Ubuntu User Auditing and Account Policies

Securing a CyberPatriot image starts with robust user management. Learn to audit accounts, disable guest access, enforce password policies, and lock down system accounts to prevent unauthorized access.

When I started with CyberPatriot, finding a straightforward guide to harden Linux systems was challenging. While forums like StackOverflow provided commands to remove users or tweak PAM settings, they often lacked clarity and context. This guide is the first in a series to simplify Linux system hardening. It provides the commands and reasoning behind them to help you learn and understand without simply following a checklist.

Basic User Auditing

User accounts are a gateway to the system, and improperly managed accounts are a common vulnerability. Let’s start by auditing and managing users to ensure only authorized accounts exist and follow best practices.

Disable the Guest Account

Ubuntu images that use LightDM (the default through 17.04, and any image with lightdm installed) ship a guest session that logs in with no password at all; disable it so nobody can reach a desktop without credentials. GDM3, the default from 17.10 on, has no guest session to disable. The setting takes effect the next time the display manager starts, so reboot or restart the lightdm/gdm3 service afterwards.

LightDM (a drop-in under lightdm.conf.d, so no existing file has to be edited):

sudo sh -c 'printf "[Seat:*]\nallow-guest=false\n" >/etc/lightdm/lightdm.conf.d/50-no-guest.conf'

GDM3 (GDM ignores this key because it has no guest session; it is only for checklists that ask for it. sed exits 0 even when no [security] section exists, so create the section explicitly instead of relying on a || fallback):

grep -q '^\[security\]' /etc/gdm3/custom.conf || printf '\n[security]\n' | sudo tee -a /etc/gdm3/custom.conf >/dev/null
sudo sed -i.bak '/^\[security\]/a AllowGuest=false' /etc/gdm3/custom.conf

Remove Unauthorized and Hidden Users

Attackers may give an existing account UID 0, which makes it root no matter what it is called, or create accounts that should not exist. The place to look is /etc/passwd, where each line is name:password:UID:GID:comment:home:shell (an x in the password field means the hash lives in /etc/shadow). A trimmed example:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
root_imposter:x:0:0:root_imposter:/root:/bin/bash
unauthorized_user:x:1002:1002:Unauthorized User:/home/unauthorized_user:/bin/bash

Two entries stand out. root_imposter has UID 0 and GID 0, so it is a second root account: the third and fourth fields grant the privilege, not the name. If the account is legitimately needed, give it an unused UID and GID (2001:2001, for example) plus its own primary group and home directory rather than leaving it pointed at /root, and make the change with vipw so the file stays locked and consistent while you edit it. If it is not needed, delete it like any other unauthorized account. Accounts that should not exist at all, such as unauthorized_user, are removed one at a time:

sudo userdel unauthorized_user    # add -r to also remove the home directory and mail spool
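
The manual review above scales badly once an image has dozens of accounts. The script below is an added example, not code from the original guide: it reads a passwd-format file and reports every UID 0 account other than root, and every account in the human UID range with a real login shell that is not on an allow-list you pass in. The sample file is constructed from the excerpt above; on a real image point it at /etc/passwd and list the users the scenario authorises.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: audit a passwd-format file.
# Flags (1) every account with UID 0 other than root, and (2) every account in
# the human UID range (>= 1000 on Ubuntu, excluding nobody) that has a real
# login shell but is not on an allow-list you supply.

# find_extra_uid0 FILE -> names of UID-0 accounts other than root
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# find_unlisted_logins FILE "user1 user2 ..." -> interactive human accounts not in the list
find_unlisted_logins() {
    awk -F: -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ && !($1 in ok) { print $1 }
    ' "$1"
}

# Constructed sample (not a real system file); mirrors the excerpt in the text.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
root_imposter:x:0:0:root_imposter:/root:/bin/bash
unauthorized_user:x:1002:1002:Unauthorized User:/home/unauthorized_user:/bin/bash
svc_backup:x:1003:1003:backup svc:/var/backups:/usr/sbin/nologin
EOF

# Usage on the sample; replace $SAMPLE_PASSWD with /etc/passwd and the list
# with the users the scenario README authorises.
echo "== extra UID 0 accounts =="
find_extra_uid0 "$SAMPLE_PASSWD"
echo "== interactive accounts not on the allow-list =="
find_unlisted_logins "$SAMPLE_PASSWD" "root alice"
```

Service accounts with /usr/sbin/nologin are deliberately skipped so the second list only contains accounts a person could actually log in with; lock or delete anything it prints that the README does not mention.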

Secure Root Access

The root account is a prime target for attackers. On a stock Ubuntu install root is locked (passwd -S root reports L), which is acceptable; what must be fixed is a blank root password (passwd -S root reports NP) or a trivial one. If the scenario requires a usable root password, set a strong one:

sudo passwd root

Remove Unnecessary Users

Accounts such as ftp belong to services that may not be installed or needed on your image, and removing them reduces the attack surface. Delete an account only once the package that owns it is gone (purge the service first); an account a running service still needs is better locked than deleted.

sudo userdel ftp

Control Administrative Privileges

Regular users should not be in the sudo group (or admin/adm) unless the scenario explicitly requires it. Remove a user from the group rather than rewriting their group list: usermod -G without -a replaces every supplementary group the user has, which is not what you want here.

getent group sudo               # see who currently has administrative rights
sudo gpasswd -d <user> sudo     # remove one user (or: sudo deluser <user> sudo)

Create and Manage Groups

Groups streamline permission management. Create a group, then add users to it with -a so their existing memberships are kept.

sudo groupadd <group>
sudo usermod -aG <group> <user>
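
Checking the sudo group alone misses one way to hold administrative rights: a user whose primary GID in /etc/passwd is the sudo group's GID is a member without ever appearing in /etc/group. The script below is an added example, not code from the original guide; it reads a group-format and a passwd-format file and prints every member of the privileged groups from both sources. The two sample files are constructed; on a real image pass /etc/group and /etc/passwd.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: list everyone who holds
# administrative rights through group membership, including users whose
# *primary* group is privileged (which "getent group sudo" does not show).

PRIV_GROUPS="sudo admin adm root"   # groups that grant root or log access on Ubuntu

# privileged_members GROUP_FILE PASSWD_FILE -> "group:user" lines, sorted
privileged_members() {
    awk -F: -v groups="$PRIV_GROUPS" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) priv[g[i]] = 1 }
        # first file (/etc/group): remember privileged GIDs, print explicit members
        FNR == NR {
            if ($1 in priv) {
                gid[$3] = $1
                m = split($4, members, ",")
                for (i = 1; i <= m; i++) if (members[i] != "") print $1 ":" members[i]
            }
            next
        }
        # second file (/etc/passwd): users whose primary GID is a privileged group
        ($4 in gid) && $1 != "root" { print gid[$4] ":" $1 " (primary group)" }
    ' "$1" "$2" | sort -u
}

# Constructed samples (not real system files).
SAMPLE_GROUP=$(mktemp); SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
adm:x:4:syslog,alice
sudo:x:27:alice,mallory
users:x:100:
EOF
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
mallory:x:1001:1001:Mallory:/home/mallory:/bin/bash
eve:x:1002:27:Eve:/home/eve:/bin/bash
EOF

privileged_members "$SAMPLE_GROUP" "$SAMPLE_PASSWD"
```

In the sample, eve never appears in the sudo line of the group file but still gets sudo rights through her primary GID of 27; fixing that means changing the primary group (usermod -g), not just editing /etc/group.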

Secure Login Practices

Passwordless logins and insecure passwords are significant vulnerabilities. Set strong passwords and ensure users cannot log in without them.

sudo passwd <user>

Enhancing Password Policies

Password policies enforce the strength and longevity of passwords, ensuring they resist standard attack methods. Let’s explore ways to configure robust password policies.

Prevent the Reuse of Old Passwords

Limit reuse of old passwords with the remember option of pam_unix, which keeps the last n password hashes in /etc/security/opasswd and rejects a new password matching any of them. Add the option only if it is not already present, so that running the command twice does not stack duplicates.

sudo touch /etc/security/opasswd && sudo chmod 600 /etc/security/opasswd   # history file pam_unix writes to; harmless if it exists
grep -q 'pam_unix.so.*remember=' /etc/pam.d/common-password || sudo sed -i '/^password.*pam_unix.so/ s/$/ remember=5/' /etc/pam.d/common-password

Enhance Password Complexity

Use pam_pwquality to enforce complexity rules: a minimum length, how many characters must differ from the previous password (difok), and required character classes. libpam-cracklib did the same job on older releases but is unmaintained and no longer packaged on current Ubuntu; install libpam-pwquality instead, which pam-auth-update wires into common-password as a pam_pwquality.so line, then tighten that line. A negative credit value such as ucredit=-1 means "at least one character of this class is required". By default root is exempt when setting other users' passwords; add enforce_for_root if you want root's own changes checked too.

sudo apt-get install -y libpam-pwquality   # libpam-cracklib only on old releases that still ship it
sudo sed -i '/pam_pwquality.so\|pam_cracklib.so/ s/$/ minlen=12 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1/' /etc/pam.d/common-password

Strengthen Password Hashing

Hash passwords with a strong algorithm. Ubuntu 22.04 and later default to yescrypt and earlier releases to SHA-512; both are fine, whereas md5 or DES hashes are not. Add sha512 to the pam_unix line only when no algorithm is named there, and never replace the whole line: a whole-line rewrite drops use_authtok (which makes pam_unix accept the password pam_pwquality has already checked instead of prompting for a second, unchecked one) and any remember= option set earlier. Keep ENCRYPT_METHOD in /etc/login.defs consistent with the PAM setting, and remember that existing hashes are rewritten only when the password is next changed (chage -d 0 <user> forces that at the next login).

sudo sed -i '/^password.*pam_unix.so/ { /sha512\|yescrypt/! s/$/ sha512/ }' /etc/pam.d/common-password
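
The three sed one-liners above share a weakness: they append a second copy of an option on every re-run, and a whole-line replacement discards options it did not mean to touch. The helpers below are an added example, not code from the original guide: they set, remove or test a single option on the lines that load a given PAM module and leave everything else on the line alone. They serve the remember=, complexity and hashing steps here, and pam_del_option is the safe way to strip nullok from common-auth later on. The sample file is constructed to look like Ubuntu 22.04's /etc/pam.d/common-password; on a real image pass the real path.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: edit PAM options without
# clobbering the rest of the line. Whitespace between fields is normalised
# to single spaces; comment lines and lines for other modules pass through.

# pam_set_option FILE MODULE OPTION [VALUE]
# On every non-comment line that loads MODULE, set OPTION (or OPTION=VALUE),
# replacing an existing OPTION=... and dropping any duplicate copies.
pam_set_option() {
    local file=$1 module=$2 opt=$3 value=${4-} token
    token=$opt
    if [ -n "$value" ]; then token="$opt=$value"; fi
    awk -v mod="$module" -v opt="$opt" -v token="$token" '
        /^[[:space:]]*#/ || index($0, mod) == 0 { print; next }
        {
            out = ""; done = 0
            for (i = 1; i <= NF; i++) {
                f = $i
                if (f == opt || index(f, opt "=") == 1) {
                    if (done) continue
                    f = token; done = 1
                }
                out = out (out == "" ? "" : " ") f
            }
            if (!done) out = out " " token
            print out
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# pam_del_option FILE MODULE OPTION
# Remove OPTION (with or without =value) from every MODULE line.
pam_del_option() {
    local file=$1 module=$2 opt=$3
    awk -v mod="$module" -v opt="$opt" '
        /^[[:space:]]*#/ || index($0, mod) == 0 { print; next }
        {
            out = ""
            for (i = 1; i <= NF; i++) {
                if ($i == opt || index($i, opt "=") == 1) continue
                out = out (out == "" ? "" : " ") $i
            }
            print out
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# pam_has_option FILE MODULE OPTION -> exit 0 if any MODULE line carries OPTION
pam_has_option() {
    awk -v mod="$2" -v opt="$3" '
        /^[[:space:]]*#/ || index($0, mod) == 0 { next }
        { for (i = 1; i <= NF; i++) if ($i == opt || index($i, opt "=") == 1) found = 1 }
        END { exit !found }' "$1"
}

# Constructed sample; on a real image use /etc/pam.d/common-password.
SAMPLE_PW=$(mktemp)
cat > "$SAMPLE_PW" <<'EOF'
# here are the per-package modules (the "Primary" block)
password	requisite			pam_pwquality.so retry=3
password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt
# here's the fallback if no module succeeds
password	requisite			pam_deny.so
EOF

# The three hardening steps from the text, applied idempotently.
harden_common_password() {
    local f=$1
    pam_set_option "$f" pam_unix.so remember 5          # password history
    pam_set_option "$f" pam_pwquality.so minlen 12      # complexity
    pam_set_option "$f" pam_pwquality.so ucredit -1
    # add sha512 only if no algorithm is named; yescrypt is already stronger
    pam_has_option "$f" pam_unix.so yescrypt || pam_has_option "$f" pam_unix.so sha512 \
        || pam_set_option "$f" pam_unix.so sha512
}

harden_common_password "$SAMPLE_PW"
grep -v '^#' "$SAMPLE_PW"
```

Because each helper matches a whole field, remember=5 is recognised as the same option as remember=7, while unrelated fields such as the [success=1 default=ignore] control string are left untouched. Running harden_common_password a second time changes nothing.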

Enforce System-Wide Defaults

Defaults in /etc/login.defs make accounts created afterwards comply automatically; they do not touch existing accounts, which need chage (next step). Set the maximum and minimum password age globally, and give users some warning before expiry.

sudo sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS   90/' /etc/login.defs
sudo sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS   7/' /etc/login.defs
sudo sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE   14/' /etc/login.defs

Set Password Expiration

Forcing periodic password changes limits how long a stolen credential stays useful. Apply a maximum and minimum age to each existing human account; the minimum age matters because without it a user can cycle through several passwords in a minute to get around the remember= history and land back on the old one.

sudo chage -M 90 <user>  # Maximum age of 90 days
sudo chage -m 7 <user>   # Minimum age of 7 days
sudo chage -l <user>     # Confirm the new ageing values

Locking Down System Accounts

System accounts often don’t require interactive logins. Limiting their capabilities reduces the risk of privilege escalation or abuse.

Disable Password Logins for System Accounts

Prevent system accounts from being used for interactive logins by invalidating their passwords. On Ubuntu most system accounts already carry * in the shadow password field (no valid hash); a ! prefix is the conventional "locked" marker and is what passwd -l writes. passwd -S <account> shows L for a locked account and NP for one with no password at all, which is the case to hunt for.

sudo passwd -l <systemuser>    # writes '!' into the shadow field (same effect as usermod -p '!')
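
The root-password check, the hashing algorithm, password ageing and the locked system accounts above all come down to reading /etc/shadow, so one pass over it answers all four. The script below is an added example, not code from the original guide: it classifies each shadow entry (blank, locked, yescrypt, sha512, weaker) and reports the ones that need fixing. The sample file is constructed and its hash bodies are placeholders; on a real image run it as root against /etc/shadow.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: classify every entry of a
# shadow-format file so blank, locked, weakly hashed and never-expiring
# passwords stand out.

# shadow_status FILE -> "user<TAB>status<TAB>max_days" per account
shadow_status() {
    awk -F: '
        {
            hash = $2; maxd = ($5 == "" ? "none" : $5)
            if (hash == "")              s = "NO PASSWORD"     # empty field: login without a password
            else if (hash ~ /^[!*]/)     s = "locked"          # ! or * prefix: password auth disabled
            else if (hash ~ /^\$y\$/)    s = "yescrypt"        # Ubuntu 22.04+ default
            else if (hash ~ /^\$6\$/)    s = "sha512"          # older default, still fine
            else if (hash ~ /^\$5\$/)    s = "sha256"
            else if (hash ~ /^\$1\$/)    s = "md5 (weak)"
            else                         s = "other (weak or unknown)"   # DES crypt etc.
            print $1 "\t" s "\t" maxd
        }' "$1"
}

# shadow_findings FILE -> one line per problem that needs fixing
shadow_findings() {
    shadow_status "$1" | awk -F'\t' '
        $2 == "NO PASSWORD" { print $1 ": no password set (passwd " $1 " or passwd -l " $1 ")" }
        $2 ~ /weak|unknown/ { print $1 ": weak hash (" $2 "), force a change with chage -d 0" }
        $2 !~ /locked|NO PASSWORD/ && ($3 == "none" || $3 + 0 > 90) { print $1 ": max password age " $3 " exceeds 90 days (chage -M 90)" }'
}

# Constructed sample; hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$placeholderhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$y$j9T$saltsalt$placeholderhash:19700:7:90:7:::
bob::19700:0:99999:7:::
carol:$1$saltsalt$placeholderhash:19700:0:99999:7:::
svc_backup:!:19700:0:99999:7:::
EOF

shadow_findings "$SAMPLE_SHADOW"
```

Locked accounts are deliberately left out of the ageing check: their password can never be used, so an expiry on it means nothing, and forcing one would only generate noise.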

Disable Shell Access for System Users

Many system accounts don't need an interactive shell. Setting the shell to /usr/sbin/nologin (which prints a refusal and exits) stops the account from being used at a login prompt or through su. Leave root alone, and check first for service accounts whose management scripts use su to switch into them, since those need their shell.

sudo usermod -s /usr/sbin/nologin <systemuser>

Configuring Account Security Features

Beyond user management, configuring system-wide account security features can further protect your system from unauthorized access.

Secure Insecure Consoles

Remove unnecessary lines from /etc/securetty to stop root logging in on insecure consoles. The file is read by pam_securetty from /etc/pam.d/login, so it governs local console logins, not SSH; if the file is absent on your release there is nothing to edit. The command below deletes every virtual-console entry (tty1, tty2, ...); keep one if you need root at the physical console.

sudo sed -i '/^tty[0-9]/d' /etc/securetty

Disable Null Password Authentication

Null passwords are a glaring vulnerability. The nullok option (nullok_secure on older releases) on the pam_unix line of /etc/pam.d/common-auth is what lets an account with an empty shadow field log in, so that is the file to fix; common-password only controls how passwords are changed. A bare s/nullok//g would turn nullok_secure into the meaningless option _secure, so match the whole option:

sudo sed -i -E 's/[[:space:]]+nullok(_secure)?([[:space:]]|$)/\2/g' /etc/pam.d/common-auth

Hide Usernames on the Login Screen

Displaying usernames on the login greeter hands an attacker half of every credential. Hide the list in whichever display manager the image runs. The LightDM line uses a drop-in file, which works even when /etc/lightdm/lightdm.conf does not exist; the GDM3 line uncomments the setting Ubuntu ships in greeter.dconf-defaults and recompiles the greeter database.

sudo sh -c 'printf "[Seat:*]\ngreeter-hide-users=true\n" >/etc/lightdm/lightdm.conf.d/60-hide-users.conf'
sudo sed -i 's/^# *disable-user-list=.*/disable-user-list=true/' /etc/gdm3/greeter.dconf-defaults && sudo dpkg-reconfigure gdm3

Implement Account Lockout Policies

Too many failed login attempts should trigger a temporary lockout. On Ubuntu 20.04 and earlier the module is pam_tally2; it was removed from Linux-PAM 1.5, so on 22.04 and later use pam_faillock instead (deny and unlock_time go in /etc/security/faillock.conf, with pam_faillock preauth and authfail lines in common-auth, and faillock --user <user> --reset clears a lockout). For pam_tally2 the line must exist before a sed can edit it, so add it at the top of common-auth when it is missing, then set five attempts and a ten-minute unlock; pam_tally2 --user <user> --reset unlocks an account by hand.

grep -q 'pam_tally2.so' /etc/pam.d/common-auth || sudo sed -i '1i auth required pam_tally2.so onerr=fail deny=5' /etc/pam.d/common-auth
sudo sed -i '/pam_tally2.so/ s/deny=[0-9]*\( unlock_time=[0-9]*\)\?/deny=5 unlock_time=600/' /etc/pam.d/common-auth

Conclusion

The first steps in hardening a Linux system are securing user accounts and implementing firm policies. Following these guidelines will establish a secure foundation for your system. In the next section, we will investigate best practices for local networks.