Auditing Weak User Accounts On UNIX System

Whenever we talk about auditing weak user accounts on UNIX or UNIX like systems the very first thought that comes to mind is using John The Ripper or L0phtCrack to audit weak passwords.
This is very big misconception among most of the people that weak user accounts only means accounts with weak passwords.
A normal user account isn't that normal if you haven't edited any of the permissions for it. So lets see how many abnormal tasks a normal user can perform if his account is not properly audited. Lets start with creation of user account.
Usually we type following command to create a normal user in UNIX or UNIX like systems.

[root@localhost~]#useradd newuser
[root@localhost~]#passwd newuser

Now what's the problem with this user creation method.

Problem number 1: This user is not member of any group.
Problem number 2: This user will have his own folder in /home directory.

If a user is in shared network environment then it is mandatory that user must be a member of some group and he/she must not have primary group of his own. By creating user by abovemethod you have given him two powers, power to own his own group and next power of having a separate folder. Here's how you should add a user to avoid above problems.

[root@localhost~]# useradd -d /home/group_name -g group_name newuser
[root@localhost~]#passwd newuser

-d: will set default folder for user to /home/group_name
-g: will add user to group_name as primary group member

Now what might be the scope of the user we created about using and accessing disk space and memory? The answer is unlimited. That means newuser can create as many files and folders he/she wants ultimately covering up all disk-space or alternatively he/she can write or run a program that consumes lot of memory, that means if he writes and executes a programwhich recursively increases its stack or just able to smash its own stack then a normal user can make complete system to crash down and stand still.
And his rights to access any folder can help him hide a script or program that he/she can use to escalate privileges later to become super user without anyone noticing it.

Above problems can be solved by activating disk quota on system. According to the UNIX or Linux system you are using refer its manual to see how to activate disk quota. Once activated you can set disk quota by typing following commands,

[root@localhost~]#set quota -u newuser abc / 8000 10000 400 500

The above command will set 10000 bytes for newuser in ' / ' partition and he/she will be warned if his/her disk usage goes above 8000 bytes. At maximum he/she can create 500 fileswith warning on 400th file. You can replace ' / ' with directory name where you want to restrict the user.
The next problem is how to restrict user's power to use unlimited memory access? To set restrictions open “/etc/security/limits.conf” file in VI editor or any familiar editor to you. The syntax of file is quite explanatory and will differ according to the version and base kernel of your system.

Last thing that is problematic is life of account. To check it out type following command,

[root@localhost~]#chage -l newuser

Now have a look on output you'll find account expires never, password expires never, days to change password 99999. Believe it or not this is default user account setting in every UNIX and Linux system. If you are smart enough then you can easily figure out how fatal this kind of account can prove to your system if this information is not changed. To change account permissions type

[root@localhost~]change newuser


and set permissions.

There are several steps involved in auditing a UNIX or UNIX like system depending for what system is configured but auditing weak user accounts for their permissions and passwords is common task in all no matter what your motive is. I know an experienced UNIX administrator will find this article is of little help whereas new administrators will find it useful. Anyways I hope RHA readers like this post, thanks for reading, happy hacking.