Linux User Account Security Best Practices

April 17, 2024
linux security user-management

Password Policies

Setting Up Strong Password Requirements

# Edit PAM configuration
sudo nano /etc/pam.d/common-password

# Add these parameters
password requisite pam_pwquality.so retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1

Password Aging Configuration

# Edit login.defs
sudo nano /etc/login.defs

PASS_MAX_DAYS   90
PASS_MIN_DAYS   7
PASS_WARN_AGE   14

Sudo Configuration

Principle of Least Privilege

# Create specific sudo rules
sudo visudo -f /etc/sudoers.d/custom

# Example: allow a user to restart only one specific service, and only as root
username ALL=(root) /bin/systemctl restart nginx.service

User Account Auditing

Regular Audit Tasks

# List all users with login privileges
grep -v '/nologin\|/false' /etc/passwd

# Check for users with empty passwords
sudo awk -F: '($2 == "") {print}' /etc/shadow

# Review sudo privileges, including the drop-in files under /etc/sudoers.d
sudo grep -rv '^#' /etc/sudoers /etc/sudoers.d/
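
Added example (not part of the original post): the login.defs aging values above are only applied when an account is created, so existing accounts have to be checked separately. This script audits passwd- and shadow-format files for empty passwords and for login accounts whose aging fields are weaker than the 90/7/14 policy. The names audit_accounts and write_sample, the output labels, and the sample accounts are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. audit_accounts, write_sample and the
# output labels are hypothetical names. Thresholds default to the login.defs values above.

audit_accounts() {   # usage: audit_accounts PASSWD_FILE SHADOW_FILE [MAX [MIN [WARN]]]
    awk -F: -v max="${3:-90}" -v min="${4:-7}" -v warn="${5:-14}" '
        # Pass 1 (passwd format): remember accounts with an interactive shell.
        FILENAME == ARGV[1] { if ($7 !~ /(nologin|false)$/) login[$1] = 1; next }
        # Pass 2 (shadow format): field 2 hash, 4 min days, 5 max days, 6 warn days.
        $2 == ""               { print "EMPTY_PASSWORD " $1 }
        !($1 in login)         { next }
        $2 ~ /^[!*]/           { next }   # locked or password-less: aging does not apply
        $5 == "" || $5+0 > max { print "MAX_DAYS " $1 " " ($5 == "" ? "unset" : $5) }
        $4+0 < min             { print "MIN_DAYS " $1 " " ($4 == "" ? "unset" : $4) }
        $6+0 < warn            { print "WARN_AGE " $1 " " ($6 == "" ? "unset" : $6) }
    ' "$1" "$2"
}

# Constructed sample data (fake accounts, placeholder hashes) so the script runs offline.
write_sample() {     # usage: write_sample DIR
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
svc:x:1003:1003::/home/svc:/bin/false
EOF
    cat > "$1/shadow" <<'EOF'
root:!:19800:0:99999:7:::
www-data:*:19800:0:99999:7:::
alice:$6$constructed$hash:19800:7:90:14:::
bob:$6$constructed$hash:19800:0:99999:7:::
carol::19800:7:90:14:::
svc::19800:0:99999:7:::
EOF
}

sample_dir=$(mktemp -d)
write_sample "$sample_dir"
audit_accounts "$sample_dir/passwd" "$sample_dir/shadow"
rm -rf "$sample_dir"
```

On a live system, call audit_accounts /etc/passwd /etc/shadow as root; any MAX_DAYS, MIN_DAYS or WARN_AGE line names an account that predates the policy and can be brought in line with chage.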

Setting Up Audit Logging

# Install auditd
sudo apt install auditd

# Configure user monitoring
sudo nano /etc/audit/rules.d/user-monitoring.rules

-w /etc/passwd -p wa -k user-modify
-w /etc/group -p wa -k group-modify