---
tags: ccdc, NCCDC2019
---
# User Configuration Cheat Sheet
## Check that all unlocked user passwords were changed
``` bash
# As root run
passwd -a -S
# If the -a option is unavailable:
for u in $(cut -d: -f1 /etc/passwd); do passwd -S "$u"; done
# The second value on each line indicates whether the account is locked.
# If it contains a 'P' the account is probably unlocked; ensure
# all of these show the right day for the last passwd change.
# Example
# kellerj P 12/24/2018 0 99999 7 -1
```
## Check that the hashing algorithm is good
``` bash
# As root
awk -F '$' '{print $2}' /etc/shadow | tr -d '\n'
# We hope for only 6s ($6$ is SHA-512 crypt)
# To change it, find the PAM configs and change the pam_unix.so line in common-password:
# password [success=1 default=ignore] pam_unix.so obscure sha512
```
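A per-account version of the hash check above, as an added example (not part of the original cheat sheet): it reads shadow-format lines and lists every account whose password field is not a `$6$` hash, including locked accounts that still carry a hash and accounts with an empty password field. The function names `audit_shadow` and `sample_shadow` and the sample entries are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the original cheat sheet.
# audit_shadow [FILE]: read shadow-format lines from FILE (or stdin) and print
#   user<TAB>locked|unlocked<TAB>finding
# for every account whose password field is not a $6$ (SHA-512 crypt) hash.
audit_shadow() {
    awk -F: '
        { user = $1; field = $2; state = "unlocked" }
        # Empty field: the account can log in with no password at all.
        field == "" { print user "\t" state "\tEMPTY"; next }
        # A leading ! or * locks the account; a hash may still follow the !.
        field ~ /^[!*]/ { state = "locked"; sub(/^[!*]+/, "", field) }
        # Nothing left after the lock marker: no hash stored, nothing to rate.
        field == "" { next }
        # Hashes without a $id$ prefix are legacy DES crypt or unrecognised.
        field !~ /^[$]/ { print user "\t" state "\tDES-or-unknown"; next }
        # $id$salt$hash: report any id other than 6.
        { split(field, part, "[$]")
          if (part[2] != "6") print user "\t" state "\t$" part[2] "$" }
    ' "${1:--}"
}

# Constructed sample entries (hash bodies are placeholders, not real hashes).
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17960:0:99999:7:::
daemon:*:17960:0:99999:7:::
alice:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17960:0:99999:7:::
backup:!$5$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17960:0:99999:7:::
guest::17960:0:99999:7:::
olddes:CONSTRUCTEDDES:17960:0:99999:7:::
EOF
}

# Demo on the constructed sample.
sample_shadow | audit_shadow
```

As root on a live system, run `audit_shadow /etc/shadow`; no output means every stored hash is SHA-512 crypt and no account has an empty password field.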
## passwd/shadow file permissions
### Check
``` bash
# As root
ls -l /etc/shadow /etc/passwd
# Acceptable outputs (each pair is one acceptable combination):
# -rw-r--r-- 1 root root 2373 Mar 5 10:29 /etc/passwd
# -r-------- 1 root shadow 1406 Mar 5 10:29 /etc/shadow
#
# -rw------- 1 root root 2373 Mar 5 10:29 /etc/passwd
# -r-------- 1 root shadow 1406 Mar 5 10:29 /etc/shadow
#
# -r-------- 1 root root 2373 Mar 5 10:29 /etc/passwd
# -r-------- 1 root shadow 1406 Mar 5 10:29 /etc/shadow
#
# -rw-r--r-- 1 root root 2373 Mar 5 10:29 /etc/passwd
# -rw------- 1 root shadow 1406 Mar 5 10:29 /etc/shadow
# Check other attributes:
lsattr /etc/shadow /etc/passwd
# Example output:
# ----i-------------- /etc/shadow
# --------------e---- /etc/passwd
# Explanation:
# The letters `acdeijstuACDST' select the new attributes for the files:
# append only (a), compressed (c), no dump (d), extent format (e),
# immutable (i), data journalling (j), secure deletion (s), no
# tail-merging (t), undeletable (u), no atime updates (A), no copy on
# write (C), synchronous directory updates (D), synchronous updates (S),
# and top of directory hierarchy (T).
# The following attributes are read-only, and may be listed by lsattr(1)
# but not modified by chattr: huge file (h), compression error (E),
# indexed directory (I), compression raw access (X), and compressed dirty
# file (Z).
```
### Set
``` bash
# As root:
# When you don't need to change/add user info and passwords:
chmod 400 /etc/shadow
chmod 400 /etc/passwd
# May have to use 440 if a different user needs to be able to authenticate
chattr +i /etc/shadow
chattr +i /etc/passwd
# To allow editing again (clear the immutable flag first; chmod fails while it is set):
chattr -i /etc/shadow
chattr -i /etc/passwd
chmod 600 /etc/shadow
chmod 600 /etc/passwd
```
## See which users can use sudo
``` bash
# As root
# Example directive: %wheel ALL=(ALL:ALL) NOPASSWD: ALL
less /etc/sudoers
# If a directive begins with '%' it indicates a group; otherwise it is a user
# Check the members of the groups listed in the file
# (Note: change the example to the groups in your file)
getent group sudo wheel
# Check whether /etc/sudoers.d/ contains any files with more directives
ls -a /etc/sudoers.d/
# Check those files for more users and groups
# Ensure all users found in directives and groups are supposed to be there
# Check permissions of sudoers files (ensure only root can edit)
ls -l /etc/sudoers*
```