5.13. Special accounts

It is important to DISABLE ALL default vendor accounts that you don't use on your system, some accounts exist by default even if you have not installed the related services on your server. This should be checked after each upgrade or new software installation. Linux provides these accounts for various system activities, which you may not need if the services are not installed on your server. If you do not need the accounts, remove them. The more accounts you have, the easier it is to access your system.

We assume you are using the Shadow password suite on your Linux system. If you are not, you should consider doing so, as it helps to tighten up security somewhat. This must already be set if you've followed our instructions till now and selected under the Authentication Configuration the option to Enable Shadow Passwords see Post Partitioning for more information. To delete user on your system, use the command:

               [root@deep] /# userdel username
To delete group on your system, use the command:

               [root@deep] /# groupdel username

  1. Type the following commands on your terminal to delete users listed below:
               [root@deep] /# userdel adm
                   [root@deep] /# userdel lp
                   [root@deep] /# userdel sync
                   [root@deep] /# userdel shutdown
                   [root@deep] /# userdel halt
                   [root@deep] /# userdel news
                   [root@deep] /# userdel uucp
                   [root@deep] /# userdel operator
                   [root@deep] /# userdel games       (1)  
                   [root@deep] /# userdel gopher
                   [root@deep] /# userdel ftp         (2)

    Delete this user if you don't use X Window Server.
    Delete this user if you don't use ftp anonymous server.
    By default, the userdel command will not delete a user's home directory. If you want the home directories of accounts to be deleted too, then add the -r option to the userdel command.

  2. Type the following commands on your terminal to delete the usersgroups listed below:
               [root@deep] /# groupdel adm
                   [root@deep] /# groupdel lp
                   [root@deep] /# groupdel news
                   [root@deep] /# groupdel uucp
                   [root@deep] /# groupdel games      (1) 
                   [root@deep] /# groupdel dip
                   [root@deep] /# groupdel pppusers
                   [root@deep] /# groupdel popusers   (2) 
                   [root@deep] /# groupdel slipusers

    Delete this group if you don't use X Window Server.
    Delete this group if you don't use pop server for email.

  3. Add the necessary user to the system, to add a new user on your system, use the command:
               [root@deep] /# useradd username
    To add or change password for user on your system, use the command:
               [root@deep] /# passwd username
    For example:
               [root@deep] /# useradd admin
                   [root@deep] /# passwd admin
    The output should look something like this.
               Changing password for user admin
                   New UNIX password: somepasswd
                   passwd: all authentication tokens updated successfully

  4. The immutable bit can be used to prevent accidentally deleting or overwriting a file that must be protected. It also prevents someone from creating a symbolic link to this file, which has been the source of attacks involving the deletion of /etc/passwd, /etc/shadow, /etc/group or /etc/gshadow. To set the immutable bit on the passwords and groups files, use the command:
               [root@deep] /# chattr   +i /etc/passwd
                   [root@deep] /# chattr   +i /etc/shadow
                   [root@deep] /# chattr   +i /etc/group
                   [root@deep] /# chattr   +i /etc/gshadow

Note: In future, if you intend to add or delete users, passwords, usergroups, or group files, you must unset the immutable bit on all those files or you will not be able to make your changes. Also if you intend to install an RPM program that will automatically add a new user to the different immunized passwd and group files, then you will receive an error message during the install if you have not unset the immutable bit from those files.