Checking User Accounts and Privileges
Checking the system for unlocked user accounts is good security practice. For example, the following command reports the password status of every account listed in /etc/passwd:

```shell
for u in $(awk -F: '{print $1}' /etc/passwd); do sudo passwd -S "$u"; done | sort
```

The following output is displayed:

```
adm L 2025-01-29 0 99999 7 -1
bin L 2025-01-29 0 99999 7 -1
chrony L 2025-06-13 -1 -1 -1 -1
clevis L 2025-08-28 -1 -1 -1 -1
...
```

In the output from this command, the second field shows whether a user account is locked (L), has no password (NP), or has a usable password (P). The third field shows the date on which the user last changed their password. The remaining fields show the minimum age, maximum age, warning period, and inactivity period for the password, in that order. The unit of time is days; a maximum age of 99999 means the password effectively never expires, and an inactivity period of -1 means the account is never disabled for inactivity.
Accounts reported as NP can be used without a password and need attention first. Use the passwd command to set a password on such an account, passwd -l to lock an account that is unused, or userdel to remove it entirely:

```shell
sudo passwd username      # set a password
sudo passwd -l username   # lock the account (passwd -u unlocks it)
sudo userdel username     # remove the account
```

Caution:
System accounts must be preserved. These are the accounts with user IDs below UID_MIN (1000 by default in /etc/login.defs); services run under them, and they are normally shipped locked (L) already, so only lock or remove ordinary user accounts.
For more information, see the passwd(1) and
userdel(8) manual pages.
To specify how users' passwords are aged, edit the settings in
the /etc/login.defs file that are described
in the following table.
| Setting | Description |
|---|---|
| PASS_MAX_DAYS | Maximum number of days for which a password can be used before it must be changed. If no value is specified, the default is -1, which disables the restriction. |
| PASS_MIN_DAYS | Minimum number of days that's allowed between password changes. If no value is specified, the default is 0, which disables the restriction. |
| PASS_WARN_AGE | Number of days' warning that's provided before a password expires. A value of 0 means that the warning is given only on the day of expiration, and a negative value means that no warning is given. If no value is specified, no warning is given. |
These settings are applied when an account is created. Existing accounts keep the aging values stored for them in /etc/shadow, so use the chage command (for example, chage -M 90 -W 7 username) to bring an existing account in line with a changed policy.
For more information, see the login.defs(5) and chage(1)
manual pages.
To change the number of days an account can remain inactive after its password has expired before it's locked, use the usermod command. For example, you would set the inactivity period to 30 days as follows:

```shell
sudo usermod -f 30 username
```

To change the default inactivity period for new user accounts, use the useradd command:

```shell
sudo useradd -D -f 30
```

A value of -1 specifies that user accounts are never locked because of
inactivity.
For more information, see the useradd(8) and
usermod(8) manual pages.
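The following script is an added example, not part of the Oracle Linux guide. It reads password-aging settings from a login.defs-style file, applies the login.defs(5) defaults for keys that are absent or commented out, checks the result against a policy (maximum age within a limit, a minimum age, a warning period), and prints the chage command that brings an existing account in line, since the login.defs values themselves only affect accounts created afterwards. Both configurations are constructed for the example; on a real host you would pass the contents of /etc/login.defs instead.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux guide): apply login.defs(5)
# defaults to a login.defs-style file and check the aging policy.

# Constructed: settings that leave passwords unexpiring and give no warning.
WEAK_DEFS='# constructed /etc/login.defs excerpt
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
# PASS_WARN_AGE 7     (commented out, so the documented default applies)
UID_MIN         1000'

# Constructed: the same excerpt after hardening.
HARDENED_DEFS='# constructed /etc/login.defs excerpt
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
UID_MIN         1000'

# login_def CONFIG KEY: print KEY's value, or the login.defs(5) default when
# the key is missing or commented out (-1 for PASS_MAX_DAYS, 0 for
# PASS_MIN_DAYS, "unset" for PASS_WARN_AGE, which means no warning is given).
login_def() {
    val=$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }')
    if [ -z "$val" ]; then
        case $2 in
            PASS_MAX_DAYS) val=-1 ;;
            PASS_MIN_DAYS) val=0 ;;
            PASS_WARN_AGE) val=unset ;;
        esac
    fi
    printf '%s\n' "$val"
}

# check_aging_policy CONFIG MAX_LIMIT: returns 0 when passwords expire within
# MAX_LIMIT days, a minimum age is enforced and a warning period is set;
# otherwise prints each finding and returns 1. Both -1 and 99999 mean
# "never expires" in practice, so both are rejected.
check_aging_policy() {
    conf=$1; limit=$2; rc=0
    max=$(login_def "$conf" PASS_MAX_DAYS)
    min=$(login_def "$conf" PASS_MIN_DAYS)
    warn=$(login_def "$conf" PASS_WARN_AGE)
    if [ "$max" -lt 1 ] || [ "$max" -gt "$limit" ]; then
        echo "PASS_MAX_DAYS=$max: passwords never expire or expire after more than $limit days"
        rc=1
    fi
    if [ "$min" -lt 1 ]; then
        echo "PASS_MIN_DAYS=$min: a password can be changed repeatedly to cycle back to an old one"
        rc=1
    fi
    if [ "$warn" = unset ] || [ "$warn" -le 0 ]; then
        echo "PASS_WARN_AGE=$warn: users get no warning before their password expires"
        rc=1
    fi
    return $rc
}

# chage_command_for CONFIG USER: login.defs only affects newly created
# accounts, so print the chage(1) command that applies CONFIG's aging values
# to an existing account (the command is printed, not run).
chage_command_for() {
    conf=$1; user=$2
    echo "sudo chage -M $(login_def "$conf" PASS_MAX_DAYS) -m $(login_def "$conf" PASS_MIN_DAYS) -W $(login_def "$conf" PASS_WARN_AGE) $user"
}

echo "weak configuration:";     check_aging_policy "$WEAK_DEFS" 90 || true
echo "hardened configuration:"; check_aging_policy "$HARDENED_DEFS" 90 && echo "OK"
chage_command_for "$HARDENED_DEFS" alice
```

The 90-day limit and the requirement for a minimum age are the example's own policy choices, not values the guide prescribes; adjust them to the organization's standard. Note that the inactivity period (usermod -f) is stored per account and is not a login.defs setting, which is why it is left to the usermod and useradd -D commands shown above.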
To verify that no user accounts other than root have a user ID of 0, use the following command:

```shell
sudo awk -F":" '$3 == 0 { print $1 }' /etc/passwd
```

The command should print only root:

```
root
```

Any other name in that output is an account with full root privileges, regardless of what it's called, and should be investigated and removed.

If you install software that creates a default user account and password, it's good security practice to change the vendor's default password immediately. Centralizing user authentication with an LDAP implementation such as OpenLDAP simplifies user management and reduces the risk from unused accounts or accounts without a password, because accounts are created, disabled, and removed in one place rather than on each system.
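The following script is an added example, not part of the Oracle Linux guide. It combines the checks described above (the passwd -S status review and the UID 0 check) into one audit: it flags extra UID-0 accounts, accounts with no password, and ordinary users whose usable password never expires, while deliberately leaving system accounts (UID below UID_MIN) out of the lock recommendations. All input is constructed so the script runs offline; on a real host you would feed it /etc/passwd and the output of the passwd -S loop shown earlier. The UID_MIN value, the sample account names and the remediation commands it prints are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux guide): audit account status.
# On a real host replace PASSWD_SAMPLE with the contents of /etc/passwd and
# STATUS_SAMPLE with the output of
#   for u in $(awk -F: '{print $1}' /etc/passwd); do sudo passwd -S "$u"; done

UID_MIN=1000   # assumption: the UID_MIN value from /etc/login.defs

# Constructed /etc/passwd lines, including a planted second UID-0 account.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
chrony:x:990:990::/var/lib/chrony:/sbin/nologin
toor:x:0:0:planted:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash'

# Constructed `passwd -S` output; fields are
# name status last-change min max warn inactive (see passwd(1)).
STATUS_SAMPLE='alice P 2025-01-29 0 99999 7 -1
bin L 2025-01-29 0 99999 7 -1
bob NP 2025-03-01 0 99999 7 -1
carol L 2025-02-10 0 90 7 30
chrony L 2025-06-13 -1 -1 -1 -1
root P 2025-01-29 0 99999 7 -1
toor P 2025-07-04 0 99999 7 -1'

# Accounts other than root whose UID is 0: each one is a full root login.
uid0_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts that have no password at all (status NP), whatever their UID.
nopassword_accounts() {
    printf '%s\n' "$STATUS_SAMPLE" | awk '$2 == "NP" { print $1 }'
}

# Ordinary users (UID >= UID_MIN) with a usable password (P) that never
# expires (max age 99999). System accounts are skipped on purpose: they
# must be preserved, and they are normally locked (L) already.
unlocked_nonexpiring_users() {
    printf '%s\n' "$PASSWD_SAMPLE" |
        awk -F: -v min="$UID_MIN" '$3 >= min { print $1 }' |
        while read -r user; do
            printf '%s\n' "$STATUS_SAMPLE" |
                awk -v u="$user" '$1 == u && $2 == "P" && $5 == 99999 { print $1 }'
        done
}

# One line per finding; the remediation commands are suggestions and are not run.
report() {
    for u in $(uid0_accounts); do
        echo "CRITICAL: $u has UID 0 (confirm it is not legitimate, then: sudo userdel $u)"
    done
    for u in $(nopassword_accounts); do
        echo "HIGH: $u has no password (sudo passwd $u to set one, or sudo passwd -l $u to lock it)"
    done
    for u in $(unlocked_nonexpiring_users); do
        echo "MEDIUM: $u has a password that never expires (sudo chage -M 90 -W 7 $u)"
    done
}

report
```

Run as is, the script prints three findings for the constructed data (toor, bob and alice). The checks read only the two inputs, so the same functions can be pointed at data collected from many hosts without needing sudo on the machine that runs the audit.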
By default, an Oracle Linux 10 system is configured to prevent users from signing in directly as root. If no root password was set during the initial system installation, sign in as a named user and then use either the su or sudo command to perform tasks as the root user, so that the audit and accounting records can trace the original username of any user who performs a privileged administrative action. To grant certain users authority to perform specific administrative tasks by using the sudo command, use the visudo command to configure the /etc/sudoers file; visudo locks the file and checks its syntax before saving, which a plain editor doesn't do.
For example, the following entries grant the user user1 the same privileges
as root when using the sudo command, but define a
limited set of privileges for user2 so that they can run only the commands in the SERVICES and SOFTWARE aliases, here
systemctl, rpm, and
dnf:

```
# Command aliases must be defined before the rules that use them.
# The paths are the standard locations of these commands on Oracle Linux.
Cmnd_Alias SERVICES = /usr/bin/systemctl
Cmnd_Alias SOFTWARE = /usr/bin/rpm, /usr/bin/dnf

user1 ALL=(ALL) ALL
user2 ALL= SERVICES, SOFTWARE
```

Note that an alias containing systemctl, rpm, or dnf still lets user2 start and stop any service and install any package, so the rule limits which commands are run, not what those commands can do. For more information about setting up user accounts and authentication, see Oracle Linux 10: Setting Up System Users and Authentication.
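The following script is an added example, not part of the Oracle Linux guide. It installs the rule above as a drop-in file and enforces the two conditions under which sudo silently ignores such a file: a name containing a dot or tilde (editor backups and package leftovers), and permissions more open than 0440. A temporary directory stands in for /etc/sudoers.d, and the Cmnd_Alias names and command paths are the same assumptions made in the rule above.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux guide): install a sudoers drop-in
# and verify it the way sudo will judge it. $scratch stands in for /etc/sudoers.d.

# The policy: user1 gets full root, user2 gets only the aliased commands.
sudoers_rule() {
    cat <<'EOF'
Cmnd_Alias SERVICES = /usr/bin/systemctl
Cmnd_Alias SOFTWARE = /usr/bin/rpm, /usr/bin/dnf
user1 ALL=(ALL) ALL
user2 ALL= SERVICES, SOFTWARE
EOF
}

# install_rule DIR NAME: write the drop-in the way sudo expects it.
# sudo skips files in sudoers.d whose name contains '.' or '~' and refuses
# files that are writable by group or other, so both conditions are enforced
# here rather than discovered when a rule mysteriously has no effect.
install_rule() {
    dir=$1; name=$2
    case $name in
        *.*|*~*) echo "refusing: sudo would ignore a file named '$name'" >&2; return 1 ;;
    esac
    ( umask 277; sudoers_rule > "$dir/$name" ) || return 1
    chmod 0440 "$dir/$name"
    # Syntax check against this file only, without opening the live policy.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$dir/$name" >/dev/null || { echo "visudo rejected $name" >&2; return 1; }
    fi
}

# file_mode PATH: permission bits in octal (GNU stat first, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-alone run: install into a scratch directory and show the result.
scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT
install_rule "$scratch" 10-ops && echo "installed $scratch/10-ops with mode $(file_mode "$scratch/10-ops")"
cat "$scratch/10-ops"
```

On a real system the target directory is /etc/sudoers.d, the file must be owned by root, and visudo -cf is the check to run before the file goes live; the live /etc/sudoers should still only ever be edited with visudo.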