Checking User Accounts and Privileges

Checking the system for unlocked user accounts is often considered good security practice. For example, you can list the password status of every account with this command:

for u in $(awk -F: '{print $1}' /etc/passwd); do sudo passwd -S "$u"; done | sort

The following output is displayed:

adm LK 2023-03-31 0 99999 7 -1 (Alternate authentication scheme in use.)
bin LK 2023-03-31 0 99999 7 -1 (Alternate authentication scheme in use.)
chrony LK 2023-06-20 -1 -1 -1 -1 (Password locked.)
clevis LK 2023-06-20 -1 -1 -1 -1 (Password locked.)
cockpit-wsinstance LK 2023-06-20 -1 -1 -1 -1 (Password locked.)
cockpit-ws LK 2023-06-20 -1 -1 -1 -1 (Password locked.)
...

In the output from this command, the second field shows whether a user account is locked (LK), has no password (NP), or has a usable password (PS). The third field shows the date on which the user last changed their password. The remaining fields show the minimum age, maximum age, warning period, and inactivity period for the password, followed by extra information about the password's status. The unit of time is days.

You can use the passwd command to set passwords on any accounts that aren't protected.

To lock unused accounts, use the passwd -l command. You can also use the userdel command to remove the accounts entirely.

Caution:

System accounts must be preserved. These are any accounts with user IDs that are less than 1000, and especially any user IDs that are less than 100.

For more information, see the passwd(1) and userdel(8) manual pages.

To specify how users' passwords are aged, edit the settings in the /etc/login.defs file that are described in the following table.

Setting         Description
PASS_MAX_DAYS   Maximum number of days for which a password can be used before it must be changed. The default value is 99,999 days.
PASS_MIN_DAYS   Minimum number of days that's allowed between password changes. The default value is 0 days.
PASS_WARN_AGE   Number of days' warning that's provided before a password expires. The default value is 7 days.

For more information, see the login.defs(5) manual page.

To change the length of time a user's account can be inactive before it's locked, use the usermod command. For example, you would set the inactivity period to 30 days as follows:

sudo usermod -f 30 username

To change the default inactivity period for new user accounts, use the useradd command:

sudo useradd -D -f 30

A value of -1 specifies that user accounts are never locked because of inactivity.

For more information, see the useradd(8) and usermod(8) manual pages.
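The following script is an added example and is not part of the Oracle Linux documentation. It reads the three ageing settings from the table above out of a login.defs file and checks the INACTIVE default that useradd -D prints, reporting each setting that falls outside a policy. The login.defs excerpt and the useradd -D output are constructed inline so the script runs offline; the thresholds (90, 1, 7 and 30 days) are example policy values chosen for the illustration, not values the page prescribes. On a live system, call check_password_ageing with /etc/login.defs and check_inactive_default with the real output of "useradd -D".

```shell
#!/bin/sh
# Added example (not from the Oracle Linux documentation): audit the
# password-ageing defaults in login.defs and the useradd INACTIVE default.

# Example policy thresholds (assumptions for this script, not page values).
MAX_DAYS_LIMIT=90     # PASS_MAX_DAYS must not exceed this
MIN_DAYS_FLOOR=1      # PASS_MIN_DAYS must be at least this
WARN_AGE_FLOOR=7      # PASS_WARN_AGE must be at least this
INACTIVE_LIMIT=30     # INACTIVE must be 0..INACTIVE_LIMIT (never -1)

# Write a constructed login.defs excerpt to a temp file and print its path.
write_sample_login_defs() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed excerpt of /etc/login.defs
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
# PASS_MAX_DAYS 90   <- commented-out line, must be ignored
UID_MIN         1000
EOF
    echo "$f"
}

# Constructed "useradd -D" output (KEY=VALUE lines) with the -1 default.
SAMPLE_USERADD_D='GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes'

# Print the value of one login.defs setting, ignoring comment lines.
# This script takes the last uncommented occurrence; prints nothing if unset.
login_def() {   # $1 = login.defs file, $2 = setting name
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# Compare the three ageing settings with the thresholds. Prints one line per
# violation and returns 1 if any was found, 0 if the file is compliant.
check_password_ageing() {   # $1 = login.defs file
    rc=0
    max=$(login_def "$1" PASS_MAX_DAYS)
    min=$(login_def "$1" PASS_MIN_DAYS)
    warn=$(login_def "$1" PASS_WARN_AGE)
    # Unset settings fall back to the defaults the page's table states.
    if [ "${max:-99999}" -gt "$MAX_DAYS_LIMIT" ]; then
        echo "PASS_MAX_DAYS=${max:-unset(99999)} exceeds $MAX_DAYS_LIMIT"
        rc=1
    fi
    if [ "${min:-0}" -lt "$MIN_DAYS_FLOOR" ]; then
        echo "PASS_MIN_DAYS=${min:-unset(0)} is below $MIN_DAYS_FLOOR"
        rc=1
    fi
    if [ "${warn:-7}" -lt "$WARN_AGE_FLOOR" ]; then
        echo "PASS_WARN_AGE=${warn:-unset(7)} is below $WARN_AGE_FLOOR"
        rc=1
    fi
    return $rc
}

# Extract the INACTIVE value from "useradd -D" style output.
inactive_default() {   # $1 = text of "useradd -D" output
    printf '%s\n' "$1" | awk -F= '$1 == "INACTIVE" { print $2 }'
}

# INACTIVE=-1 means new accounts are never locked for inactivity; flag it,
# along with any value above the limit or a missing value.
check_inactive_default() {   # $1 = text of "useradd -D" output
    v=$(inactive_default "$1")
    if [ -z "$v" ] || [ "$v" -lt 0 ] || [ "$v" -gt "$INACTIVE_LIMIT" ]; then
        echo "INACTIVE=${v:-unset} (want 0..$INACTIVE_LIMIT)"
        return 1
    fi
    return 0
}

# Run the checks against the constructed data.
defs=$(write_sample_login_defs)
check_password_ageing "$defs" || echo "login.defs: policy violations found"
check_inactive_default "$SAMPLE_USERADD_D" || echo "useradd -D: policy violation"
rm -f "$defs"
```

With the constructed data the script reports PASS_MAX_DAYS and PASS_MIN_DAYS as violations and flags INACTIVE=-1; PASS_WARN_AGE=7 passes. Note that login.defs only affects accounts created after the change; existing accounts keep the ageing values recorded in /etc/shadow, which is why the passwd -S listing earlier on the page is the check to run for accounts that already exist.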

To verify that no user accounts other than root have a user ID of 0, you would use the following command:

sudo awk -F":" '$3 == 0 { print $1 }' /etc/passwd

The following is the output of the previous command:

root
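The script below is an added example, not code from the Oracle Linux documentation. It turns the two manual checks on this page, the passwd -S listing at the top and the UID 0 check just above, into functions that run over a passwd file and a saved passwd -S listing and print one finding per line: non-root accounts with UID 0, accounts with no password (NP), and unlocked regular accounts (UID 1000 or higher) whose maximum password age is still the 99999-day default. The account names, UIDs and dates are constructed so the script runs offline; on a live system pass /etc/passwd and the output of the page's for loop (saved to a file) instead.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux documentation): audit a passwd
# file together with the matching "passwd -S" listing.

# Write constructed sample data to a temp directory and print its path.
# The "backdoor" and "bob" accounts are deliberately bad examples.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
chrony:x:990:986::/var/lib/chrony:/sbin/nologin
backdoor:x:0:0::/home/backdoor:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc-legacy:x:1002:1002::/home/svc-legacy:/bin/bash
EOF
    cat > "$dir/status" <<'EOF'
root PS 2023-06-20 0 99999 7 -1 (Password set, SHA512 crypt.)
bin LK 2023-03-31 0 99999 7 -1 (Alternate authentication scheme in use.)
chrony LK 2023-06-20 -1 -1 -1 -1 (Password locked.)
backdoor PS 2023-06-20 0 99999 7 -1 (Password set, SHA512 crypt.)
alice PS 2023-06-20 0 99999 7 -1 (Password set, SHA512 crypt.)
bob NP 2023-06-20 0 99999 7 -1 (Empty password.)
svc-legacy LK 2023-06-20 0 99999 7 -1 (Password locked.)
EOF
    echo "$dir"
}

# Non-root accounts with UID 0: the page's awk check, excluding root itself
# so the output is empty on a healthy system.
uid0_accounts() {   # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose second "passwd -S" field is NP (no password set).
nopassword_accounts() {   # $1 = status file
    awk '$2 == "NP" { print $1 }' "$1"
}

# Regular accounts (UID >= 1000) that are unlocked (PS) and whose maximum
# password age (fifth "passwd -S" field) is the 99999-day default, so the
# password never expires. The passwd file is read first to learn the UIDs.
nonexpiring_accounts() {   # $1 = passwd file, $2 = status file
    awk -F: 'NR == FNR { if ($3 >= 1000) regular[$1] = 1; next }
             { split($0, f, " ")
               if (f[1] in regular && f[2] == "PS" && f[5] == 99999) print f[1] }' \
        "$1" "$2"
}

# Combined report: one tagged line per finding.
audit() {   # $1 = passwd file, $2 = status file
    uid0_accounts "$1"             | sed 's/^/UID0 /'
    nopassword_accounts "$2"       | sed 's/^/NOPASS /'
    nonexpiring_accounts "$1" "$2" | sed 's/^/NOEXPIRE /'
}

# Run against the constructed data and clean up.
samples=$(write_samples)
audit "$samples/passwd" "$samples/status"
rm -rf "$samples"
```

On the constructed data the report is "UID0 backdoor", "NOPASS bob" and "NOEXPIRE alice". Each finding maps to an action the page already describes: a second UID 0 account is removed with userdel after confirming what created it, an NP account gets a password set with passwd or is locked with passwd -l, and a non-expiring password is given a maximum age (chage -M, or PASS_MAX_DAYS for future accounts).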

If you install software that creates a default user account and password, it's considered good security practice to change the vendor's default password immediately. An LDAP implementation such as OpenLDAP can centralize user authentication and management tasks, and also reduce the risks arising from unused accounts or accounts without a password.

By default, an Oracle Linux 9 system is configured to prevent users from logging in directly as root. You must log in as a named user before using either the su or sudo command to perform tasks as the root user so that system accounting can trace the original username of any user who performs a privileged administrative action. To grant certain users authority to perform specific administrative tasks by using the sudo command, use the visudo command to configure the /etc/sudoers file.

For example, the following entries grant the user user1 the same privileges as root when using the sudo command, but grant user2 only a limited set of privileges so that they can run commands such as systemctl, rpm, and dnf:

user1           ALL=(ALL)       ALL
user2           ALL= SERVICES, SOFTWARE
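The fragment below is an added example drop-in file, not part of the Oracle Linux documentation, showing what the user2 entry above depends on: SERVICES and SOFTWARE are Cmnd_Alias names, and they must be defined before a rule references them (the sudoers file shipped with the sudo package typically lists these aliases only as commented-out examples, and visudo -c reports an alias that is referenced but not defined). The command paths are assumed for Oracle Linux 9 and should be confirmed with "command -v" on the target system; the file name ops-delegation is an assumption.

```sudoers
## Added example: /etc/sudoers.d/ops-delegation (mode 0440). Edit it with
## "visudo -f /etc/sudoers.d/ops-delegation", which syntax-checks on save.

# Command aliases referenced by the user2 rule. Paths are assumptions for
# Oracle Linux 9; verify them with "command -v systemctl rpm dnf".
Cmnd_Alias SERVICES = /usr/bin/systemctl
Cmnd_Alias SOFTWARE = /usr/bin/rpm, /usr/bin/dnf

# Full root equivalence, as in the page's user1 entry.
user1   ALL=(ALL)       ALL

# Delegated operations only. The target user defaults to root when no
# "(user)" list is given, so this is equivalent to the page's entry.
# sudo logs every invocation with the calling user's name, which keeps the
# accounting trail the page describes.
user2   ALL=(root)      SERVICES, SOFTWARE
```

Two points to check before relying on such a rule: package management commands can install arbitrary software, so a user who may run rpm or dnf as root should be treated as root-equivalent for risk purposes, and an alias such as SERVICES that names systemctl without restricting its arguments also allows systemctl to start, stop or mask any unit.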

For more information about setting up user accounts and authentication, see Oracle Linux 9: Setting Up System Users and Authentication.