locking linux services account

0

I've been asked to harden my Linux clients by disabling the login shell for unwanted services. For example, the services below were configured by default with the bash shell in the SLES12 SP2 installation. I'm not sure about the impact if I make these changes on the system.

Is it safe to reconfigure them with something like /sbin/nologin or /bin/false?

Is it safe to leave the system as is as long as it has the locked password status (*, !, !!)?

  • I've added the users' password status and dependencies as far as I know.

List all users that have a shell - /etc/passwd:

cat /etc/passwd | egrep -v '/sbin/nologin|/bin/false|^root'

at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash

List password status: /etc/shadow

for user in $(cat /etc/passwd | egrep -v '/bin/false|/sbin/nologin|^root' |cut -d: -f1) ; do grep $user /etc/shadow; done

at:!:17115::::::
statd:!:17115::::::
bin:*:17105::::::
daemon:*:17105::::::
ftp:*:17105::::::
ftpsecure:!:17115::::::
games:*:17105::::::
lp:*:17105::::::
openslp:!:17105::::::
man:*:17105::::::
news:*:17105::::::
nobody:*:17105::::::
uucp:*:17105:::::: 

List user dependencies: /etc/group

for user in $(cat /etc/passwd | egrep -v '/bin/false|/sbin/nologin|^root' |cut -d: -f1) ; do grep $user /etc/group; done

at:x:25:
bin:x:1:daemon
winbind:x:483:
bin:x:1:daemon
daemon:x:2:
ftp:x:49:
games:x:40:
lp:x:7:
man:x:62:
news:x:13:
nobody:x:65533:
nogroup:x:65534:nobody
uucp:x:14:

Asaf Magen

Posted 2017-01-08T09:13:25.527

Reputation: 113
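The audit from the question, as an added example that is not part of the original post: it compares each account name with the whole first field, whereas an unanchored `grep $user` also returns entries such as statd for at or openslp for lp. The function names, the file arguments and the sample passwd/shadow lines (including the statd and demo entries) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data is constructed.

# Names of non-root accounts whose shell is not nologin/false.
shell_accounts() {   # shell_accounts PASSWD_FILE
    awk -F: '$1 != "root" && $7 !~ "(/nologin|/false)$" { print $1 }' "$1"
}

# Password state from the second shadow field, matching the name exactly.
lock_status() {      # lock_status USER SHADOW_FILE
    awk -F: -v u="$1" '
        $1 == u { found = 1
                  if ($2 == "")          print "empty"
                  else if ($2 ~ /^[!*]/) print "locked"
                  else                   print "password-set" }
        END     { if (!found) print "missing" }' "$2"
}

# One line per shell-bearing account: "<name> <password state>".
audit() {            # audit PASSWD_FILE SHADOW_FILE
    for u in $(shell_accounts "$1"); do
        printf '%s %s\n' "$u" "$(lock_status "$u" "$2")"
    done
}

# Write constructed passwd/shadow samples into directory $1.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
statd:x:484:65534:constructed entry:/var/lib/nfs:/sbin/nologin
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
demo:x:1000:100:constructed user:/home/demo:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:17105::::::
at:!:17115::::::
statd:!:17115::::::
ftp:*:17105::::::
demo:$6$constructed$hash:17115::::::
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

On a live system, run `audit /etc/passwd /etc/shadow` as root; any account reported as `password-set` or `empty` still has a usable password alongside its login shell.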

Answers

0

My opinion is, if the user exists on the system, maybe it has some use. So rather than blindly changing shells, I'd verify which service(s) rely on a specific user and whether the user plays some actual role on the system.

If you look at your /etc/shadow file (I'm assuming you are using shadow passwords) you might notice that most of those accounts are disabled (password field set to '0' for example).

For those that are actually enabled, I'd either remove the service if I don't need it on the server (i.e.: ftp) or disable the user completely. You can refer to this question for more information on how to disable a user account correctly.

Alessandro Dotti Contra

Posted 2017-01-08T09:13:25.527

Reputation: 434

I've updated my question with some more info. So can I leave the system untouched now that I know all services are actually locked? Is it safe? – Asaf Magen – 2017-01-08T15:30:20.037

User-wise it should be safe. But since your system is connected to some kind of network, I would check all the services it exposes to the network and disable the ones I don't need. A good tutorial about system hardening may be of use. – Alessandro Dotti Contra – 2017-01-09T14:37:11.987