*Unix host build review
I wrote the following small script to check who are the users accessing their accounts using certificates
$cat certCheck.sh
echo "users using ssh certificates"
for i in $( ls /home ); do
#echo item: $i
y=/home/$i/.ssh
#echo $y
if [ -e "$y" ]; then
#echo "File found!"
#ls -la /home/$i/.ssh
echo $i
fi
done
Outcome:
# bash certCheck.sh
users using ssh certificates
user1
user3
user6
Now, you know these users use certificates, but their account with old password might still allow malicious users to login. To check if authentication via password is possible, you should check the presence of double esclamation marks in the /etc/shadow file
# grep user1 /etc/shadow
user1:!!$6$ciJaoDR9$Qpt9sctRLjbZ4/Agxy9UOvu/XQqNrFo9rpgfZ/xrF/8JphkEvF29ITpef0SVLdJcrpv8Q/.6mRAHee4tZT0r11:16299:0:99999:7:::
Double escalamation mark indicates accounts have been lock or password not set
# passwd -S user1
user1 LK 2014-08-17 0 99999 7 -1 (Password locked.)
# passwd -S user1
user1 PS 2014-08-17 0 99999 7 -1 (Password set, SHA512 crypt.)
You should make your customers aware of accounts using both password and certificates and make sure they review the list of users and their permissions regularly
The other checks you might want to do are the password policy for each user:
chage -l user
Check snmp config
/etc/snmpd.conf
Check FTP conf
https://linuxconfig.org/how-to-setup-and-use-ftp-server-in-ubuntu-linux
Resources:
http://www.golinuxhub.com/2014/08/how-to-check-lock-status-of-any-user.html
http://www.amazon.com/Linux-System-Security-Administrators-Source/dp/0130158070
http://www.tecmint.com/linux-server-hardening-security-tips/
$cat certCheck.sh
echo "users using ssh certificates"
for i in $( ls /home ); do
#echo item: $i
y=/home/$i/.ssh
#echo $y
if [ -e "$y" ]; then
#echo "File found!"
#ls -la /home/$i/.ssh
echo $i
fi
done
Outcome:
# bash certCheck.sh
users using ssh certificates
user1
user3
user6
Now, you know these users use certificates, but their account with old password might still allow malicious users to login. To check if authentication via password is possible, you should check the presence of double esclamation marks in the /etc/shadow file
# grep user1 /etc/shadow
user1:!!$6$ciJaoDR9$Qpt9sctRLjbZ4/Agxy9UOvu/XQqNrFo9rpgfZ/xrF/8JphkEvF29ITpef0SVLdJcrpv8Q/.6mRAHee4tZT0r11:16299:0:99999:7:::
Double escalamation mark indicates accounts have been lock or password not set
# passwd -S user1
user1 LK 2014-08-17 0 99999 7 -1 (Password locked.)
# passwd -S user1
user1 PS 2014-08-17 0 99999 7 -1 (Password set, SHA512 crypt.)
You should make your customers aware of accounts using both password and certificates and make sure they review the list of users and their permissions regularly
The other checks you might want to do are the password policy for each user:
chage -l user
Check snmp config
/etc/snmpd.conf
Check FTP conf
https://linuxconfig.org/how-to-setup-and-use-ftp-server-in-ubuntu-linux
Resources:
http://www.golinuxhub.com/2014/08/how-to-check-lock-status-of-any-user.html
http://www.amazon.com/Linux-System-Security-Administrators-Source/dp/0130158070
http://www.tecmint.com/linux-server-hardening-security-tips/