6 Configure user account security

I'd like to see more in this Area on design of access control schemas to meet access control policy, i.e. use of groups (which, in some senses, equates to Role-Based Access Control).
Task 1 - "Create secure home directory partitions" - I'm not sure what is meant here. Does it mean making /home a separate filesystem? Or setting permissions correctly?

Task 2 - "Use shadow passwords" - I've been using shadow passwords for years with no thought whatsoever. Distros just install the shadow package, and off we go. Does this mean use pwconv, grpconv, etc.? Because that's ancient history these days.

Task 3 - "Use conservative account password aging", etc. - Define "conservative". Password aging, expiry, etc. are normally defined in policy documents, and it's up to our admin to implement them. This needs to be rewritten in terms like "Use the chage command to set the number of days after which a password will expire. Use the chage command to set the minimum number of days that must elapse before a password may be changed", and so on.

Task 4 - "Require complex passwords" - again, most distros these days use libcrypt by default (I recently had to delve in there to turn it *off*, for use in a primary school). You might ask a candidate to be able to read the contents of /etc/pam.d in order to *confirm* that password strength checking is enabled, though.

Task 5 - "Configure a restrictive umask" - Careful here; the umask values depend on the philosophy of the distro: Red Hat vs the rest.

Task 6 - "Configure a secure path" - Perhaps this should be "Ensure that the root user's PATH variable does not include directories which could contain scripts placed there by users", or . . .

Task 7 - "Configure appropriate ulimit values" - Again, who decides what's "appropriate"? You don't want core dumps; I do. You have some large databases; I don't. And so on. Are we testing what's "appropriate", or knowledge of the ulimit command?

Task 8 - "Configure user and group disk quotas" - I think this is covered elsewhere, and is not really directly security-related.

Task 9 - "Check for weak passwords" - Perhaps belongs elsewhere, under a "Security Validation" Content Area.
Anyway, we're using libcrypt, aren't we?

Best,

---
Les Bell, RHCE, CISSP [http://www.lesbell.com.au]

_______________________________________________
lpi-examdev mailing list
[EMAIL PROTECTED]
http://list.lpi.org/mailman/listinfo/lpi-examdev
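The two objectives the post argues should be phrased as checkable tasks (Task 3, the aging fields that chage -m/-M set, and Task 6, the root PATH) can both be audited with a short script. The following is an added example, not code from the post or from LPI; it reads a constructed /etc/shadow excerpt embedded inline rather than the real file, and the policy thresholds (90 days maximum age, 1 day minimum age) are assumptions standing in for whatever the site's policy document says.

```shell
#!/bin/sh
# Added example (not part of the original post): audit the password-aging
# fields that `chage -m` / `chage -M` manage, and check a PATH value for
# entries a root shell should not trust. Reports only; changes nothing.

POLICY_MAX_DAYS=90   # assumed policy: passwords expire after at most 90 days
POLICY_MIN_DAYS=1    # assumed policy: at least 1 day between password changes

# Constructed sample of /etc/shadow lines (NOT a real file):
# name:hash:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW='root:$6$placeholder:19000:0:99999:7:::
alice:$6$placeholder:19000:1:90:7:::
bob:$6$placeholder:19000:0:180:7:::
svc_backup:*:19000:0:99999:7:::
carol:!:19000:1:60:7:::'

# audit_aging SHADOW_TEXT
# Prints one line per policy violation. Accounts whose hash field is "*" or
# starts with "!" are locked and skipped: they cannot log in with a password.
audit_aging() {
    printf '%s\n' "$1" | while IFS=: read -r name hash lastchg min max rest; do
        case "$hash" in
            '*'|'!'*|'') continue ;;
        esac
        # An empty max field means "never expires"; treat it as the worst case.
        if [ -z "$max" ] || [ "$max" -gt "$POLICY_MAX_DAYS" ]; then
            printf '%s max-age %s exceeds %s\n' "$name" "${max:-unset}" "$POLICY_MAX_DAYS"
        fi
        # An empty min field means 0: a user could change and change back at once.
        if [ -z "$min" ] || [ "$min" -lt "$POLICY_MIN_DAYS" ]; then
            printf '%s min-age %s below %s\n' "$name" "${min:-unset}" "$POLICY_MIN_DAYS"
        fi
    done
}

# check_path PATH_STRING
# Prints one line per entry a root shell should not trust: empty entries and
# "." (the current directory gets searched), relative entries, and existing
# directories that are world-writable (any user could drop a script there).
check_path() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r dir; do
        case "$dir" in
            ''|'.')
                printf '%s\n' "untrusted: empty or '.' entry (current directory is searched)" ;;
            /*)
                # Character 9 of the ls -ld mode string is the others-write bit.
                if [ -d "$dir" ] && [ "$(ls -ld "$dir" | cut -c9)" = "w" ]; then
                    printf '%s\n' "untrusted: $dir is world-writable"
                fi ;;
            *)
                printf '%s\n' "untrusted: relative entry '$dir'" ;;
        esac
    done
}

# Demonstration on the constructed inputs.
echo "== aging violations (sample shadow) =="
audit_aging "$SAMPLE_SHADOW"
echo "== PATH entries to question (sample PATH) =="
check_path "/usr/local/sbin:/usr/sbin::bin/tools:."
```

On a live system the same functions take real input: `audit_aging "$(cat /etc/shadow)"` run as root, or `check_path "$PATH"` from a root shell. The aging check deliberately skips locked accounts, since flagging a service account with `*` for a 99999-day maximum would only add noise; the PATH check reports rather than rewrites, because what counts as trusted belongs to the policy, as the post points out.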
