Chapter 6: Manage Local Users and Groups

Hello everyone, and welcome back to my RH124 lab blog! In this post, I'll be sharing my experience of completing the lab exercises at the end of Chapter 6, 'Manage Local Users and Groups.' The lab consisted of 9 questions that required us to apply the knowledge gained in the chapter to manage local user and group accounts, set password policies, and grant superuser access using the sudo command. Throughout the lab, I learned valuable skills such as creating, modifying, and deleting user and group accounts, setting password policies, and managing user account lockouts. Join me as I share my insights on the lab questions and how I solved them step by step!

Question 1: From the workstation machine, open an SSH session to the serverb machine as the student user and switch to the root user.

Solution:

This required opening an SSH session from the workstation machine to the serverb machine as the student user and then switching to the root user. To achieve this, I used the 'ssh' command followed by the username and hostname of the remote server, which allowed me to log in to serverb securely while maintaining my ID as the student user. Once logged in, I used the 'sudo -i' command to switch to the root user and gain superuser access. This straightforward exercise highlighted the importance of secure shell access and the sudo command in managing a Linux system.

Question 2: On the serverb machine, ensure that newly created users must change their passwords every 30 days.

Solution:

This required that I ensure that newly created users on the serverb machine must change their passwords every 30 days. To achieve this, I edited the /etc/login.defs file on the serverb machine using the 'vim' command with administrative rights. In the file, I located the 'PASS_MAX_DAYS' parameter and set its value to 30, which specifies the maximum number of days a password is valid. By setting this parameter, I ensured that any new users created on the serverb machine would have to change their passwords every 30 days, which is an essential security measure in protecting the system against unauthorized access.

Question 3: Create the consultants group with a GID of 35000.
Solution:

To create a new group called 'consultants' with a Group ID (GID) of 35000, I used the 'groupadd' command followed by the '-g' option and the desired GID of 35000, and the name of the new group 'consultants'. This command allowed me to create the 'consultants' group and the ‘-g’ option let me specify a GID.

Question 4: Configure administrative rights to enable all consultants group members to execute any command as any user. Avoid using visudo to edit the /etc/sudoers file, instead, follow the best practice of placing the configuration file in the /etc/sudoers.d directory.

Solution:

To achieve this, I followed the best practice of placing the configuration file in the /etc/sudoers.d directory instead of editing the /etc/sudoers file directly. I used the 'vim' command to create a new file in the /etc/sudoers.d directory called 'consultants' and added the following line to it: '%consultants ALL=(ALL) ALL'. This configuration allows all members of the 'consultants' group to execute any command as any user with full administrative rights. By using the /etc/sudoers.d directory, I ensured that my configuration changes would not be overwritten by system updates or modifications to the main sudoers file, which is a best practice for managing system configurations on Linux.

Question 5: Create the consultant1, consultant2, and consultant3 users with the consultants group as their supplementary group.

Solution:

I used the 'useradd' command followed by the '-G' option and the name of the 'consultants' group, and the desired username for each user. Using the '-G' option let me specify that the 'consultants' group should be added as a supplementary group for each new user. By adding the 'consultants' group as a supplementary group for these users, I ensured that they would have access to any administrative commands allowed for the 'consultants' group as per our previous configuration changes.

Question 6: Set the consultant1, consultant2, and consultant3 passwords to redhat.

Solution:

Using the 'passwd' command followed by the username is how to change a user’s password. For example, to set the password for consultant1, I used the command 'passwd consultant1' and then entered the new password when prompted. I repeated this process for consultant2 and consultant3, ensuring that all users had the same password 'redhat'. By setting the same password for all users, I made it easier to manage and remember the passwords for these accounts."

Question 7: Set the consultant1, consultant2, and consultant3 accounts to expire in 90 days from the current day.

Solution:

To accomplish this, I used the 'date' command to determine the future date 90 days from today. I used the command 'date -d "+90 days" +%F' which returns the date 90 days from today in the YYYY-MM-DD format. Next, I used the 'chage' command to set the expiry date for each user account. I used the '-E' option followed by the future date determined earlier and the username of each user. For example, to set the expiry date for consultant1, I used the command 'chage -E 2023-07-10 consultant1'. I repeated this process for consultant2 and consultant3. By setting the expiry date for these user accounts, we ensured that they would not be able to log in after the specified date unless their accounts were renewed.

Question 8: Change the password policy for the consultant2 account to require a new password every 15 days.
Solution:

I used the 'chage' command with the '-M' option followed by the number of days. Specifically, I used the command 'chage -M 15 consultant2' which sets the maximum number of days between password changes to 15 for the 'consultant2' user account. By changing the password policy for this user account, we increased the security of the system by requiring the user to change their password more frequently.

Question 9: Additionally, force the consultant1, consultant2, and consultant3 users to change their passwords on the first login.

Solution:

For the final question, I was asked to force the consultant1, consultant2, and consultant3 users to change their passwords on the first login. To do this, we used the 'chage' command again, but this time with the '-d' option followed by 0. Specifically, I used the commands 'chage -d 0 consultant1', 'chage -d 0 consultant2', and 'chage -d 0 consultant3' to set the date of the last password change to the epoch (0), which forces the users to change their passwords on the next login. By forcing the users to change their passwords on the first login, we added an extra layer of security to the system by ensuring that the default passwords are not used beyond the initial login.

Conclusion

In this lab, I learned how to manage local users and groups on a Linux system. I practised a range of tasks such as switching to the superuser account, creating, modifying, and deleting local user accounts, creating and deleting local group accounts, setting a password management policy for users, and manually locking and unlocking user accounts. Additionally, I created a new group and configured administrative rights to allow members to execute any command as any user.

I encourage readers to share their own experiences in managing users and groups on a Linux system, ask questions about the lab, or suggest any additional tips they have found helpful in the comments section. Don't hesitate to join in the conversation!