Linux User Account Security Best Practices
April 17, 2024
linux security user-management
Disclaimer: The examples, configurations, and code snippets provided in this article are for educational purposes only. While we strive for accuracy, there is no guarantee these will work in your specific environment. Always test configurations in a safe environment first and adapt them to your specific needs and security requirements.
Password Policies
Setting Up Strong Password Requirements
# Edit PAM configuration
sudo nano /etc/pam.d/common-password
# Add these parameters
password requisite pam_pwquality.so retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
Password Aging Configuration
# Edit login.defs
sudo nano /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 14
Sudo Configuration
Principle of Least Privilege
# Create specific sudo rules
sudo visudo -f /etc/sudoers.d/custom
# Example: Allow user to restart only a specific service, and only as root
username ALL=(root) /bin/systemctl restart nginx.service
User Account Auditing
Regular Audit Tasks
# List all users with login privileges
grep -v '/nologin\|/false' /etc/passwd
# Check for users with empty passwords
sudo awk -F: '($2 == "") {print}' /etc/shadow
# Review sudo privileges, including drop-in files under /etc/sudoers.d
sudo grep -rv '^#' /etc/sudoers /etc/sudoers.d/
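The audit commands above, combined into one script as an added example (not from the original article), with an extra check for accounts whose maximum password age in /etc/shadow exceeds the PASS_MAX_DAYS value of 90, since login.defs applies only to accounts created after the change. The function names and the sample accounts are constructed for illustration, and the login-shell filter matches on the shell field only.

```shell
# Added example: account audit whose checks can be tested offline.
# File paths are parameters; defaults are the live files (shadow needs root).

# Accounts whose login shell (field 7) is not nologin or false.
login_users() {
    awk -F: '$7 !~ /(nologin|false)$/ {print $1}' "${1:-/etc/passwd}"
}

# Accounts with an empty password field in shadow.
empty_password_users() {
    awk -F: '$2 == "" {print $1}' "${1:-/etc/shadow}"
}

# Accounts with a usable password hash whose maximum age (shadow field 5)
# is unset or larger than the limit (default 90, matching PASS_MAX_DAYS).
aging_violations() {
    awk -F: -v max="${2:-90}" '
        $2 ~ /^[!*]/ || $2 == "" {next}   # skip locked, no-password and empty entries
        $5 == "" || $5+0 > max+0 {print $1 ":" ($5 == "" ? "unset" : $5)}
    ' "${1:-/etc/shadow}"
}

# Constructed sample data (not real accounts or hashes) for a dry run.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/sh
svc:x:998:998::/nonexistent:/bin/false
EOF
    cat > "$1/shadow" <<'EOF'
root:$y$j9T$constructed$hash:19800:0:99999:7:::
www-data:*:19700:0:99999:7:::
alice:$y$j9T$constructed$hash:19830:7:90:14:::
bob::19830:0:99999:7:::
svc:!:19700::::::
EOF
}

# Dry run on the constructed data when invoked with the argument "demo".
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    login_users "$d/passwd"; empty_password_users "$d/shadow"; aging_violations "$d/shadow" 90
    rm -rf "$d"
fi
```

Accounts reported by aging_violations can be brought in line with the policy using chage -M 90 followed by the account name.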
Setting Up Audit Logging
# Install auditd
sudo apt install auditd
# Configure user monitoring
sudo nano /etc/audit/rules.d/user-monitoring.rules
-w /etc/passwd -p wa -k user-modify
-w /etc/group -p wa -k group-modify