Introduction
Outlined here are the minimal account-security steps the Bonsa Framework uses in server builds. Since these account names are published on the Internet, you may want to change them; that exposure is, however, greatly mitigated by RSA SSH key-based authentication.
Allow staff Group to sudo
Use account names associated with a real person. For this example, I will be placing administrative users in the staff group. To see the list of groups available to you, use the command cat /etc/group.
These steps assume that you are logged in as the initial Ubuntu user, which has sudo access. If you are using root instead, you do not need to prefix any command with sudo.
By default the staff group does not have sudo access. To grant sudo access to the staff group, edit the sudoers file:
sudo visudo
visudo launches your default editor on the sudoers file and checks the syntax before saving. Add the following two lines at the bottom of the file:
# Members of the staff group may gain root privileges
%staff ALL=(ALL) ALL
Create Catch-All serveradmin user
The purpose of serveradmin is to be the catch-all account for setting up things like scripts. Depending on your organization's requirements, it may also be used to manually set up software such as application servers.
Along the same lines, in a more security-sensitive environment we could set up distinct accounts instead of a single serveradmin: one for the manual setup of Tomcat, one for the manual setup of PostgreSQL, and so on.
The serveradmin account is also limited in that it cannot use sudo: it is created with its own primary group rather than staff, so the %staff rule in sudoers does not apply to it. If an attacker compromises the application, sudo is still out of reach.
Add the group and the user, then assign a password to that user:
sudo addgroup --gid 3000 serveradmin
sudo useradd -d /home/serveradmin -m -g serveradmin -u 3000 -c "Admin catch-all" -s /bin/bash serveradmin
sudo passwd serveradmin
Create Staff Users
We will also create staff users associated with the built-in staff group so we know who is working on the machine. As a policy, our team requires that, unless absolutely necessary, staff log in with their own account and then su to serveradmin or use sudo for maintenance work. That way we have a trail of who does what.
sudo useradd -d /home/bhitch -m -g staff -u 2000 -c "Support Bryan Hitch" -s /bin/bash bhitch
sudo useradd -d /home/jcassaday -m -g staff -u 2001 -c "Support John Cassaday" -s /bin/bash jcassaday
sudo useradd -d /home/wellis -m -g staff -u 2002 -c "Support Warren Ellis" -s /bin/bash wellis
When adding an existing user to an existing group the user must log out and log back in for changes to take effect.
Notice the -u option, which sets the user's UID. We found it essential to standardize the UIDs of accounts consistently across all our systems. Not doing so causes problems when cloning systems or moving programs across different environments. As a practice, we use the following UID ranges:
- Staff 2000-2499
- Guest staff users 2500-2999
- Custom services 3000-3999
Additionally, we use the UID range 4000-4999 for clients who send in their own staff to work on the servers. Since the number of users with this kind of access should not be too large, we can make the group blocks match the user blocks:
| Group | Users |
|---|---|
| 4000 | RedClient1 = 4000 |
| 4010 | BlueClient1 = 4010, BlueClient2 = 4011 |
| 4020 | GreenClient1 = 4020, GreenClient2 = 4021, GreenClient3 = 4022 |
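The following audit script is an added example, not part of the original write-up: it checks an existing passwd/group pair against the UID ranges above and the %staff sudoers rule, so that a service or client account that has drifted into the staff group is caught before it inherits sudo. The client-block rule (primary GID equal to the block's base UID) is assumed from the table, and the sample account data is constructed.

```shell
# audit_uid_policy PASSWD_FILE GROUP_FILE: check a passwd/group pair against
# the UID scheme above. (1) UID 2000-2999 must have primary group "staff";
# (2) UID 3000-4999 must not be in "staff" at all, since "%staff ALL=(ALL) ALL"
# would hand them sudo; (3) UID 4000-4999 must have GID = UID rounded down to
# a multiple of 10 (assumed from the client table). Prints "user: reason"; exits 1 if any.
audit_uid_policy() {
    awk -F: '
        BEGIN { bad = 0; have_staff = 0 }
        function fail(u, msg) { print u ": " msg; bad = 1 }
        FNR == NR {                         # group file: find staff GID and members
            if ($1 == "staff") {
                have_staff = 1; staff_gid = $3 + 0
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") in_staff[m[i]] = 1
            }
            next
        }
        {                                   # passwd file: apply the three rules
            user = $1; uid = $3 + 0; gid = $4 + 0
            if (uid < 2000 || uid > 4999) next
            if (uid <= 2999 && gid != staff_gid)
                fail(user, "staff-range UID " uid " but primary GID is " gid)
            if (uid >= 3000 && (gid == staff_gid || (user in in_staff)))
                fail(user, "service/client UID " uid " is in staff (would get sudo)")
            want = int(uid / 10) * 10
            if (uid >= 4000 && gid != want)
                fail(user, "client UID " uid " expects GID " want ", has " gid)
        }
        END { if (!have_staff) { print "staff group not found"; bad = 1 }; exit bad }
    ' "$2" "$1"
}
# make_sample_db DIR: constructed passwd/group files (not from a real host);
# jcassaday, serveradmin and greenclient1 deliberately break the rules.
make_sample_db() {
    cat > "$1/group" <<'EOF'
adm:x:4:bhitch,jcassaday
staff:x:50:bhitch,serveradmin
EOF
    cat > "$1/passwd" <<'EOF'
bhitch:x:2000:50:Support Bryan Hitch:/home/bhitch:/bin/bash
jcassaday:x:2001:1000:Support John Cassaday:/home/jcassaday:/bin/bash
serveradmin:x:3000:3000:Admin catch-all:/home/serveradmin:/bin/bash
remotebackup:x:3001:34:Remote Backup:/home/remotebackup:/bin/bash
blueclient2:x:4011:4010:Blue client 2:/home/blueclient2:/bin/bash
greenclient1:x:4020:50:Green client 1:/home/greenclient1:/bin/bash
EOF
}
dir=$(mktemp -d); make_sample_db "$dir"
audit_uid_policy "$dir/passwd" "$dir/group" || echo "policy violations found"
```

On a real host run it as audit_uid_policy /etc/passwd /etc/group; a clean system prints nothing and exits 0.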
Next, we add the staff users to the following groups:
- adm - so staff can view the logs of installed applications without having to use sudo
Here are the commands:
sudo usermod -a -G adm bhitch
sudo usermod -a -G adm jcassaday
sudo usermod -a -G adm wellis
The above step could have been done at user creation time; however, it illustrates user modification as part of the tutorial.
Do not forget to set passwords for the new accounts:
sudo passwd bhitch
Enter new Unix password:
Reenter new Unix password:
passwd: password updated successfully
sudo passwd jcassaday
sudo passwd wellis
At this point it is important to log out and log in with your staff account to continue any new work. This will allow for a proper audit trail of the system from this point forward.
Create Auxiliary Users
If you want to make this into a truly enterprise system, you will also need a few more users.
remotebackup - User to create remote backups. The assigned UID will be 3001.
sudo useradd -d /home/remotebackup -m -g backup -u 3001 -c "Remote Backup" -s /bin/bash remotebackup