Account and Access Control

Post date: Oct 10, 2012 2:25:45 PM

Greenplum recommends taking the following steps to limit the ability of unauthorized users to gain shell access to privileged accounts. As a matter of best practices, direct root logins should be allowed only for emergency use and for maintenance or upgrade operations. For normal operations, the administrator should access the system as a unique unprivileged account and use su or sudo to execute privileged commands. This improves accountability by ensuring all actions of the administrator are audited.

1.Restrict root logins to system console

Verify that the file /etc/security only contains the following entries:

The primary system console device: console

The virtual console devices: tty1, tty2,...

The deprecated virtual console interface may be retained for backward compatibility: vc/1, vc/2,...

The serial consoles may be added: ttyS0, ttyS1

2.Block shell and login access for non-root system accounts

System accounts are not associated with a human user of the system, typically with UID < 500, and exist to perform some administrative tasks. These accounts should be locked and access to shell restricted to prevent unauthorized users from gaining access to the shell through these accounts.

To find all the accounts, UIDs, and shells, run the following command:

awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd

Identify all the system accounts, UID < 500, and ensure the accounts are locked and the shells are set to either /sbin/nologin or an invalid value.

For the system accounts identified, lock the account and set the shell to /sbin/nologin.

usermod -L {system account}

usermod -s /sbin/nologin {system account}

3.Limit su access to the root account

Ensure the group wheel exists and the usernames of all administrators who should be allowed to execute commands as root are members of that group.

grep ^wheel /etc/group

Edit the file /etc/pam.d/su to uncomment the line corresponding to the pam_wheel.so module to require a user to be in the wheel group.

auth required pam_wheel.so use_uid

4.Configure sudo to improve auditing of root access

Edit the file /etc/sudoers to uncomment the line: %wheel ALL=(ALL) ALL

5.Verify all accounts have password fields

That is, no account can have an empty password field.

awk -F: '($2 == "") {print}' /etc/shadow

Lock any account that is output on running this command.

6.Verify all account password hashes are shadowed

Verify there are no passwords stored in /etc/passwd,

awk -F: '($2 != "x") {print}' /etc/passwd

7.Verify no non-root accounts have UID 0

Verify there is only one password entry for UID 0, which is for the root account. Delete any additional entries that might be listed by running this command.

awk -F: '($3 == "0") {print}' /etc/passwd

8.Ensure user home directories are not group-writable or world-readable

Verify for each user account, the user's home directory is not SER of the system; verify the permissions of the user's home directory are neither group-writable nor world-readable. No user should ever have write permission to another user's home directory. Group shared directories can be configured in subdirectories or elsewhere in the filesystem if they are needed.

9.Ensure user dot-files are not world-writable

For each human user of the system, view the permissions of all dot-files in the user's home directory.

10.Ensure users have sensible umask values

Edit the global configuration files /etc/profile, /etc/bashrc, and /etc/csh.cshrc. Add or correct the line: umask 077

Edit the user definitions file /etc/login.defs. Add or correct the line: UMASK 077.

View the additional configuration files /etc/csh.login and /etc/profile.d/*, and ensure none of these files redefine the umask to a more permissive value unless there is a good reason for it.