Practical UNIX & Internet Security, 2nd Edition, Appendix A
Chapter 8: Defending Your Accounts
- Make sure that every account has a password.
- Make sure to change the password of every "default" account that came with your UNIX system. If possible, disable accounts like uucp and daemon so that people cannot use them to log into your system.
- Do not set up accounts that run single commands.
- Instead of logging into the root account, log in to your own account and use su.
- Do not create "default" or "guest" accounts for visitors.
- If you need to set up an account that can run only a few commands, use the rsh restricted shell.
- Think about creating restricted filesystem accounts for special-purpose commands or users.
- Do not set up a single account that is shared by a group of people. Use the group ID mechanism instead.
- Monitor the format and contents of the /etc/passwd file.
- Put time/tty restrictions on login to accounts as appropriate.
- Disable dormant accounts on your computer.
- Disable the accounts of people on extended vacations.
- Establish a system by which accounts are always created with a fixed expiration date and must be renewed to be kept active.
- Do not declare network connections, modems, or public terminals as "secure" in the /etc/default/login or /etc/ttys files.
- Be careful who you put in the wheel group, as these people can use the su command to become the superuser (if applicable).
- If possible, set your systems to require the root password when rebooting in single-user mode.
- If your system supports the TCB/trusted path mechanism, enable it.
- If your system allows the use of a longer password than the standard crypt() uses, enable it. Tell your users to use longer passwords.
- Consider using some form of one-time password or token-based authentication, especially on accounts that may be used across a network link.
- Consider using the Distributed Computing Environment (DCE) or Kerberos for any local network of single-user workstations, if your vendor software allows it.
- Enable password constraints, if present in your software, to help prevent users from picking bad passwords. Otherwise, consider adding password screening or coaching software to assist your users in picking good passwords.
- Consider cracking your own passwords periodically, but don't place much faith in results that show no passwords cracked.
- If you have shadow password capability, enable it. If your software does not support a shadow password file, contact the vendor and request that such support be added.
- If your system does not have a shadow password file, make sure that the file /etc/passwd cannot be read anonymously over the network via UUCP or TFTP.
- If your computer supports password aging, set a lifetime between one and six months.
- If you have source code for your operating system, you may wish to slightly alter the algorithm used by crypt() to encrypt your password. For example, you can increase the number of encryption rounds from 25 to 200.
- If you are using a central mail server or firewall, consider the benefits of account-name aliasing.
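As an added example (not from the book), the following audit turns several of the checklist items above into checks over a passwd-format file: every account has a password, no extra UID 0 or shared-UID accounts, system accounts such as uucp and daemon have no login shell, no guest accounts, no password hashes visible where shadow passwords should be in use, and every entry is well formed. The sample entries, account names and shell paths are constructed assumptions.

```python
# Constructed sample /etc/passwd contents (not from a real system) to audit.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
guest::1001:1001:visitor account:/home/guest:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/sh
bob:x:1002:1003:Bob:/home/bob:/bin/sh
carol:abJnggxhB/yWI:1004:1004:Carol:/home/carol:/bin/sh
broken:x:1005:1005:no shell
"""

# Assumed names: accounts the checklist says should not allow interactive login.
SYSTEM_ACCOUNTS = {"daemon", "uucp", "bin", "sys", "lp", "news"}
GUEST_NAMES = {"guest", "visitor", "default"}
DISABLED_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
LOCKED_MARKERS = ("x", "*", "*LK*")  # shadowed or locked: no hash in passwd


def audit_passwd(text):
    """Return (account, issue) findings for passwd-format text, in file order."""
    findings, seen, by_uid = [], set(), {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:  # name:pw:uid:gid:gecos:home:shell
            findings.append((f"line {lineno}", "malformed entry, expected 7 fields"))
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        if name in seen:
            findings.append((name, "duplicate user name"))
        seen.add(name)
        if pw == "":
            findings.append((name, "no password set"))
        elif pw not in LOCKED_MARKERS and not pw.startswith("!"):
            findings.append((name, "password hash visible; enable shadow passwords"))
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 (superuser) account"))
        if uid in by_uid:
            findings.append((name, f"shares UID {uid} with {by_uid[uid]}; use groups instead"))
        else:
            by_uid[uid] = name
        if name in SYSTEM_ACCOUNTS and shell not in DISABLED_SHELLS:
            findings.append((name, "system account still has a login shell"))
        if name in GUEST_NAMES:
            findings.append((name, "guest/default account should not exist"))
    return findings
```

Run it against the real file with `audit_passwd(open("/etc/passwd").read())`; on a shadowed system every password field should be a locked marker, so any hash-like value is a finding.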