www.bonsaiframework.com
Page tree

Versions Compared

Old Version 24

changes.mady.by.user Tin Pham

Saved on

compared with

New Version Current

changes.mady.by.user Tin Pham

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Outlined here are the minimal security steps the Bonsa Framework uses in server builds. Given that these account names are on the Internet you may want to change them. However, this may be greatly mitigated with RSA SSH key based authentication.

Allow staff Group to sudo

Rather then editing the /etc/sudoers using visudo, this approach ensures that system upgrades will not overwrite your changes. 

Download File Using tscripts

Download tscripts,

Code Block
languagebash
cd ~
wget http://www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
sudo cp 01_enable_sudo_for_staff /etc/sudoers.d/
rm 01_enable_sudo_for_staff

 

Manual Method

If you want to create the file manually,

Code Block
languagebash
# Locks its and validates for syntax errors.
sudo visudo -f /etc/sudoers.d/01_bonsai_disable_password_auth

visudo launches your default editor to a special file. Add the following to the file,

Code Block
languagebash
# Members of the staff group may gain root privileges.
%staff ALL=(ALL) ALL

 

Going forward, make sure to use visudo to edit the 01_bonsai_disable_password_auth file to ensure proper permissions and locking,

Naming Convention

You may want to understand the naming convention used here if you want to build your own. Otherwise, the examples are self-explanatory and have not encountered any issues.

...

Also, the serveradmin account is limited in that it can not use sudo. If an attacker compromises the application, sudo is still out of reach.

Finally, in order to easily use Zero Footprint, create serveradmin consistently (same GID's and name) across all your systems.

Add the user and assign a password to that user,

...

Code Block
languagebash
sudo useradd -d /home/brian.hitch -m -g staff -u 2000 -c "Support Bryan Hitch" -s /bin/bash brian.hitch
sudo useradd -d /home/john.cassaday -m -g staff -u 2001 -c "Support John Cassaday" -s /bin/bash john.cassaday
sudo useradd -d /home/warren.ellis -m -g staff -u 2002 -c "Support Warren Ellis" -s /bin/bash warren.ellis

 

Expand
titleOptions:
-b, --base-dir BASE_DIR base directory for the home directory of the new account
-c, --comment COMMENT GECOS field of the new account
-d, --home-dir HOME_DIR home directory of the new account
-D, --defaults print or change default useradd configuration
-e, --expiredate EXPIRE_DATE expiration date of the new account
-f, --inactive INACTIVE password inactivity period of the new account
-g, --gid GROUP name or ID of the primary group of the new account
-G, --groups GROUPS list of supplementary groups of the new account
-h, --help display this help message and exit
-k, --skel SKEL_DIR use this alternative skeleton directory
-K, --key KEY=VALUE override /etc/login.defs defaults
-l, --no-log-init do not add the user to the lastlog and faillog databases
-m, --create-home create the user's home directory
-M, --no-create-home do not create the user's home directory
-N, --no-user-group do not create a group with the same name as the user
-o, --non-unique allow to create users with duplicate (non-unique) UID
-p, --password PASSWORD encrypted password of the new account
-r, --system create a system account
-R, --root CHROOT_DIR directory to chroot into
-s, --shell SHELL login shell of the new account
-u, --uid UID user ID of the new account
-U, --user-group create a group with the same name as the user
-Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping
--extrausers Use the extra users database 

Notice the -u which set's the user's GUIDs. We found it essential to standardize on the GUID of the accounts across all our systems consistently. Not doing so causes problems when it comes to cloning systems or moving programs across different environments. As a practice, we use the following GUID's ranges,

...

Additionally, we use the GUID range 4000-4999 for clients who would send in staff to work on the servers. Since the number of users with this kind of access should not be too large we can make the group blocks match the user blocks,

GroupUsers
4000

RedClient1 = 4000
RedClient2 = 4001
RedClient3 = 4002
RedClient5 = 4003

4010BlueClient1 = 4010
BlueClient2 = 4011
4020GreenClient1 = 4020
GreenClient2 = 4021
GreenClient3 = 4022

Next, we add to the Staff users the following groups,

...

Code Block
languagebash
sudo passwd brian.hitch
Enter new Unix password:
Reenter new Unix password:
passwd: password updated successfully
sudo passwd john.cassaday
sudo passwd warren.ellis

Allow staff Group to sudo

Rather then editing the /etc/sudoers using visudo, this approach ensures that system upgrades will not overwrite your changes. 

Download File Using tscripts

Download tscripts,

Code Block
languagebash
sudo su - root
cd /etc/sudoers.d/
sudo wget www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
sudo chmod o-r /etc/sudoers.d/01_enable_sudo_for_staff
exit


Manual Method

If you want to create the file manually,

Code Block
languagebash
# Locks the file for single user access (important in a multi-user system) and validates for syntax errors.
sudo visudo -f /etc/sudoers.d/01_bonsai_disable_password_auth

visudo launches your default editor to a special file. Add the following to the file,

Code Block
languagebash
# Members of the staff group may gain root privileges.
%staff ALL=(ALL) ALL

 

Going forward, make sure to use visudo to edit the 01_bonsai_disable_password_auth file to ensure proper permissions and locking,


Warning

At this point it is important to log out and log in with your staff account to continue any new work. This will allow for a proper audit trail of the system from this point forward.

...

remotebackup - User to create remote backups. The assigned UID will be 3001.

 


Code Block
languagebash
sudo useradd -d /home/remotebackup -m -g backup -u 3001 -c "Remote Backup" -s /bin/bash remotebackup

Create regular Users

If you would like to add regular users without giving them sudo access then follow below instructions

Create regular group

Code Block
languagebash
sudo addgroup support

Create users and add them to group "support"

Code Block
languagebash
sudo useradd -d /home/tom.hitch -m -g support -u 2500 -c "Support Tom Hitch" -s /bin/bash tom.hitch
sudo useradd -d /home/rohan.cassaday -m -g support -u 2501 -c "Support Rohan Cassaday" -s /bin/bash rohan.cassaday
sudo useradd -d /home/dennis.ellis -m -g support -u 2502 -c "Support Dennis Ellis" -s /bin/bash dennis.ellis

Granting Non-staff User to use sudo with Certain Commands

...