Unix host build review

I wrote the following small script to check which users access their accounts using certificates:

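$ cat certCheck.sh
#!/bin/bash
# List every user under /home whose home directory contains .ssh
echo "users using ssh certificates"

for dir in /home/*/; do
        # Strip the path so only the user name is left
        i=$(basename "$dir")
        y=/home/$i/.ssh
        # The presence of .ssh suggests key-based SSH access is set up
        if [ -e "$y" ]; then
                echo "$i"
        fi
done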

Outcome:

 # bash certCheck.sh
users using ssh certificates
user1
user3
user6

Now you know these users use certificates, but an account with an old password might still allow malicious users to log in. To check whether authentication via password is possible, look for double exclamation marks in the user's entry in the /etc/shadow file:

# grep user1 /etc/shadow 
user1:!!$6$ciJaoDR9$Qpt9sctRLjbZ4/Agxy9UOvu/XQqNrFo9rpgfZ/xrF/8JphkEvF29ITpef0SVLdJcrpv8Q/.6mRAHee4tZT0r11:16299:0:99999:7:::

A double exclamation mark indicates that the account has been locked or that the password has not been set:

# passwd -S user1
user1 LK 2014-08-17 0 99999 7 -1 (Password locked.)

# passwd -S user1
user1 PS 2014-08-17 0 99999 7 -1 (Password set, SHA512 crypt.)



You should make your customers aware of accounts that use both passwords and certificates, and make sure they review the list of users and their permissions regularly.
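
The two checks above combined, as an added example that is not part of the original post: it lists users who have a .ssh directory and whose /etc/shadow password field is still usable. The function names and the /home/<user> layout are assumptions; both paths can be overridden so the functions can be run against constructed data.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage as root on a real host:  both_auth /etc/shadow /home

# pw_state FIELD
# Classify the second field of a shadow(5) entry.
pw_state() {
    case "$1" in
        '')   echo empty ;;    # no password needed to log in
        '!'*) echo locked ;;   # "!" or "!!" prefix: locked or never set
        '*'*) echo nologin ;;  # "*": no valid password hash
        *)    echo set ;;      # a usable hash is present
    esac
}

# both_auth [SHADOW_FILE] [HOME_ROOT]
# Print users that have HOME_ROOT/<user>/.ssh and a password that
# still works (state "set" or "empty").
# Assumption: home directories live directly under HOME_ROOT.
both_auth() {
    shadow_file=${1:-/etc/shadow}
    home_root=${2:-/home}
    while IFS=: read -r user field _rest; do
        # Same test as certCheck.sh: does the user have a .ssh directory?
        [ -d "$home_root/$user/.ssh" ] || continue
        case "$(pw_state "$field")" in
            set|empty) echo "$user" ;;
        esac
    done < "$shadow_file"
}
```

Users printed by both_auth are the ones to report: key-based access is configured, but the password is still accepted wherever password authentication is enabled.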


The other checks you might want to do are the password policy for each user:

chage -l user

Check the SNMP config:
/etc/snmpd.conf

Check the FTP config:
https://linuxconfig.org/how-to-setup-and-use-ftp-server-in-ubuntu-linux
