LAB3

“Hardening Security with User Account

Management and Security Controls”
1. What is the purpose of hardening security in user account management?

The purpose of hardening security in user account management is to protect sensitive data,
prevent unauthorized access, and maintain the integrity and availability of systems and
information. This involves implementing various measures to secure user accounts from
potential threats and vulnerabilities.

2. Which command can you use to create a new user account in Linux?

The basic syntax for creating a new user is:

sudo useradd [options] username

Here is a basic example to create a new user account named newuser:sudo useradd
newuser

However, the useradd command with just the username might not be sufficient for
creating a fully functional user account because it does not create the user's home
directory or set a password. A more comprehensive approach involves using additional
options:

Create Home Directory:To create the user's home directory, use the -m option:

sudo useradd -m newuser

Specify User's Shell:

To set the default shell for the user, use the -s option followed by the path to the shell:

sudo useradd -m -s /bin/bash newuser

Set User's Password:

After creating the user, you can set the password using the passwd command:

sudo passwd newuser

Specify User's Home Directory:

If you want to specify a custom home directory, use the -d option:

sudo useradd -m -d /custom/home/directory newuser

Add User to a Group:

To add the user to a specific group, use the -G option followed by the group name(s):

sudo useradd -m -G groupname newuser

For example, to create a new user named newuser with a home directory, set the default
shell to /bin/bash, and add them to the developers group, you would use:

sudo useradd -m -s /bin/bash -G developers newuser

After running this command, you would then set the user's password:

sudo passwd newuser

3. How do you set a password for a user account using the command line?

To set a password for a user account using the command line in Linux, you can use the
passwd command. The basic syntax for setting a password is:

sudo passwd username

Here’s a step-by-step example of how to set a password for a user account named
newuser:

Open a terminal.

Type the following command to set or change the password for newuser:

sudo passwd newuser

You will be prompted to enter the new password for the user:

Enter new UNIX password:

Enter the new password and press Enter. You will be prompted to retype the password to
confirm:

Retype new UNIX password:

Enter the new password again and press Enter. If both entries match, you will see a
message indicating that the password was updated successfully:

passwd: password updated successfully

4. Explain the difference between the useradd and adduser commands.

adduser provides guides through the user creation process in an interactive prompt.
Therefore, the adduser command is a beginner-friendly way to add a new user. The
useradd command provides complete control over the user creation process. With
additional options, useradd achieves the same tasks as adduser

5. What is the significance of the /etc/passwd file in user account management?

Traditionally, the /etc/passwd file is used to keep track of every registered user that has
access to a system. The /etc/passwd file is a colon-separated file that contains the
following information: User name. Encrypted password.

6. How can you lock a user account to prevent login?

To lock a user account in Linux and prevent the user from logging in, you can use the
passwd command with the -l option. The basic syntax is:

sudo passwd -l username

7. Which command allows you to modify user account properties, such as the home
directory or shell?

The 'usermod' command is a powerful utility in Linux used to modify user accounts. It is
used with the basic syntax, usermod [options] username . You can use it to change
various user attributes like user's home directory, login name, and even password expiry
date.

8. Describe the purpose of the passwd command.

The passwd command changes passwords for user accounts. A normal user may only
change the password for their own account, while the superuser may change the password
for any account. passwd also changes the account or associated password validity period

9. How do you change the password expiration policy for a user account?

To change the password expiration policy for a user account in Linux, you can use the
chage command. This command allows you to configure various password expiration
settings for a user. Here’s how you can use it:

View Current Password Expiration Settings

First, you can view the current password expiration settings for a user account by using
the following command:

sudo chage -l username

Change Password Expiration Settings

To change the password expiration policy, you can use various options with the chage
command. Here are some common options:

-m MIN_DAYS: Minimum number of days between password changes.

-M MAX_DAYS: Maximum number of days the password is valid.

-W WARN_DAYS: Number of days before password expires to warn the user.

-I INACTIVE_DAYS: Number of days after password expires before the account is

locked.

-E EXPIRE_DATE: Set the account expiration date (in the format YYYY-MM-DD).

10. What is the purpose of the chage command?

The chage command in Linux is used to view and modify user password expiration
information. Its primary purpose is to manage password aging policies, allowing
administrators to enforce password changes and account expirations, which enhances
system security.

11. Explain the concept of “least privilege” in user account management.

Least privilege is the concept and practice of restricting access rights for users,
accounts, and computing processes to only those resources absolutely required
to perform legitimate functions. Privilege itself refers to the authorization to
bypass certain security restraints

12. How can you disable a user account temporarily?

Lock the User Account with passwd:

The passwd command with the -l (lock) option adds an exclamation mark (!) to the
beginning of the user's encrypted password in the /etc/shadow file, effectively preventing
the user from logging in.

sudo passwd -l username

To re-enable the account, use the -u (unlock) option:

sudo passwd -u username

Use the usermod Command:

The usermod command with the -L option also locks the user account by adding an
exclamation mark (!) to the password.
sudo usermod -L username

To unlock the account, use the -U option:

sudo usermod -U username

Set an Expiration Date in the Past:

Using the chage command, you can set the account expiration date to a date in the past,
which disables the account.

sudo chage -E 2022-01-01 username

To remove the expiration date and re-enable the account:

sudo chage -E -1 username

Change the User's Shell to /sbin/nologin or /bin/false:

By changing the user's shell to /sbin/nologin (on most Linux distributions) or /bin/false,
you prevent the user from logging into the system.

sudo usermod -s /sbin/nologin username

To revert to the default shell (usually /bin/bash):

sudo usermod -s /bin/bash username

13. Which command allows you to delete a user account?

To delete a user account in a Linux system, you can use the userdel command. This
command allows administrators to remove user accounts from the system. Here is how to
use it:

Basic Account Deletion:

The simplest form of the command deletes the user account but leaves the user's home
directory and files intact.

sudo userdel username

Delete User Account and Home Directory:

To delete the user account along with the user's home directory and mail spool, use the -r
option.

sudo userdel -r username

14. What is the difference between disabling and deleting a user account?
One an account is “deleted”, if it is not used again in the next 14 days, it is a closed
account. Then it can't be opened or operated. Yet, it remains open in Quora for all to see.
Contents are not deleted.

By singing out of an account “deactivates” it temporarily, until it is operated again by

signing into it anytime in future. There may be a CAPTCHA formality. Account remains
intact.

15. How do you list all currently logged-in users?

16. Describe the purpose of the su command.

The su command in Linux lets you switch to another user's account or execute
commands as a different user. It's useful for administrative tasks that require
elevated privileges. su is also used to test commands with different user
permissions to ensure the system requires authentication for user switches

17. What is the default shell for a new user account in Linux?

The default shell for a new user account in most Linux distributions is typically /bin/bash.

However, it's worth noting that some distributions might have different default shells
configured. For example:

On Debian-based systems (e.g., Debian, Ubuntu), the default shell for new users is often
/bin/bash.

On Red Hat-based systems (e.g., CentOS, Fedora), the default shell for new users is also
commonly /bin/bash.

On some systems, /bin/sh might be symlinked to another shell like dash or bash, so
/bin/sh behaves like that shell.

To check the default shell for new users on your specific Linux distribution, you can
usually find this information in the system's configuration files, such as
/etc/default/useradd or /etc/login.defs. Additionally, the getent command can be used to
retrieve this information:

getent passwd | grep '^.*:.*:.*:.*:.*:/bin/bash$'

This command searches for users whose default shell is set to /bin/bash. You can replace
/bin/bash with the default shell you want to check.

18. How can you enforce password complexity rules for user accounts?

Enforcing password complexity rules for user accounts is essential for enhancing system
security. In Linux systems, you can achieve this by configuring the password policy using
the Pluggable Authentication Modules (PAM) framework and tools like passwd and
chage.
1. Using PAM (Pluggable Authentication Modules):

PAM provides a flexible way to enforce password complexity rules by configuring

modules. Here's how to do it:

Edit the /etc/pam.d/common-password file using a text editor.

Add or modify the pam_unix.so line to include the minlen, ucredit, lcredit, dcredit, and
ocredit options to specify password complexity requirements.

2. Using passwd:

The passwd command allows you to set or change a user's password and enforce
complexity rules using the -r option. However, this method might vary depending on your
Linux distribution.

3. Using chage:

The chage command can enforce password aging policies, including minimum password
age, maximum password age, and password history. While it doesn't directly enforce
complexity rules, it can complement other methods.

4. Using /etc/login.defs:

You can also enforce global password policies by modifying the /etc/login.defs file. This
file contains various settings related to user authentication, including password-related
configurations.

19. Explain the significance of the /etc/shadow file.

The /etc/shadow is a text-based password file. The shadow file stores the hashed
passphrase (or “hash”) format for Linux user account with additional properties
related to the user password. This shadow file is directly accessible only to the
root user

20. Which command can you use to change the group membership of a user account?

To change the group membership of a user account in Linux, you can use the usermod
command. This command is used for modifying user account attributes, including group
membership. Here's how you can use it to change the group membership of a user
account:

sudo usermod -g new_group username

Explanation of options:

-g new_group: Specifies the new primary group for the user account.

username: The username of the user account whose group membership you want to
change.