
Re: Completely locking out a user



On Sat, Feb 04, 2023 at 11:40:49AM +0100, Henning Follmann wrote:
> On Fri, Feb 03, 2023 at 04:27:06PM +0100, Nicolas George wrote:
> > Hi.
> > 
> > When there is a suspicious access to a user account, we want to lock
> > this account until we made sure. So “:-:” in /etc/shadow and shell to
> > /bin/false, and “sudo -u user kill -9 -1”.
> > 
> > But, at least with the default configuration, these will not block:
> > 
> > - crontabs or atjobs that download instructions from the web;
> > 
> > - .procmailrc or “|something” in .forward;
> > 
> > - probably one or two mechanisms I forgot about.
> > 
> > PAM might be able to help for some of these, but not all.
> > 
> > I tried to search on the web, but did not find anything relevant, which
> > is somewhat surprising to me.
> > 
> > Do you know of any extensive discussion about this topic, to help me set
> > something up without leaving too many holes?
> > 
> I think it would be a good idea to temporarily ban/move the home directory.
> mv /home/<user> /home/banned_<user>
> To disconnect any automatisms like procmail etc.
> If you do this, any automatisms would trigger an error which shows up in the
> log. A good way to find these (I think).
> 
> Next find any leftover files of that user in /var (likely the temp
> files are located here), /run (if you have to keep the system running, a
> reboot would flush those out)
> find /var -type f -uid <userID> -print
> 

And I forgot,
if the user was part of the group "sudo" or had explicit rights in the
sudoers file, torch the system.

-H


-- 
Henning Follmann           | hfollmann@itcfollmann.com
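The mechanisms listed in the thread (crontabs, at jobs, .forward pipes, .procmailrc, leftover files under /var) can be enumerated in one pass before the account is considered locked. The script below is an added example, not code from either poster; it assumes Debian-style spool paths (/var/spool/cron/crontabs, /var/spool/cron/atjobs) and takes an optional root prefix as second argument so it can be pointed at a mounted image or a scratch tree instead of the live system. Each finding is printed as "kind, path, countermeasure", tab-separated; the systemd user-unit, lingering and authorized_keys checks go slightly beyond the thread because a shadow-only lock does not stop them.

```shell
#!/bin/sh
# Added example: enumerate what "lock password + shell /bin/false + kill -9 -1"
# does NOT neutralise for a given account. Debian spool paths are assumed.
# Usage: audit_user_persistence <user> [root-prefix]

audit_user_persistence() {
    user="$1"
    root="${2:-}"            # "" = live system; a directory = image or test tree
    home="$root/home/$user"

    # 1. Per-user crontab: survives a password lock and a shell change.
    if [ -f "$root/var/spool/cron/crontabs/$user" ]; then
        printf 'crontab\t%s\tcrontab -r -u %s\n' \
            "$root/var/spool/cron/crontabs/$user" "$user"
    fi

    # 2. at(1) jobs: the spool files are owned by the submitting user.
    if [ -d "$root/var/spool/cron/atjobs" ]; then
        find "$root/var/spool/cron/atjobs" -type f -user "$user" 2>/dev/null |
        while IFS= read -r f; do
            printf 'atjob\t%s\tatrm <job id from atq>\n' "$f"
        done
    fi

    # 3. Mail delivery hooks run on every inbound message, login or not.
    if [ -f "$home/.forward" ] && grep -q '|' "$home/.forward"; then
        printf 'forward-pipe\t%s\tmove or empty the file\n' "$home/.forward"
    fi
    if [ -f "$home/.procmailrc" ]; then
        printf 'procmailrc\t%s\tmove or empty the file\n' "$home/.procmailrc"
    fi

    # 4. systemd user units keep running for a lingering user.
    if [ -f "$root/var/lib/systemd/linger/$user" ]; then
        printf 'linger\t%s\tloginctl disable-linger %s\n' \
            "$root/var/lib/systemd/linger/$user" "$user"
    fi
    for unit in "$home"/.config/systemd/user/*.service; do
        [ -f "$unit" ] && printf 'user-unit\t%s\tsystemctl --user -M %s@ disable\n' \
            "$unit" "$user"
    done

    # 5. A "!"/"-" in /etc/shadow blocks passwords only; key logins still need
    #    the nologin shell (or sshd DenyUsers) to be refused.
    if [ -s "$home/.ssh/authorized_keys" ]; then
        printf 'ssh-keys\t%s\tconfirm shell is nologin or add DenyUsers %s\n' \
            "$home/.ssh/authorized_keys" "$user"
    fi
    return 0
}

# Files the user left outside $HOME (temp files, spools), as in the thread.
leftover_files() {
    user="$1"
    root="${2:-}"
    find "$root/var" -type f -user "$user" 2>/dev/null
}

if [ "$#" -ge 1 ]; then
    audit_user_persistence "$@"
    leftover_files "$@"
fi
```

Run it as root against the live system (`sh audit.sh alice`), act on each line, then re-run it after moving the home directory as suggested above: the second pass should print nothing but the leftover-file list.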

