepted, but the colon
    form is unambiguous when a user name contains a dot
  • chgrp syntax
  • chgrp new_group file

60
How to Set Permissions from a GUI Interface
  • You can use Konqueror in KDE to change
    permissions
  • Steps
  • Start Konqueror
  • Right-click the file or directory to modify
  • Then select Properties
  • Select the Permissions tab
  • Modify permissions and ownership
  • Modify individual permissions (optional)
  • Save configuration

61
How to Set Permissions from a GUI Interface
(continued)
62
How to Set Permissions from a GUI Interface
(continued)
63
How to Modify Default Access Permissions
  • Default settings
  • Files are created with access mode 666
  • Directories are created with access mode 777
  • Command umask
  • Holds the permission bits to remove from those defaults (umask 022
    yields 644 for files and 755 for directories)
  • Make the umask setting permanent
  • Change the value of umask in /etc/profile (on SUSE, /etc/profile.local
    survives package updates and is the intended place for local changes)
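The arithmetic behind the 666/777 defaults, as an added example that is not part of the course: one function computes the resulting mode for a given umask, and a second creates a file and a directory under that umask in a temporary directory and reports what ls shows, so the calculation can be checked against what the kernel actually does.

```shell
#!/bin/sh
# Added example (not part of the course): how a umask is subtracted from the
# 666 (file) and 777 (directory) creation modes, checked against real files.

# Resulting mode for a creation mode and a umask, both given as octal strings.
# The kernel computes mode & ~umask; the leading 0 makes the shell read octal.
effective_mode() {            # $1 = creation mode (666 or 777), $2 = umask
  printf '%04o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Create a file and a directory under the given umask and print their modes
# as ls -l shows them. The subshell keeps the caller's umask unchanged.
umask_demo() {                # $1 = umask
  d=$(mktemp -d)
  ( umask "$1"; : > "$d/f"; mkdir "$d/sub" )
  ls -ld "$d/f" "$d/sub" | cut -c1-10
  rm -rf "$d"
}

# Stand-alone run: the common workstation value and a private one.
for m in 022 027 077; do
  printf 'umask %s: files %s, directories %s\n' "$m" \
    "$(effective_mode 666 "$m")" "$(effective_mode 777 "$m")"
done
umask_demo 077
```

A umask of 027 (group may read, others get nothing) is a reasonable server-wide default in /etc/profile.local; 077 is appropriate for root's own shell. Note that the umask only applies at creation time: chmod afterwards, and applications that pass an explicit mode to open(2), are not affected by it.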

64
How to Modify Default Access Permissions
(continued)
65
How to Modify Default Access Permissions
(continued)
66
How to Configure Special File Permissions
  • Sticky bit
  • On a directory, only the owner of a file (or root) may delete or rename
    it, even if the directory is world-writable; /tmp is the standard example
  • Use chmod to modify it (chmod 1777 /tmp or chmod +t directory)
  • SUID or SGID attributes
  • Programs are carried out with the privileges of the file's owner or group
    rather than those of the user who starts them
  • SGID on a directory makes new files inherit the directory's group
  • Every SUID root program is a privilege boundary; keep the list short and
    known
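The inventory a practitioner wants after this slide, as an added example that is not part of the course: two find-based functions that list set-UID and set-GID programs and world-writable entries without the sticky bit. They run here on a constructed directory tree (the file names mimic real binaries but are empty files created for the example); on a real server run them against / as root and diff the output against a saved baseline.

```shell
#!/bin/sh
# Added example (not from the course): find set-UID/set-GID programs and
# world-writable entries that lack the sticky bit below a directory. Run it
# against / as root on a real system; here it runs on a constructed tree.

# Constructed tree: the names imitate real binaries, the files are empty.
make_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/bin" "$d/tmp" "$d/shared"
  : > "$d/bin/passwd";   chmod 4755 "$d/bin/passwd"     # set-UID, like the real passwd
  : > "$d/bin/wall";     chmod 2755 "$d/bin/wall"       # set-GID
  : > "$d/bin/ls";       chmod 0755 "$d/bin/ls"         # ordinary program
  : > "$d/shared/notes"; chmod 0666 "$d/shared/notes"   # world-writable file
  chmod 1777 "$d/tmp"                                   # sticky, as /tmp should be
  chmod 0777 "$d/shared"                                # world-writable, no sticky bit
  echo "$d"
}

# Files below $1 with the set-UID or set-GID bit, as paths relative to $1.
setid_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sed "s|^$1/||" | sort
}

# World-writable files and directories below $1 without the sticky bit.
world_writable() {
  find "$1" -perm -0002 ! -perm -1000 | sed "s|^$1/||" | sort
}

# Stand-alone run over the constructed tree.
tree=$(make_tree)
echo "set-UID/set-GID:"; setid_files "$tree"
echo "world-writable without sticky bit:"; world_writable "$tree"
rm -rf "$tree"
```

Anything in the first list that is not on the known-good list (a new set-UID binary under /tmp or /home is the classic sign of a left-behind backdoor) deserves a look at once; for the second, either add the sticky bit or, more often, ask why the directory is world-writable at all.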

67
How to Configure Special File Permissions
(continued)
68
How to Configure Additional File Attributes in
ext2
  • Additional file attributes have been included in
    ext2
  • And are also available in ext3
  • Command chattr
  • Used to set ext2 attributes, for example +i (immutable) and +a
    (append-only), which only root can set or clear
  • Command lsattr
  • Used to display ext2 attributes

69
How to Configure Additional File Attributes in
ext2 (continued)
70
How to Configure Additional File Attributes in
ext2 (continued)
71
How to Configure Additional File Attributes in
ext2 (continued)
72
Exercise 2-4 Set Permissions for Files and
Directories from the Command Line
  • In this exercise you will set permissions for
    files and directories
  • From the command line

73
Configure User Authentication with PAM
  • PAM (Pluggable Authentication Modules)
  • Used by Linux in the authentication process
  • As a layer between applications (login, sshd, su, ...) and the
    authentication back ends (/etc/shadow, LDAP, ...)
  • Lets you configure and change authentication methods
  • Per application, without changing the application itself

74
Location and Purpose of PAM Configuration Files
  • PAM provides a variety of modules
  • Configuration files location
  • /etc/pam.d/program_name
  • Global configuration files directory
  • /etc/security

75
Location and Purpose of PAM Configuration Files
(continued)
76
PAM Configuration File Structure
77
PAM Configuration File Examples
  • pam_securetty.so
  • Determines which terminals can be regarded as secure (those listed in
    /etc/securetty)
  • User root can log in only at these terminals
  • pam_nologin.so
  • Denies login to all users except root while the file /etc/nologin
    exists; its contents are shown to the user as the reason
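As an added example, not the configuration file shown on the slide: an /etc/pam.d/login stack that places both modules where they belong, ahead of the password check. pam_unix2 and pam_pwcheck are the SUSE modules of that release; the exact module arguments are assumptions for the example.

```text
# /etc/pam.d/login (added example, not the slide's file)
# type     control    module                 purpose
auth       requisite  pam_securetty.so       # root only on a terminal listed in /etc/securetty
auth       requisite  pam_nologin.so         # refuse everyone but root while /etc/nologin exists
auth       required   pam_unix2.so           # password check against /etc/shadow
account    required   pam_unix2.so           # expiry dates and account validity
password   required   pam_pwcheck.so nullok  # plausibility test for new passwords
password   required   pam_unix2.so   nullok use_first_pass
session    required   pam_unix2.so
```

The control flag matters for these two modules: with `requisite` a failure ends the stack immediately, so a console login for root on an unlisted terminal, or for a normal user while /etc/nologin exists, is refused before any password is asked for; with `required` the user would still be prompted and only refused afterwards. Exercise 2-5 is exactly this mechanism: `touch /etc/nologin` (with an explanatory sentence in the file) locks out every normal user until the file is removed.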

78
PAM Documentation Resources
  • PAM documentation is available in directory
    /usr/share/doc
  • READMEs
  • The Linux-PAM System Administrators Guide
  • The Linux-PAM Module Writers Manual
  • The Linux-PAM Application Developers Guide

79
Exercise 2-5 Configure PAM Authentication for
Digital Airlines Employees
  • In this exercise, you perform tests that prevent
    all normal users from logging in
  • To see how PAM is used by the system

80
Implement and Monitor Enterprise Security Policies
  • Objectives
  • Guidelines for Implementing Security Policies
  • Security Rules and Tips
  • SuSE Security Information Resources
  • How to Monitor Login Activity

81
Guidelines for Implementing Security Policies
  • Local security and user accounts
  • Main goal of local security
  • Keep users separate from each other
  • Linux password hashing
  • Passwords are stored as one-way hashes, not in a recoverable form
  • Each time a password is entered, it is hashed again with the same salt
  • The resulting hash is compared with the stored one
  • Boot procedure protection
  • Prevents the system from booting from a floppy disk or CD (BIOS boot
    order and BIOS password) and protects the boot loader with a password
    so that its parameters cannot be changed at the console
  • File permission configuration
  • Always work with the most restrictive privileges
    possible for a given task

82
Guidelines for Implementing Security Policies
(continued)
  • Local security and user accounts (continued)
  • File permission configuration (continued)
  • Special permission files in directory /etc/
  • permissions
  • permissions.easy
  • permissions.secure
  • permissions.paranoid
  • Network security and local security
  • Network security
  • Protects a network from an attack that is started
    outside
  • Login procedure is still a local security issue

83
Security Rules and Tips
  • Rules and tips
  • Use most restrictive set of permissions possible
  • Use encrypted connections for a remote machine
  • Avoid authentication based on IP addresses alone
  • Keep network-related packages up-to-date
  • Disable any network services you do not require
  • Verify the signature of any SUSE RPM package before installing it
    (rpm --checksig package.rpm)
  • Check backups of user and system files regularly
  • Check your log files
  • Use SUSEfirewall
  • Design your security measures to be redundant

84
SUSE Security Information Resources
  • Install updated packages
  • Recommended by security announcements
  • SUSE security announcements
  • Published on a mailing list
  • You can subscribe by using the following link
    www.suse.de/security
  • Other resources
  • suse-security-announce@suse.de list
  • suse-security@suse.de mailing list
  • bugtraq@securityfocus.com

85
How to Monitor Login Activity
  • who command
  • Shows who is currently logged in to the system
  • With the terminal, login time, and originating host of each session
  • w command
  • Displays information about the users currently on
    the machine and their processes
  • finger command
  • Displays information about local and remote
    system users

86
How to Monitor Login Activity (continued)
  • last command
  • Displays the most recent logins, logouts, and reboots recorded in
    /var/log/wtmp
  • lastlog command
  • Formats and prints the contents of the last login
    log file (/var/log/lastlog)
  • faillog
  • Formats and displays the contents of the failure
    log (/var/log/faillog)
  • Maintains failure counts and limits
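The detection logic these commands support, as an added example that is not part of the course: failed-login lines of the kind sshd and login write to /var/log/messages via syslog on SLES 9, normalised to "user source" records and then counted per source and per targeted account. The log lines are constructed for the example; the host name and the 192.0.2.0/24 addresses (a documentation range) are invented.

```shell
#!/bin/sh
# Added example (not from the course): threshold checks over the failed-login
# lines that sshd and login write to /var/log/messages via syslog. The log
# below is constructed for the example; the host name and the 192.0.2.0/24
# addresses (a documentation range) are invented.

SAMPLE_LOG='Mar 12 10:15:01 sles9 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Mar 12 10:15:03 sles9 sshd[2201]: Failed password for invalid user oracle from 192.0.2.10 port 40113 ssh2
Mar 12 10:15:05 sles9 sshd[2203]: Failed password for root from 192.0.2.10 port 40114 ssh2
Mar 12 10:15:07 sles9 sshd[2205]: Failed password for root from 192.0.2.10 port 40115 ssh2
Mar 12 10:16:40 sles9 sshd[2210]: Accepted password for geeko from 192.0.2.77 port 51002 ssh2
Mar 12 10:17:02 sles9 sshd[2212]: Failed password for geeko from 192.0.2.77 port 51003 ssh2
Mar 12 10:17:09 sles9 sshd[2212]: Accepted password for geeko from 192.0.2.77 port 51003 ssh2
Mar 12 10:30:00 sles9 login[2300]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure'

# Normalise every failed attempt on stdin to one "user source" line.
# sshd: "Failed password for [invalid user] NAME from ADDR"
# login: "FAILED LOGIN ... FOR NAME," (console; no address, so "console" is used)
parse_failures() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) {
        if ($i == "for")  user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
        if ($i == "from") src = $(i+1)
      }
      print user, src
    }
    /login\[[0-9]+\]: FAILED LOGIN/ {
      for (i = 1; i <= NF; i++) if ($i == "FOR") { user = $(i+1); sub(/,$/, "", user) }
      print user, "console"
    }'
}

# "count source", busiest source first.
failed_by_source() { parse_failures | awk '{ n[$2]++ } END { for (s in n) print n[s], s }' | sort -rn; }

# Sources with at least $1 failures: candidates for a SUSEfirewall block.
brute_force_sources() { failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'; }

# "count user", most targeted account first; root at the top means a
# password-guessing run against the account that matters most.
targeted_users() { parse_failures | awk '{ n[$1]++ } END { for (u in n) print n[u], u }' | sort -rn; }

# Stand-alone run over the constructed log.
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | brute_force_sources 3
```

On a live server replace the sample with `cat /var/log/messages | brute_force_sources 10` from a cron job. Note what the sample shows: the single failure from 192.0.2.77 followed by a success is a typo, not an attack, while 192.0.2.10 is walking through account names; and the console failure appears in faillog only when "Record failed login attempts" is enabled in the security settings described earlier.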

87
Exercise 2-6 Change the Security Settings
  • SUSE provides configuration files for locking
    down your system
  • From a file's perspective, there are three
    settings: easy, secure, and paranoid
  • In this exercise, you change to the paranoid
    setting and observe the impact on the system
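As an added example, not part of the exercise: the format of the permissions files named in the security guidelines above, used to add site-specific entries that survive a switch between the easy, secure and paranoid profiles. The paths, the dba group and the postgres account are assumptions for the example.

```text
# /etc/permissions.local (added example; the shipped permissions.* files use the same format)
# path                          owner:group         mode
/var/lib/pgsql/data             postgres:postgres   700
/usr/local/bin/dbbackup         root:dba            750
/etc/dbbackup.conf              root:dba            640
```

The profile in use is selected by PERMISSION_SECURITY in /etc/sysconfig/security (for example `PERMISSION_SECURITY="secure local"`), and the files are applied by chkstat, either through SuSEconfig or directly with `chkstat --set /etc/permissions.secure /etc/permissions.local`. Running chkstat without `--set` only reports deviations, which makes it a cheap integrity check to schedule: any file whose owner or mode has drifted from the profile is listed without being changed.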

88
Summary
  • Each user has a UID and a primary GID
  • Linux systems store user information in
    /etc/passwd
  • And password information in /etc/shadow
  • Group information is stored in the /etc/group
    file
  • User and group commands
  • useradd, usermod, userdel
  • groupadd, groupmod, groupdel
  • passwd command
  • Used to change user account passwords, lock user
    accounts, and control password expiry settings

89
Summary (continued)
  • su and newgrp commands
  • Used to change current UID and GID
  • sudo command
  • Grants rights to run certain commands as other
    users
  • Security Settings module in YaST
  • Used to configure default security-related
    settings
  • You can assign read, write, and execute
    permissions to files and directories
  • chmod, chown, and chgrp commands
  • Used to change permissions on files and
    directories

90
Summary (continued)
  • New files and directories receive default
    permissions
  • chattr and lsattr commands
  • Change and list file attributes
  • PAM provides an extra layer of security
  • Between applications and the authentication back ends they use
  • Uses stackable modules that determine how access is granted and
    restricted
  • Security policies
  • Provide for standardized security within an
    organization