OSP201 Open Source Platform and Network Administration

LAB 3
Hardening Security with User Account Management and Security Controls
Objective of LAB3:
 Configure a password policy by editing the /etc/login.defs file and
implementing
 stringent password security measures on a CentOS Linux Server
 Enforce a password change every 60 days showing a warning 14 days prior to
the password’s expiration across the system for all users
 Configure a minimum password length of eight characters with stringent
complexity requirements
 Create users and groups with the proper permissions and restrictions to enforce
role-based access controls
 Create a temporary user account that expires in 90 days to enforce the proper
principle of least privilege with contractors and temporary workers/consultants

A. Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:
 Lab Report file including screen captures of the following steps:
o Part 1, Step 6;
o Part 2, Step 3;
o Part 3, Step 3;
o Part 4: Step 6;
o Part 5: Step 4;
 Lab Assessments file.
 Optional: Challenge Questions file, if assigned by your instructor.

B. Hand-on Steps
I. Part 1: Establish System Password Controls
1. Open the CentOS virtual machine.
2. At the command prompt, type sudo vi /etc/login.defs and press Enter to load the grub
configuration file into the vi Editor.
3. Press the i key to enter the Insert mode.
4. Use the arrow keys to locate the Password aging controls section of the file.

Lab3 [email protected] Page 1 of

OSP201 Open Source Platform and Network Administration

5. Edit the password aging controls section to match the following definition:
 PASS_MAX_DAYS 60
 PASS_MIN_DAYS 0
 PASS_MIN_LEN 8
 PASS_WARN_AGE 14
6. Make a screen capture showing your changes in the vi Editor window and paste it into the Lab
Report File.

7. Press the Esc key to exit the Insert mode.

8. Type :x and press Enter to save your changes and exit the vi Editor.

II. Part 2: Create User Account

1. Using the useradd command to create some user account:
 dbadmin1
 dbadmin2
 webadmin1
 webadmin2
2. using the passwd to set the password for all users on above.
3. Type: tail /etc/passwd and capture full screen and paste into Lab Report file.

III. Part 3: Manage Security Group

1. Using groupadd command to create groups as below:
 dba
 web
2. using usermod command to add:
 user “dbadmin1” to group “dba”.
 user “dbadmin2” to group “dba”.
 user “webadmin1” to group “web”.
 user “webadmin2” to group “web”.
3. Type: groups webadmin2 and capture full screen and paste it into Lab Report file.

IV. Part 4: Manage temporary user account

1. Create a new user “jtemp” using adduser command.
2. Set password for user “jtemp” using passwd command.

Lab3 [email protected] Page 2 of

OSP201 Open Source Platform and Network Administration

3. Type: sudo chage –d 0 jtemp to force the jtemp user to change the password at the next login
attempt.
4. Type: sudo chage –E YYYY/MM/dd jtemp to force the jtemp user to change the password on the
required date.
5. Type: sudo chage --list jtemp to review the password settings for the jtemp user account.
6. Make a screen capture showing the output of the –list command and paste it into the Lab Report
file.

V. Part 5: Restrict Access

In the next steps, you will harden security measures on this server by restricting
the use of the su command which grants the user root level access. You will edit
the pam.d file to restrict the wheel group from using the su command

1. Type: sudo vi /etc/pam.d/su to edit the access for the su command in the PAM module file.
2. Press the i key to enter the Insert mode.
3. Use the arrow keys to locate the #auth required pam_wheel.so use_uid line in the editor.
4. Replace the hash tag (#) at the beginning of the line with an x so that the entire line now reads
xauth required pam_wheel.so use_uid.

5. Make a screen capture showing the edits from step 4 and paste it into the Lab Report file.

VI. Lab Assessment Q&A

1) The new Web administrator’s account (webadmin1) has been set up and a password
provided to the user. What is the command to force the user to change the password upon
first login?
2) Given a scenario where there are five database administrators who may periodically need
access to a given system, discuss a concept to better manage these administrators’ access
permissions.
3) What is the purpose of the login.defs file? Explain the contents and configuration options.
Describe the password and account settings you would configure if you were told that a
few contractors needed accounts on the Linux system for the next 14 days.

Lab3 [email protected] Page 3 of