OSP201 Open Source Platform and Network Administration

LAB 3
Hardening Security with User Account Management and Security Controls
Objective of LAB3:
 Configure a password policy by editing the /etc/login.defs file and
implementing
 stringent password security measures on a CentOS Linux Server
 Enforce a password change every 60 days showing a warning 14 days prior to
the password’s expiration across the system for all users
 Configure a minimum password length of eight characters with stringent
complexity requirements
 Create users and groups with the proper permissions and restrictions to enforce
role-based access controls
 Create a temporary user account that expires in 90 days to enforce the proper
principle of least privilege with contractors and temporary workers/consultants

A. Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:

 Lab Report file including screen captures of the following steps:

o Part 1, Step 6;
o Part 2, Step 3;
o Part 3, Step 3;
o Part 4: Step 6;
o Part 5: Step 4;
 Lab Assessments file.
 Optional: Challenge Questions file, if assigned by your instructor.

B. Hand-on Steps
I. Part 1: Establish System Password Controls
1. Open the CentOS virtual machine.
2. At the command prompt, type sudo vi /etc/login.defs and press Enter to load the grub
configuration file into the vi Editor.
3. Press the i key to enter the Insert mode.
4. Use the arrow keys to locate the Password aging controls section of the file.

Lab3 [email protected] Page 1 of 3

OSP201 Open Source Platform and Network Administration

5. Edit the password aging controls section to match the following definition:
 PASS_MAX_DAYS 60
 PASS_MIN_DAYS 0
 PASS_MIN_LEN 8
 PASS_WARN_AGE 14
6. Make a screen capture showing your changes in the vi Editor window and paste it into the Lab
Report File.

7. Press the Esc key to exit the Insert mode.

8. Type :x and press Enter to save your changes and exit the vi Editor.

II. Part 2: Create User Account

1. Using the useradd command to create some user account:
 dbadmin1
 dbadmin2
 webadmin1
 webadmin2
2. using the passwd to set the password for all users on above.
3. Type: tail /etc/passwd and capture full screen and paste into Lab Report file.

III. Part 3: Manage Security Group

1. Using groupadd command to create groups as below:
 dba
 web
2. using usermod command to add:
 user “dbadmin1” to group “dba”.
 user “dbadmin2” to group “dba”.
 user “webadmin1” to group “web”.
 user “webadmin2” to group “web”.
3. Type: groups webadmin2 and capture full screen and paste it into Lab Report file.

IV. Part 4: Manage temporary user account

1. Create a new user “jtemp” using adduser command.
2. Set password for user “jtemp” using passwd command.

Lab3 [email protected] Page 2 of 3

OSP201 Open Source Platform and Network Administration

3. Type: sudo chage –d 0 jtemp to force the jtemp user to change the password at the next login
attempt.
4. Type: sudo chage –E YYYY/MM/dd jtemp to force the jtemp user to change the password on the
required date.
5. Type: sudo chage --list jtemp to review the password settings for the jtemp user account.
6. Make a screen capture showing the output of the –list command and paste it into the Lab Report
file.

V. Part 5: Restrict Access

In the next steps, you will harden security measures on this server by restricting the
use of the su command which grants the user root level access. You will edit the
pam.d file to restrict the wheel group from using the su command

1. Type: sudo vi /etc/pam.d/su to edit the access for the su command in the PAM module file.
2. Press the i key to enter the Insert mode.
3. Use the arrow keys to locate the #auth required pam_wheel.so use_uid line in the editor.
4. Replace the hash tag (#) at the beginning of the line with an x so that the entire line now reads
xauth required pam_wheel.so use_uid.

5. Make a screen capture showing the edits from step 4 and paste it into the Lab Report file.

Lab3 [email protected] Page 3 of 3