Presentation is loading. Please wait.

Presentation is loading. Please wait.

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 2 Manage User Access and Security.

Similar presentations


Presentation on theme: "SUSE Linux Enterprise Server Administration (Course 3037) Chapter 2 Manage User Access and Security."— Presentation transcript:

1 SUSE Linux Enterprise Server Administration (Course 3037) Chapter 2 Manage User Access and Security

2 SUSE Linux Enterprise Server Administration (Course 3037)2 Objectives Describe Basic Linux User Security Features Manage Linux Users and Groups Manage and Secure the Linux User Environment

3 SUSE Linux Enterprise Server Administration (Course 3037)3 Objectives (continued) Secure Files and Directories with Permissions Configure User Authentication with PAM Implement and Monitor Enterprise Security Policies

4 SUSE Linux Enterprise Server Administration (Course 3037)4 Describe Basic Linux User Security Features Maintaining a secure environment includes –File System Security Components –Users and Groups –Ownership and Access Permissions

5 SUSE Linux Enterprise Server Administration (Course 3037)5 File System Security Components Types of components –Users –Groups –Ownerships –Permission

6 SUSE Linux Enterprise Server Administration (Course 3037)6 Users and Groups Users and Group ID numbers –user ID (UID) Assigned to each user –group ID (GID) Users are usually included in the group users –Command id Displays user’s UID and the groups she is assigned –Command groups Displays groups of which a user is a member –Command finger Displays additional information about local users

7 SUSE Linux Enterprise Server Administration (Course 3037)7 Users and Groups (continued) Regular vs. System users –Regular users Allow employees to log in to the Linux environment –System users Used by services, utilities, and other applications to run effectively on the server Public vs. Private group schemes –Private scheme User is assigned his own group that he can manage –Public scheme User is assigned to a general, public group

8 SUSE Linux Enterprise Server Administration (Course 3037)8 Users and Groups (continued) User accounts and home directories –Each user has a user account Identified by a login name and a personal password –Each user has her own directory In the directory /home/ Root account has its own home directory in /root/ User and group configuration files –/etc/passwd –/etc/shadow –/etc/group

9 SUSE Linux Enterprise Server Administration (Course 3037)9 Users and Groups (continued)

10 SUSE Linux Enterprise Server Administration (Course 3037)10 Users and Groups (continued) /etc/passwd –Stores information for each user /etc/shadow –Stores encrypted user passwords and password expiration information /etc/group –Stores group information

11 SUSE Linux Enterprise Server Administration (Course 3037)11 Users and Groups (continued)

12 SUSE Linux Enterprise Server Administration (Course 3037)12 Users and Groups (continued)

13 SUSE Linux Enterprise Server Administration (Course 3037)13 Users and Groups (continued)

14 SUSE Linux Enterprise Server Administration (Course 3037)14 Users and Groups (continued) How to check /etc/passwd and /etc/shadow –tail command Used to view the contents of both files at once –pwconv command Corrects discrepancies in both files –pwck command Similar to pwconv

15 SUSE Linux Enterprise Server Administration (Course 3037)15 Exercise 2-1 Check User and Group Information on Your Server In this exercise you will check the user and group information on your SLES 9 server

16 SUSE Linux Enterprise Server Administration (Course 3037)16 Ownership and Access Permissions Each file and directory is assigned access permissions Permissions determine level of access –For each user Permissions are assigned at 3 levels –Owner –Group –Other

17 SUSE Linux Enterprise Server Administration (Course 3037)17 Manage Linux Users and Groups Tasks include –Create and Edit User Accounts with YaST –Create and Edit Groups with YaST –Edit User Account Properties –Configure Account Password Settings –Manage User Accounts from the Command Line –Manage Groups from the Command Line –Create Text Login Messages

18 SUSE Linux Enterprise Server Administration (Course 3037)18 Create and Edit User Accounts with YaST Use Edit and Create Users module in YaST –To create, edit, and delete Linux user accounts Steps –Start YaST Edit and Create users module –Select Set Filter –Create a new user account or edit an existing one –Enter or edit information –Save settings –Configure your server with the new settings

19 SUSE Linux Enterprise Server Administration (Course 3037)19 Create and Edit User Accounts with YaST (continued)

20 SUSE Linux Enterprise Server Administration (Course 3037)20 Create and Edit User Accounts with YaST (continued)

21 SUSE Linux Enterprise Server Administration (Course 3037)21 Create and Edit Groups with YaST Use Edit and Create groups module in YaST –To create, edit, and delete Linux groups Steps –Start YaST Edit and Create groups module –Select Set Filter –Create a new group or edit an existing one –Enter or edit information –Return to the Group Administration dialog box –Configure your server with the new settings

22 SUSE Linux Enterprise Server Administration (Course 3037)22 Create and Edit Groups with YaST (continued)

23 SUSE Linux Enterprise Server Administration (Course 3037)23 Create and Edit Groups with YaST (continued)

24 SUSE Linux Enterprise Server Administration (Course 3037)24 Edit User Account Properties Use YaST –To edit user account properties Steps –Start YaST Edit and Create users module –Select the user account to modify –Edit user account properties –Enter or edit information –Continue by selecting Next –Save the configuration

25 SUSE Linux Enterprise Server Administration (Course 3037)25 Edit User Account Properties (continued)

26 SUSE Linux Enterprise Server Administration (Course 3037)26 Configure Account Password Settings Use YaST –To configure password settings Steps –Start YaST Edit and Create users module –Select the user account to modify –Select Password Settings –Enter or edit information –Save the configuration

27 SUSE Linux Enterprise Server Administration (Course 3037)27 Configure Account Password Settings (continued)

28 SUSE Linux Enterprise Server Administration (Course 3037)28 Manage User Accounts from the Command Line You must be logged as root user Commands –useradd Creates a new user account –userdel Deletes an existing user account –usermod Modifies settings for an existing account –passwd Changes a user’s password

29 SUSE Linux Enterprise Server Administration (Course 3037)29 Manage Groups from the Command Line You must be logged as root user Commands –groupadd Creates a new group –groupdel Deletes an existing group –groupmod Modifies settings for an existing group

30 SUSE Linux Enterprise Server Administration (Course 3037)30 Create Text Login Messages Text login messages –Useful for displaying information when a user logs in Files –/etc/issue Contains initial message for users logging into the system –/etc/motd Contains initial message of the day

31 SUSE Linux Enterprise Server Administration (Course 3037)31 Exercise 2-2 Create and Manage Users and Groups from the Command Line In this exercise you will set up your SLES 9 server with user accounts and groups –To help train the database administrators in your Digital Airlines office

32 SUSE Linux Enterprise Server Administration (Course 3037)32 Manage and Secure the Linux User Environment Tasks involved –Perform Administrative Tasks as root –Delegate Administrative Tasks with sudo –Set Defaults for New User Accounts –Configure Security Settings

33 SUSE Linux Enterprise Server Administration (Course 3037)33 Perform Administrative Tasks as root Switch to another user with su –Assume the UID of root or of other users –Syntax su [options]...[-] [user[argument]] –To change to the user root and execute a single command You can use the option -c Switch to another group with newgrp –Users can have only one effective group at a time –Commands newgrp or sg Change the effective group GID

34 SUSE Linux Enterprise Server Administration (Course 3037)34 Perform Administrative Tasks as root (continued) Start Programs as Another User from KDE –In KDE you can start any program with a different UID As long as you know the password

35 SUSE Linux Enterprise Server Administration (Course 3037)35 Perform Administrative Tasks as root (continued)

36 SUSE Linux Enterprise Server Administration (Course 3037)36 Delegate Administrative Tasks with sudo Command sudo –Enables a command to be run by a normal user File /etc/sudoers –Specifies which commands a user can or cannot enter –Modify it by using the command visudo –Lines 1 to 9 define aliases –Lines 14 to 17 show how aliases can be used in actual rules

37 SUSE Linux Enterprise Server Administration (Course 3037)37 Delegate Administrative Tasks with sudo (continued)

38 SUSE Linux Enterprise Server Administration (Course 3037)38 Set Defaults for New User Accounts Use YaST to select default settings –To be applied to new user accounts Enter or edit the following information –Default group –Secondary groups –Default Login shell –Default home –Skeleton directory –Default expiration date –Days after password expiration Login is usable

39 SUSE Linux Enterprise Server Administration (Course 3037)39 Set Defaults for New User Accounts (continued)

40 SUSE Linux Enterprise Server Administration (Course 3037)40 Configure Security Settings Preset security settings –Level 1 (Home Workstation) –Level 2 (Networked Workstation) –Level 3 (Network Server) You can also create your own configuration Password settings –Checking new passwords –Plausibility test for passwords –Password encryption method DES MD5 Blowfish

41 SUSE Linux Enterprise Server Administration (Course 3037)41 Configure Security Settings (continued)

42 SUSE Linux Enterprise Server Administration (Course 3037)42 Configure Security Settings (continued) Password settings –Number of significant characters in the password –Minimum acceptable password length –Days to password change warning –Days before password expires warning Boot settings –Interpretation of Ctrl + Alt + Del –Shutdown behavior of KDM

43 SUSE Linux Enterprise Server Administration (Course 3037)43 Configure Security Settings (continued)

44 SUSE Linux Enterprise Server Administration (Course 3037)44 Configure Security Settings (continued)

45 SUSE Linux Enterprise Server Administration (Course 3037)45 Configure Security Settings (continued) Login settings –Delay after incorrect login attempt –Record failed login attempts –Record successful login attempts –Allow remote graphical login Adding user settings –User ID limitations –Group ID limitations

46 SUSE Linux Enterprise Server Administration (Course 3037)46 Configure Security Settings (continued)

47 SUSE Linux Enterprise Server Administration (Course 3037)47 Configure Security Settings (continued)

48 SUSE Linux Enterprise Server Administration (Course 3037)48 Configure Security Settings (continued) Miscellaneous global settings –Setting of file permissions Easy Secure Paranoid –User launching updatedb –Current directory in root’s path –Current directory in the path of regular users –Enable magic SysRq keys

49 SUSE Linux Enterprise Server Administration (Course 3037)49 Configure Security Settings (continued)

50 SUSE Linux Enterprise Server Administration (Course 3037)50 Exercise 2-3 Configure the Password Security Settings In this exercise you will configure the password security settings

51 SUSE Linux Enterprise Server Administration (Course 3037)51 Secure Files and Directories with Permissions To set permissions for files and directories, you need to know the following: –Permissions and Permission Values –How to Set Permissions from the Command Line –How to Set Permissions from a GUI Interface –How to Modify Default Access Permissions –How to Configure Special File Permissions –How to Configure Additional File Attributes for ext2

52 SUSE Linux Enterprise Server Administration (Course 3037)52 Permissions and Permission Values Permissions to a file or directory –Read (r) –Write (w) –Execute (x) Use command ls –l –To display contents of current directory With assigned permissions for each file or subdirectory Use Detailed List View in Konqueror –To view permissions, owner, and group for each directory or file

53 SUSE Linux Enterprise Server Administration (Course 3037)53 Permissions and Permission Values (continued)

54 SUSE Linux Enterprise Server Administration (Course 3037)54 Permissions and Permission Values (continued)

55 SUSE Linux Enterprise Server Administration (Course 3037)55 How to Set Permissions from the Command Line chmod –Used to add, remove, or assign permissions assigned to a file or directory –Both the owner of a file and root can use this command –Can be used recursively –Supports letters rwx to indicate permissions You can also use groups of numbers

56 SUSE Linux Enterprise Server Administration (Course 3037)56 How to Set Permissions from the Command Line (continued)

57 SUSE Linux Enterprise Server Administration (Course 3037)57 How to Set Permissions from the Command Line (continued)

58 SUSE Linux Enterprise Server Administration (Course 3037)58 How to Set Permissions from the Command Line (continued)

59 SUSE Linux Enterprise Server Administration (Course 3037)59 How to Set Permissions from the Command Line (continued) chown and chgrp – Change the owner or group assigned to a file or directory –chown syntax chown new_user.new_group file chown new_user file chown.new_group file –chgrp syntax chgrp.new_group file

60 SUSE Linux Enterprise Server Administration (Course 3037)60 How to Set Permissions from a GUI Interface You can use Konqueror in KDE to change permissions Steps –Start Konqueror –Right-click the file or directory to modify Then select Properties –Select the Permissions tab –Modify permissions and ownership –Modify individual permissions (optional) –Save configuration

61 SUSE Linux Enterprise Server Administration (Course 3037)61 How to Set Permissions from a GUI Interface (continued)

62 SUSE Linux Enterprise Server Administration (Course 3037)62 How to Set Permissions from a GUI Interface (continued)

63 SUSE Linux Enterprise Server Administration (Course 3037)63 How to Modify Default Access Permissions Default settings –Files are created with access mode 666 –Directories are created with access mode 777 Command umask –Used to modify access mode settings Make the umask setting permanent –Change the value of umask in /etc/profile file

64 SUSE Linux Enterprise Server Administration (Course 3037)64 How to Modify Default Access Permissions (continued)

65 SUSE Linux Enterprise Server Administration (Course 3037)65 How to Modify Default Access Permissions (continued)

66 SUSE Linux Enterprise Server Administration (Course 3037)66 How to Configure Special File Permissions Sticky bit –Use chmod to modify it SUID or SGID attributes –Programs are carried out with privileges the owner or the group have

67 SUSE Linux Enterprise Server Administration (Course 3037)67 How to Configure Special File Permissions (continued)

68 SUSE Linux Enterprise Server Administration (Course 3037)68 How to Configure Additional File Attributes in ext2 Additional file permissions have been included in ext2 –And are also available in ext3 Command chattr –Used to set ext2 attributes Command lsattr –Used to display ext2 attributes

69 SUSE Linux Enterprise Server Administration (Course 3037)69 How to Configure Additional File Attributes in ext2 (continued)

70 SUSE Linux Enterprise Server Administration (Course 3037)70 How to Configure Additional File Attributes in ext2 (continued)

71 SUSE Linux Enterprise Server Administration (Course 3037)71 How to Configure Additional File Attributes in ext2 (continued)

72 SUSE Linux Enterprise Server Administration (Course 3037)72 Exercise 2-4 Set Permissions for Files and Directories from the Command Line In this exercise you will set permissions for files and directories –From the command line

73 SUSE Linux Enterprise Server Administration (Course 3037)73 Configure User Authentication with PAM PAM (Pluggable Authentication Modules) –Used by Linux in the authentication process As a layer that communicates between users and applications –Lets you configure and change authentication methods Between users and individual applications

74 SUSE Linux Enterprise Server Administration (Course 3037)74 Location and Purpose of PAM Configuration Files PAM provides a variety of modules Configuration files location –/etc/pam.d/program_name Global configuration files directory –/etc/security

75 SUSE Linux Enterprise Server Administration (Course 3037)75 Location and Purpose of PAM Configuration Files (continued)

76 SUSE Linux Enterprise Server Administration (Course 3037)76 PAM Configuration File Structure

77 SUSE Linux Enterprise Server Administration (Course 3037)77 PAM Configuration File Examples pam_securetty.so –Determines which terminal can be regarded as secure –User root can log in only at these terminals pam_nologin.so –Use this module to prevent users from logging into the system

78 SUSE Linux Enterprise Server Administration (Course 3037)78 PAM Documentation Resources PAM documentation is available in directory /usr/share/doc –READMEs –The Linux-PAM System Administrators’ Guide –The Linux-PAM Module Writers’ Manual –The Linux-PAM Application Developers’ Guide

79 SUSE Linux Enterprise Server Administration (Course 3037)79 Exercise 2-5 Configure PAM Authentication for Digital Airlines Employees In this exercise, you perform tests that prevent all normal users from logging in –To see how PAM is used by the system

80 SUSE Linux Enterprise Server Administration (Course 3037)80 Implement and Monitor Enterprise Security Policies Objectives –Guidelines for Implementing Security Policies –Security Rules and Tips –SuSE Security Information Resources –How to Monitor Login Activity

81 SUSE Linux Enterprise Server Administration (Course 3037)81 Guidelines for Implementing Security Policies Local security and user accounts –Main goal of local security Keep users separate from each other –Linux password encryption Password are stored encrypted Each time it is entered, it is encrypted again –Encrypted passwords are compared –Boot procedure protection Prevents system from booting using a floppy disk or CD –File permission configuration Always work with the most restrictive privileges possible for a given task

82 SUSE Linux Enterprise Server Administration (Course 3037)82 Guidelines for Implementing Security Policies (continued) Local security and user accounts (continued) –File permission configuration (continued) Special permission files in directory /etc/ –permissions –permissions.easy –permissions.secure –permissions.paranoid –Network security and local security Network security –Protects a network from an attack that is started outside Login procedure is still a local security issue

83 SUSE Linux Enterprise Server Administration (Course 3037)83 Security Rules and Tips Rules and tips –Use most restrictive set of permissions possible –Use encrypted connections for a remote machine –Avoid authentication based on IP addresses alone –Keep network-related packages up-to-date –Disable any network services you do not require –Verify the integrity of any SUSE RPM package –Check backups of user and system files regularly –Check your log files –Use SUSEfirewall –Design your security measures to be redundant

84 SUSE Linux Enterprise Server Administration (Course 3037)84 SUSE Security Information Resources Install updated packages –Recommended by security announcements SUSE security announcements –Published on a mailing list –You can subscribe by using the following link: www.suse.de/security Other resources –suse-securityannounce@suse.de list –suse-security@suse.de mailing list –bugtraq@securityfocus.com

85 SUSE Linux Enterprise Server Administration (Course 3037)85 How to Monitor Login Activity who command –Shows who is currently logged in to the system And information such as the time of the last login w command –Displays information about the users currently on the machine and their processes finger command –Displays information about local and remote system users

86 SUSE Linux Enterprise Server Administration (Course 3037)86 How to Monitor Login Activity (continued) last command –Displays a listing of the last logged-in users lastlog command –Formats and prints the contents of the last login log file (/var/log/lastlog) faillog –Formats and displays the contents of the failure log (/var/log/faillog) –Maintains failure counts and limits

87 SUSE Linux Enterprise Server Administration (Course 3037)87 Exercise 2-6 Change the Security Settings SUSE provides configuration files for locking down your system From a files perspective, there are three settings: easy, secure, and paranoid In this exercise, you change to the paranoid setting and observe the impact on the system

88 SUSE Linux Enterprise Server Administration (Course 3037)88 Summary Each user has a UID and a primary GID Linux systems store user information in /etc/passwd –And password information in /etc/shadow Group information is stored in the /etc/group file User and group commands –useradd, usermod, userdel –groupadd, groupmod, groupdel passwd command –Used to change user account passwords, lock user accounts, and control password expiry settings

89 SUSE Linux Enterprise Server Administration (Course 3037)89 Summary (continued) su and newgrp commands –Used to change current UID and GID sudo command –Grants rights to run certain commands as other users Security Settings module in YaST –Used to configure default security-related settings You can assign read, write, and execute permissions to files and directories chmod, chown, and chgrp commands –Used to change permissions on files and directories

90 SUSE Linux Enterprise Server Administration (Course 3037)90 Summary (continued) New files and directories receive default permissions chattr and lsattr commands –Change and list file attributes PAM provides an extra layer of security –Between applications and system files –Uses modules that determine access restrictions Security policies –Provide for standardized security within an organization


Download ppt "SUSE Linux Enterprise Server Administration (Course 3037) Chapter 2 Manage User Access and Security."

Similar presentations


Ads by Google