Single-User Mode Require Authentication

June 20, 2008

By default on Red Hat Linux, anyone at the console can enter single-user mode simply by editing the kernel line in the GRUB boot menu and appending “single” (the old LILO form was “linux single”); they are dropped to a root shell without being asked for a password. Some believe this is left in to ease recovery for users who have lost the root password. In any case it is a clear security risk: authentication should always be required for root-level access. It should be noted that it is extremely difficult to prevent compromise by an attacker who has the knowledge, the tools and full physical access to a system; a measure like this simply raises the bar by requiring more of each of those factors. These last two items have tried to address physical and boot security. To make these preparations more complete, set the BIOS to boot only from the main hard disk and lock that setting with a BIOS password.

To require authentication for single-user mode, edit /etc/inittab and add the following line directly below the initdefault entry:

id:3:initdefault:

~~:S:wait:/sbin/sulogin

With this entry, init runs sulogin when it enters runlevel S, and sulogin asks for the root password before it gives out a shell. Note what this does not cover: an attacker who can edit the GRUB kernel line can pass init=/bin/bash (or init=/bin/sh) instead, which bypasses init and /etc/inittab altogether. The sulogin entry is therefore only effective together with a GRUB password (the password directive in grub.conf, which guards menu editing) and the BIOS settings mentioned above.


How To Auto Logout User In Linux After Certain Minutes Of Idle

June 18, 2008

Almost everyone is forgetful and leaves Linux/Unix login sessions open without logging out.

So how do you make sure that all your Linux servers automatically log users out after they have been idle for a certain number of minutes?

The simplest way is to set the TMOUT shell variable.

For example, the command

export TMOUT=60

makes bash (and ksh) terminate the session once it has waited 60 seconds, i.e. 1 minute, for input at the prompt.

TMOUT is honoured by the shell itself, so it applies to command-line sessions only (console or SSH).

For X Window or GUI logins, turn on a screen-saver that locks the screen after a period of inactivity, much like the one in Windows.

For testing, set a lower limit. While logged in, su to another user ID and run

export TMOUT=10

After 10 seconds of idle time at the prompt you will see the following warning and the su session is terminated:

timed out waiting for input: auto-logout

To apply TMOUT to every login account, you could put the export command in each user's login profile (.bash_profile or .profile) in their home directory.

The easier way is to put it in the system-wide profile instead: append export TMOUT=60 to /etc/profile, which every login shell reads.

Bear in mind that, set this way, any user can simply overwrite the setting in their own shell, extending the time-out or disabling the auto-logout altogether by setting TMOUT to zero:

export TMOUT=0

To prevent that, mark the variable read-only in /etc/profile (readonly TMOUT, after the export); bash and sh then refuse any later assignment to, or unset of, TMOUT in that session.

Also note that TMOUT only counts idle time at the shell prompt. If a program such as vi is running in the foreground, the shell is not waiting for input, so the auto-logout will not trigger no matter how long the editor sits idle.
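The following is an added example, not code from the original post, showing the /etc/profile policy with the timeout locked down and a probe that demonstrates the difference: before the policy is applied a user's TMOUT=0 succeeds, afterwards it is refused. The function names and the 600-second default are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: the /etc/profile idle-timeout
# policy with the variable made read-only, plus a probe showing that a later
# "TMOUT=0" is refused once it is. The 600-second default is an assumption.

# Apply the policy: set the idle timeout, export it, then make it read-only so
# that "export TMOUT=0", "TMOUT=99999" or "unset TMOUT" in the user's shell fail.
# These three lines are what belongs in /etc/profile (or /etc/profile.d/tmout.sh).
apply_tmout_policy() {
    TMOUT="${1:-600}"
    export TMOUT
    readonly TMOUT
}

# Report whether the current shell still lets TMOUT be changed.
# Prints "writable" if an assignment succeeds, "locked" if it is refused.
# The assignment is attempted in a subshell so the probe never alters the
# real value.
tmout_override_status() {
    if ( TMOUT=0 ) 2>/dev/null; then
        echo writable
    else
        echo locked
    fi
}

# Current value, so a check script can confirm the policy took effect.
tmout_value() {
    printf '%s\n' "${TMOUT:-unset}"
}
```

Two limits remain even with the read-only variable: only login shells read /etc/profile (a non-login interactive bash reads ~/.bashrc instead), and a user can still start a different shell binary or leave a foreground program running, so this is a hygiene control, not a hard one.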


Security Policy – Allow normal user to su without password

June 12, 2008

Every Unix and Linux system ships with its own default policies. Usually these do not match local policy on which users are allowed what kind of access to which resources, and when. Local security policy may also require non-default authentication and/or logging.

A system administrator must examine the system's configuration files and update them where necessary to enforce local policy. On modern systems PAM (Pluggable Authentication Modules) can be used to configure a wide range of security policies, including which databases are used to authenticate users, minimum password length, maximum login attempts, special permissions for console users (to various commands and devices), and many others.

The wheel group policy

The wheel group lets you designate several system administrators, none of whom needs the root password. The group was first used this way on Unix systems, but with PAM any system can enable this handy feature. With the PAM configuration below, any member of group wheel can become root with su without supplying any password. That is a strong privilege: membership of wheel becomes equivalent to holding the root password, so the group must be kept small and its members' own passwords protected accordingly.

Exercise
1) Create a user who will act as the trusted user and assign that user a password:
#useradd master
#passwd master
2) Add the user to the wheel group's member list:
#usermod -a -G wheel master
Use -a (append). Without it, usermod -G wheel master replaces the user's existing supplementary groups with wheel alone.
3) Edit the PAM configuration file for su, /etc/pam.d/su, and uncomment the line
auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
This makes wheel members trusted users: with the trust option pam_wheel returns success for them, and because the line is marked sufficient, no further authentication (the password modules that follow it) is required. The neighbouring commented line, auth required pam_wheel.so use_uid, does the opposite job: it limits su to wheel members but still asks for the root password. Uncomment that one instead when the goal is to restrict who may su rather than to remove the password.
4) Now log in as master and run
#su -
The master user becomes root without entering a password.
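The following is an added example, not code from the original post, for telling the two pam_wheel policies apart on a host: it classifies an /etc/pam.d/su style file as open (no pam_wheel line active), wheel-only (su restricted to wheel, password still required) or wheel-trust (the post's line active, wheel members become root with no password). The sample files it writes are constructed, and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: classify the pam_wheel policy
# in an /etc/pam.d/su style file, so that "wheel members may su" can be told
# apart from "wheel members get root with no password". It reads whatever path
# you pass; the sample files below are constructed.

# Write a constructed su PAM file to $1. $2 selects the variant:
#   default  - both pam_wheel lines left commented out (stock behaviour)
#   restrict - "auth required pam_wheel.so use_uid" active: only wheel may su
#   trust    - the post's line active: wheel members su to root unprompted
write_sample_pam_su() {
    {
        echo '#%PAM-1.0'
        echo 'auth       sufficient   pam_rootok.so'
        echo '# Uncomment the following line to implicitly trust users in the "wheel" group.'
        case "$2" in
            trust) echo 'auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid' ;;
            *)     echo '#auth      sufficient   pam_wheel.so trust use_uid' ;;
        esac
        echo '# Uncomment the following line to require a user to be in the "wheel" group.'
        case "$2" in
            restrict) echo 'auth       required     pam_wheel.so use_uid' ;;
            *)        echo '#auth      required     pam_wheel.so use_uid' ;;
        esac
        echo 'auth       include      system-auth'
        echo 'account    include      system-auth'
        echo 'password   include      system-auth'
        echo 'session    include      system-auth'
    } > "$1"
}

# Active (uncommented) auth lines that load pam_wheel.so.
pam_wheel_auth_lines() {
    grep -E '^[[:space:]]*auth[[:space:]]' "$1" | grep -F 'pam_wheel.so' || true
}

# Print the effective policy:
#   open         no active pam_wheel line; anyone may try su, root password required
#   wheel-only   pam_wheel is required/requisite; su limited to wheel, password still asked
#   wheel-trust  pam_wheel is sufficient with "trust"; wheel members become root unprompted
pam_su_wheel_policy() {
    lines=$(pam_wheel_auth_lines "$1")
    if printf '%s\n' "$lines" | grep -E 'sufficient[[:space:]].*[[:space:]]trust([[:space:]]|$)' >/dev/null; then
        echo wheel-trust
    elif printf '%s\n' "$lines" | grep -E '[[:space:]](required|requisite)[[:space:]]' >/dev/null; then
        echo wheel-only
    else
        echo open
    fi
}
```

The trust keyword is what removes the password prompt; a required pam_wheel line without it only narrows who may use su. Running pam_su_wheel_policy /etc/pam.d/su across a fleet is a quick way to find hosts where someone has enabled the trust line without the rest of the policy (a small, reviewed wheel group) behind it.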