Mastering Linux Security and Hardening

Locking user accounts

Okay, you've just seen how to have Linux automatically lock user accounts that are under attack. There will also be times when you'll want to be able to manually lock out user accounts. Let's look at a few examples:

  • When a user goes on vacation and you want to ensure that nobody monkeys around with that user's account while he or she is gone
  • When a user is under investigation for questionable activities
  • When a user leaves the company

With regard to the last point, you may be asking yourself, "Why can't we just delete the accounts of people who are no longer working here?" And you certainly can, easily enough. However, before you do so, you'll need to check your local laws to make sure that you don't get yourself into deep trouble. Here in the United States, for example, we have the Sarbanes-Oxley law, which restricts which files publicly traded companies can delete from their computers. If you were to delete a user account, along with that user's home directory and mail spool, you just might be running afoul of Sarbanes-Oxley or whatever you may have as the equivalent law in your own home country.

Anyway, there are two utilities that you can use to temporarily lock a user account:

  • Using usermod to lock a user account
  • Using passwd to lock user accounts

In apparent contradiction to what I just said, at some point you will need to remove inactive user accounts. That's because malicious actors can use an inactive account to perform their dirty deeds, especially if that inactive account had any sort of administrative privileges. But when you do remove the accounts, make sure that you do so in accordance with local laws and with company policy. In fact, your best bet is to ensure that your organization has written guidelines for removing inactive user accounts in its change management procedures.
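
Both utilities named above lock an account by prefixing the stored password hash in `/etc/shadow` with `!`, so the lock can be audited by reading that field. The following is an added example, not code from the book: the helper names `lock_state` and `write_sample` and the sample users are constructed for illustration, and the `-L`/`-l` options in the comments are the standard shadow-utils options rather than something this page spells out.

```shell
#!/bin/sh
# Added example. shadow(5) fields: name:password:lastchg:min:max:warn:inactive:expire:
# `usermod -L USER` and `passwd -l USER` both prefix the stored hash with '!';
# `usermod -U USER` / `passwd -u USER` remove it again.

# lock_state FILE USER [TODAY_IN_DAYS] -> active | locked | nopassword | empty,
# with "+expired" appended when the account expiry date has passed; "unknown" if absent.
lock_state() {
    today=${3:-}
    [ -n "$today" ] || today=$(( $(date +%s) / 86400 ))
    awk -F: -v u="$2" -v today="$today" '
        $1 == u {
            found = 1
            if ($2 == "")                          state = "empty"       # no password required
            else if ($2 ~ /^!+$/ || $2 ~ /^\*/)    state = "nopassword"  # never had a usable hash
            else if ($2 ~ /^!/)                    state = "locked"      # hash kept, prefixed with !
            else                                   state = "active"
            if ($8 + 0 > 0 && $8 + 0 <= today + 0) state = state "+expired"
            print state
        }
        END { if (!found) print "unknown" }
    ' "$1"
}

# Constructed sample data; the hashes are placeholders, not real crypt(3) output.
write_sample() {
    cat > "$1" <<'EOF'
alice:$6$CONSTRUCTED$placeholderhash:19700:0:99999:7:::
bob:!$6$CONSTRUCTED$placeholderhash:19700:0:99999:7:::
carol:!$6$CONSTRUCTED$placeholderhash:19700:0:99999:7::1:
daemon:*:19700:0:99999:7:::
EOF
}

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
write_sample "$SAMPLE"
for user in alice bob carol daemon mallory; do
    printf '%-8s %s\n' "$user" "$(lock_state "$SAMPLE" "$user")"
done
```

A locked password does not block other authentication tokens such as SSH keys, which is why the function also reports account expiry (field 8, set with `usermod --expiredate`).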