
1.4 Creating User Accounts


Introduction

Outlined here are the minimal security steps the Bonsai Framework uses in server builds. Because these account names are published on the Internet you may want to change them; the exposure is largely mitigated by requiring SSH public-key authentication instead of passwords.

Naming Convention

You may want to understand the naming convention used here if you want to build your own. Otherwise, the examples are self-explanatory and we have not encountered any issues with them.

Create Catch-All serveradmin user

The purpose of serveradmin is to be the catch-all account for things like scripts. Depending on your organization's requirements it may also be used to manually set up software such as application servers.

Our user convention is firstName.lastName; however, we chose serveradmin rather than server.admin for fast typing, as this and similar accounts are often typed when switching to them with su or sudo -u.

In a more security-sensitive environment consider distinct accounts, e.g. one per manually installed application (such as tomcatadmin), so that a compromise of one application does not expose the others.

Also, serveradmin is deliberately not a member of staff, so the sudo rule granted later on this page does not apply to it. If an attacker compromises an application running as serveradmin, sudo is still out of reach.

Finally, in order to use Zero Footprint easily, create serveradmin consistently (same name, UID and GID) across all your systems.

Add the user and assign a password to that user,

sudo addgroup --gid 3000 serveradmin
sudo useradd -d /home/serveradmin -m -g serveradmin -u 3000 -c "Admin catch-all" -s /bin/bash serveradmin
sudo passwd serveradmin

Create Staff Users

We will also create staff users, associated with the built-in staff group, so we know who is working on the machine. As a policy, our team requires that, unless absolutely necessary, staff log in with their own account and then su to serveradmin or use sudo for maintenance work. That way we have a trail of who does what.

sudo useradd -d /home/brian.hitch -m -g staff -u 2000 -c "Support Brian Hitch" -s /bin/bash brian.hitch
sudo useradd -d /home/john.cassaday -m -g staff -u 2001 -c "Support John Cassaday" -s /bin/bash john.cassaday
sudo useradd -d /home/warren.ellis -m -g staff -u 2002 -c "Support Warren Ellis" -s /bin/bash warren.ellis
Options (from useradd --help):
-b, --base-dir BASE_DIR base directory for the home directory of the new account
-c, --comment COMMENT GECOS field of the new account
-d, --home-dir HOME_DIR home directory of the new account
-D, --defaults print or change default useradd configuration
-e, --expiredate EXPIRE_DATE expiration date of the new account
-f, --inactive INACTIVE password inactivity period of the new account
-g, --gid GROUP name or ID of the primary group of the new account
-G, --groups GROUPS list of supplementary groups of the new account
-h, --help display this help message and exit
-k, --skel SKEL_DIR use this alternative skeleton directory
-K, --key KEY=VALUE override /etc/login.defs defaults
-l, --no-log-init do not add the user to the lastlog and faillog databases
-m, --create-home create the user's home directory
-M, --no-create-home do not create the user's home directory
-N, --no-user-group do not create a group with the same name as the user
-o, --non-unique allow to create users with duplicate (non-unique) UID
-p, --password PASSWORD encrypted password of the new account
-r, --system create a system account
-R, --root CHROOT_DIR directory to chroot into
-s, --shell SHELL login shell of the new account
-u, --uid UID user ID of the new account
-U, --user-group create a group with the same name as the user
-Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping
--extrausers Use the extra users database 

Notice the -u option, which sets the user's UID. We found it essential to standardize the UIDs (and the matching GIDs) of the accounts across all our systems. Not doing so causes ownership problems when cloning systems or moving programs and data between environments, because the filesystem stores the numeric ID, not the name. As a practice, we use the following UID ranges,

  • Staff 2000-2499
  • Guest Staff Users 2500-2999
  • Custom services 3000-3999

Additionally, we use the UID range 4000-4999 for clients who send in their own staff to work on the servers. Since the number of users with this kind of access should not be large, we can make the group blocks match the user blocks,

Group (GID)   Users (UID)
4000          RedClient1 = 4000, RedClient2 = 4001, RedClient3 = 4002, RedClient5 = 4003
4010          BlueClient1 = 4010, BlueClient2 = 4011
4020          GreenClient1 = 4020, GreenClient2 = 4021, GreenClient3 = 4022

Next, we add the staff users to the following groups,

  • adm - so staff can read the system and application logs that are readable by the adm group without having to use sudo

Here is the command,

sudo usermod -a -G adm brian.hitch
sudo usermod -a -G adm john.cassaday
sudo usermod -a -G adm warren.ellis

When an existing user is added to an existing group, the change applies to new sessions only: the user must log out and log back in before the group membership takes effect. You can confirm the membership immediately with id brian.hitch.

The above step could have been done at user creation with -G. However, this illustrates user modification as part of the tutorial.

Do not forget to set passwords for the new accounts,

sudo passwd brian.hitch
Enter new Unix password:
Reenter new Unix password:
passwd: password updated successfully
sudo passwd john.cassaday
sudo passwd warren.ellis

Allow staff Group to sudo

Rather than editing /etc/sudoers itself, put the rule in its own file under /etc/sudoers.d/. This ensures that package upgrades will not overwrite your change. Two things to keep in mind about that directory: sudo skips any file whose name contains a '.' or ends in '~', and each file should be owned by root with mode 0440, which is what visudo sets.

Download File Using tscripts

Download tscripts,

cd /tmp
wget www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
cat 01_enable_sudo_for_staff                 # review it before installing: it grants root to every member of staff
sudo visudo -cf 01_enable_sudo_for_staff     # syntax check before the file can take effect
sudo install -o root -g root -m 0440 01_enable_sudo_for_staff /etc/sudoers.d/01_enable_sudo_for_staff


Manual Method

If you want to create the file manually,

# Locks the file for single-user access (important on a multi-user system) and validates the syntax on save.
sudo visudo -f /etc/sudoers.d/01_enable_sudo_for_staff

visudo launches your default editor on that file. Add the following to the file,

# Members of the staff group may gain root privileges.
%staff ALL=(ALL) ALL

Going forward, make sure to use visudo to edit the 01_enable_sudo_for_staff file so that the locking, the syntax check and the proper permissions apply.


At this point it is important to log out and log in with your staff account to continue any new work. This gives a proper audit trail of the system from this point forward.

Create Auxiliary Users

To make this a truly enterprise system we will also need a few more users.

remotebackup - user for creating remote backups. The assigned UID is 3001 and the primary group is the built-in backup group.


sudo useradd -d /home/remotebackup -m -g backup -u 3001 -c "Remote Backup" -s /bin/bash remotebackup

Create regular Users

If you would like to add regular users without giving them sudo access, follow the instructions below.

Create regular group

sudo addgroup support

Create users and add them to group "support"

sudo useradd -d /home/tom.hitch -m -g support -u 2500 -c "Support Tom Hitch" -s /bin/bash tom.hitch
sudo useradd -d /home/rohan.cassaday -m -g support -u 2501 -c "Support Rohan Cassaday" -s /bin/bash rohan.cassaday
sudo useradd -d /home/dennis.ellis -m -g support -u 2502 -c "Support Dennis Ellis" -s /bin/bash dennis.ellis

Granting Non-staff Users sudo with Certain Commands

In some cases you might want a non-staff user, or a whole group, to run certain commands as root. A typical scenario is restarting a service that requires root, such as Apache. The walkthrough below uses mkdir only to keep the example short.

sudo visudo

Scroll to the bottom and enter the username, in this case bob, followed by the commands you would like bob to be able to run with sudo. In this case we want bob to be able to create directories:

bob ALL=(root) /bin/mkdir

Now test the command, logged in as bob,

sudo mkdir bob

If you do not know the exact path to add, the error message tells you: it shows the full path that sudo resolved. For example, here is the error when bob tries to run find:

Sorry, user bob is not allowed to execute '/usr/bin/find something' as root on prodserver

Now that we have the command path, add it to bob's rule with visudo and test again. Separate multiple commands with a comma:

bob ALL=(root) /bin/mkdir, /usr/bin/find

To let bob use sudo without being prompted for his password, add the NOPASSWD: tag:

bob ALL=(root) NOPASSWD: /bin/mkdir, /usr/bin/find

Be careful what goes on the list. A command that can run other programs is as good as unrestricted root: find accepts -exec, so "sudo find /tmp -exec /bin/sh \;" gives bob a root shell, and editors, pagers and interpreters have equivalent escapes. Prefer commands that cannot spawn anything and pin their arguments, for example a rule such as "%support ALL=(root) /usr/sbin/service apache2 restart" for the Apache restart scenario on Ubuntu (an illustration, not part of the tscripts). A %group in place of the username applies the rule to every member of that group, exactly as the %staff rule earlier on this page does.
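As an added example (not code from the Bonsai Framework page), the following POSIX shell script checks a sudoers.d directory for the problems raised in this section and in the staff-sudo section above: files sudo silently skips because of their name, wrong mode or owner, and allowlisted commands such as find that hand out a root shell. It assumes Linux with GNU coreutils stat; the list of shell-escape programs and the constructed sample files are this example's own, not anything from the tscripts.

```shell
#!/bin/sh
# Added example, not code from the Bonsai Framework page: audit an
# /etc/sudoers.d directory for the pitfalls discussed on this page.
# Assumes Linux with GNU coreutils (stat -c); sudo itself is not needed to run it.

# Programs that can start a shell or open arbitrary files when run as root
# (find -exec, vi's :!, less's !, ...). Allowing one of them is allowing root.
# Assumed list for the demonstration; extend it for your environment.
SHELL_ESCAPES=" find vi vim less more awk perl python python3 sh bash env "

# check_rule_commands LINE -> prints a finding for each allowlisted command that
# is a shell escape; prints nothing if the rule's command list is clean
check_rule_commands() {
    # strip "user HOST=(runas)" and the NOPASSWD tag, leaving "cmd, cmd, ..."
    printf '%s\n' "$1" \
        | sed 's/^[^=]*=//; s/([^)]*)//; s/NOPASSWD://g; s/PASSWD://g' \
        | tr ',' '\n' \
        | while read -r cmd; do
              [ -n "$cmd" ] || continue
              prog=$(basename "${cmd%% *}")     # program name without path or arguments
              case "$SHELL_ESCAPES" in
                  *" $prog "*) echo "  allows $prog as root: a shell escape, not a restricted command";;
              esac
          done
}

# audit_sudoers_dir DIR -> prints findings, returns 0 if clean, 1 otherwise
audit_sudoers_dir() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        # sudoers(5): names containing '.' or ending in '~' are skipped, so such a
        # file (editor backup, "foo.conf") is never applied
        case "$base" in
            *.*|*~) echo "$base: ignored by sudo (name contains '.' or ends in '~')"; rc=1; continue;;
        esac
        mode=$(stat -c '%a' "$f")
        [ "$mode" = 440 ] || { echo "$base: mode 0$mode, should be 0440"; rc=1; }
        [ "$(stat -c '%U' "$f")" = root ] || { echo "$base: not owned by root"; rc=1; }
        while read -r line; do
            case "$line" in
                ''|'#'*|Defaults*|*_Alias*) continue;;   # comments, defaults, aliases
            esac
            findings=$(check_rule_commands "$line")
            [ -z "$findings" ] || { echo "$base: $line"; echo "$findings"; rc=1; }
        done < "$f"
    done
    return $rc
}

# demo_sudoers_dir -> builds a constructed sudoers.d directory (sample content,
# not a real system) under a temp path and prints the path
demo_sudoers_dir() {
    d=$(mktemp -d)
    printf '%%staff ALL=(ALL) ALL\n' > "$d/01_enable_sudo_for_staff"
    printf 'bob ALL=(root) NOPASSWD: /bin/mkdir, /usr/bin/find\n' > "$d/02_bob"
    printf '%%support ALL=(root) /usr/sbin/service apache2 restart\n' > "$d/03_support.conf"
    chmod 0440 "$d/01_enable_sudo_for_staff" "$d/03_support.conf"
    chmod 0640 "$d/02_bob"
    echo "$d"
}

# Usage: sudo sh audit.sh /etc/sudoers.d   or, for the constructed sample: sh audit.sh demo
if [ "${1:-}" = demo ]; then
    audit_sudoers_dir "$(demo_sudoers_dir)"
elif [ -n "${1:-}" ]; then
    audit_sudoers_dir "$1"
fi
```

On the sample directory the script flags 02_bob twice (mode 0640 instead of 0440, and find on the allowlist) and reports that 03_support.conf is never read because of the '.' in its name; the staff rule passes because ALL is not a command the script can judge. Run against a real /etc/sudoers.d it needs root to read the 0440 files, and it complements visudo -c, which checks syntax but not what the rules actually grant.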
