-
Book Overview & Buying
-
Table Of Contents
Oracle 11g Anti-hacker's Cookbook
By :
On critical systems it is usually considered a bad practice to allow direct remote logins to system users, such as root or other application owners, and shared users, such as oracle. As a method for better control and from the user audit point of view, it is recommended to create different login users that will be allowed to connect and perform switches (su) to users considered critical. No other users should be exposed to the external world to allow direct, remote, or local connections.
In this recipe, we will create a group log and a user named loguser1, and we will disable direct logins for all others.
All steps will be performed on nodeorcl1.
[root@nodeorcl1 ~]# groupadd logingrp
logingrp group as follows:[root@nodeorcl1 ~]# useradd -g logingrp loginuser1
/etc/pam.d/system-auth:account required pam_access.so
/etc/security/access.conf::ALL EXCEPT logingrp :ALL
logingrp group will be denied. If we try to connect from nodeorcl5 the connection will be closed:[loguser1@nodeorcl5 ~]$ ssh -l oracle nodeorcl1 oracle@nodeorcl1's password: Connection closed by 10.241.132.218 [loguser1@nodeorcl5 ~]$
loginuser1:[loguser1@nodeorcl5 ~]$ ssh -l loginuser1 nodeorcl1 loguser1@nodeorcl1's password: [loguser1@nodeorcl1 ~]$
su capabilities for all users exempting loginuser1, open /etc/pam.d/su and uncomment the following line as instructed in the file:# Uncomment the following line to require a user to be in the "wheel" group. auth required pam_wheel.so use_uid
wheel group are not allowed to switch to an other user. Add loginuser1 to the wheel group as follows. In this way the only user that may execute su command will be loginuser1:[root@nodeorcl1 etc]# usermod -G wheel loginuser1
su command with the oracle user, you will get incorrect password message, and the switch cannot be performed:[oracle@nodeorcl1 ~]$ su - Password: su: incorrect password [oracle@nodeorcl1 ~]$
loguser1 it succeeds:[loguser1@nodeorcl1 ~]$ su - Password: [root@nodeorcl1 ~]#
The PAM module that performs the login check is pam_access.so, with the control flag set to required and the module type account. The control of su command is performed by the pam_wheel.so module.
At this moment all users who do not belong to the group logusers are not allowed to log in locally or remotely. The only exemption is root login using ssh. We will see how to deny remote root logins with ssh in the following recipe, Securing SSH login.
Change the font size
Change margin width
Change background colour