Master Linux Account Security: PAM, sudo, and GRUB Hardening Techniques
This guide walks you through essential Linux security measures—including system account cleanup, password policies, command history restrictions, PAM authentication modules, sudo configuration, GRUB boot protection, weak‑password detection with John the Ripper, and network port scanning with nmap—to help you harden servers against unauthorized access and privilege escalation.
Account Security Controls
1. Basic Measures
1) System account cleanup
Set non‑login users' shell to /sbin/nologin, lock long‑unused accounts, delete unnecessary accounts, and lock the passwd and shadow files.
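The account-cleanup checks above as an added audit script (not code from the original article): it parses constructed /etc/passwd and /etc/shadow content and reports system accounts that still have a login shell, accounts with no shadow entry, and unlocked, login-capable accounts whose password never expires. The sample entries and hashes are constructed placeholders.

```python
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample data; the hashes are placeholders, not real ones.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/bin/bash
wangliu:x:1000:1000::/home/wangliu:/bin/bash
olduser:x:1001:1001::/home/olduser:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$placeholder:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
lp:*:19000:0:99999:7:::
wangliu:$6$placeholder:19000:0:30:7:::
olduser:!$6$placeholder:19000:0:99999:7:::
"""


def parse_colon_file(text):
    """Map the first field (user name) of each non-empty line to its list of fields."""
    return {line.split(":")[0]: line.split(":") for line in text.splitlines() if line.strip()}


def is_locked(shadow_fields):
    """A password field starting with '!' or '*' means no password login is possible."""
    return shadow_fields[1].startswith(("!", "*"))


def audit(passwd_text, shadow_text):
    """Return (user, finding) pairs for the cleanup points in section 1."""
    findings = []
    shadow = parse_colon_file(shadow_text)
    for user, f in parse_colon_file(passwd_text).items():
        uid, shell = int(f[2]), f[6]
        # System accounts (uid below 1000, excluding root) should not have a login shell.
        if 0 < uid < 1000 and shell not in NOLOGIN_SHELLS:
            findings.append((user, f"system account with login shell {shell}"))
        if user not in shadow:
            findings.append((user, "no shadow entry"))
            continue
        # Field 5 of shadow is the maximum password age; 99999 means "never expires".
        if not is_locked(shadow[user]) and shell not in NOLOGIN_SHELLS \
                and shadow[user][4] == "99999":
            findings.append((user, "password never expires (set a maximum age with chage -M)"))
    return findings
```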
2) Password security control
Set password expiration (maximum age in days):
chage -M 30 username
Force a password change at next login:
chage -d 0 username
3) Command history limitation
Reduce the number of stored commands (default 1000) and automatically clear history on logout.
4) Automatic terminal logout
Configure idle timeout to log out after 600 seconds of inactivity.
2. Using the su Command
Switch user with su - username. Root can switch without a password; regular users must provide the target user's password.
1) Restricting su usage
By default any user can use su, which poses a security risk. Use the pam_wheel module to allow only specific users (e.g., members of the wheel group).
Configuration steps:
Add authorized users to the wheel group:
gpasswd -a username wheel
Verify group membership:
grep wheel /etc/group
Edit /etc/pam.d/su to enable pam_wheel.so by removing the leading # from the line:
auth required pam_wheel.so use_uid
Resulting behavior, depending on which of the two auth lines in /etc/pam.d/su (the pam_rootok.so line and the pam_wheel.so line) are enabled:
Both lines disabled: all users can su (root without a password).
First line enabled, second disabled: only root can su without a password.
Second line enabled: only root and members of wheel can use su.
First line disabled, second enabled: only wheel members can su; root is also blocked.
2) Enabling pam_wheel authentication
After adding users to wheel and uncommenting the auth required pam_wheel.so use_uid line, non‑wheel users will receive a “permission denied” message when attempting su. All attempts are logged to /var/log/secure.
3. Linux PAM Security Authentication
1) Risks of the su command
Any user can repeatedly try passwords for other accounts (e.g., root), creating a brute‑force vector.
2) Pluggable Authentication Modules (PAM)
PAM provides a flexible, modular authentication framework widely used on Linux servers.
3) PAM authentication flow
Service → PAM configuration file (under /etc/pam.d) → PAM module (pam_*.so) located in /lib64/security or /lib/security.
4) PAM control flags
required: every such module must succeed; a failure is recorded, the remaining modules still run, and the failure is reported at the end.
requisite: a failure aborts authentication immediately.
sufficient: a success short-circuits the stack with success (unless an earlier required module has already failed); a failure is ignored.
optional: the result is ignored unless it is the only module in the stack.
include: includes another PAM configuration file.
5) PAM module fields
Each line consists of: type (auth, account, password, session), control flag, module path, and module arguments.
6) Example: Checking if a program uses PAM
List the PAM files related to su:
ls /etc/pam.d | grep su
View the su PAM file:
cat /etc/pam.d/su
7) PAM authentication process
required failure: processing continues, but the final result is failure.
requisite failure: abort immediately with failure.
sufficient success: return success immediately.
optional: informational only.
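The control-flag rules above and the su table in section 2 as an added simulator (not code from the original article): evaluate_stack applies required/requisite/sufficient/optional to a stack in file order, and su_allowed builds the two /etc/pam.d/su lines the table refers to (auth sufficient pam_rootok.so and auth required pam_wheel.so use_uid). It assumes the distribution's system-auth substack can be collapsed into a single pam_unix.so password check, and module outcomes are supplied as booleans rather than obtained from the real PAM library.

```python
def evaluate_stack(stack, outcomes):
    """Evaluate an auth stack under the control-flag rules listed above.

    stack    : list of (control_flag, module) tuples in file order
    outcomes : dict module -> True (module succeeded) / False (failed)
    Returns True if PAM would report success.
    """
    required_failed = False
    for control, module in stack:
        ok = outcomes.get(module, False)
        if control == "required":
            if not ok:
                required_failed = True    # keep going, fail at the end
        elif control == "requisite":
            if not ok:
                return False              # abort immediately
        elif control == "sufficient":
            if ok and not required_failed:
                return True               # short-circuit with success
            # a failed sufficient module is simply ignored
        elif control == "optional":
            if len(stack) == 1:
                return ok                 # only counts if it is the sole module
        else:
            raise ValueError(f"unknown control flag: {control}")
    return not required_failed


def su_stack(rootok_enabled, wheel_enabled):
    """The auth lines of /etc/pam.d/su for the four cases in the su table."""
    stack = []
    if rootok_enabled:                    # auth sufficient pam_rootok.so
        stack.append(("sufficient", "pam_rootok.so"))
    if wheel_enabled:                     # auth required pam_wheel.so use_uid
        stack.append(("required", "pam_wheel.so"))
    stack.append(("required", "pam_unix.so"))  # assumed: system-auth collapsed to one password check
    return stack


def su_allowed(rootok_enabled, wheel_enabled, is_root, in_wheel, password_ok=True):
    """Would this caller get through su with the given /etc/pam.d/su lines?"""
    outcomes = {"pam_rootok.so": is_root,      # succeeds only for uid 0
                "pam_wheel.so": in_wheel,      # succeeds only for wheel members
                "pam_unix.so": password_ok}    # succeeds on the right password
    return evaluate_stack(su_stack(rootok_enabled, wheel_enabled), outcomes)
```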
4. Using sudo for Privilege Elevation
sudo runs commands as another user (typically root) without sharing the root password.
Configure via visudo or edit /etc/sudoers (file mode 0440; use :wq! to force write).
Syntax examples:
user host = command_list
user host = (runas_user) command_list
Common options:
-l: list the commands the user is allowed or denied.
-v: validate (refresh) the timestamp.
-u: run as the specified user.
-k: invalidate the timestamp.
Example granting wangliu permission to run useradd and usermod as root:
wangliu ALL=(root) /usr/sbin/useradd, /usr/sbin/usermod
5. Restricting GRUB Boot Parameters
Prevent unauthorized modification of GRUB entries by setting a password.
Generate a PBKDF2 hash:
grub2-mkpasswd-pbkdf2
Back up the configuration files:
cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak
cp /etc/grub.d/00_header /etc/grub.d/00_header.bak
Edit /etc/grub.d/00_header and add:
set superusers="root"
password_pbkdf2 root <generated_hash>
Regenerate the GRUB configuration:
grub2-mkconfig -o /boot/grub2/grub.cfg
After a reboot, editing GRUB entries requires the password.
6. Shutdown and Power‑On Security Controls
Adjust BIOS to boot from the internal disk first and disable boot from external media. Set BIOS security level to “setup” and configure an administrator password.
7. Weak Password Detection
Use John the Ripper to audit password hashes.
Installation steps:
cd /opt
tar -zxf john-1.8.0.tar.gz
yum install -y gcc gcc-c++ make
cd john-1.8.0/src
make clean linux-x86-64
Prepare the shadow file:
cp /etc/shadow /opt/shadow.txt
Run the cracker:
./john /opt/shadow.txt
Show cracked passwords:
./john --show /opt/shadow.txt
8. Network Port Scanning with Nmap
Install nmap:
yum install -y nmap
Common options:
-p: specify ports.
-n: skip DNS resolution.
-sS: SYN (half-open) scan.
-sT: TCP connect scan.
-sF: FIN scan (detects firewall behavior).
-sU: UDP scan.
-sP: ICMP ping scan.
-Pn: treat all hosts as up (skip ping).
9. Additional PAM Hardening for SSH
Add the following line to /etc/pam.d/sshd to limit failed login attempts:
auth required pam_tally2.so deny=3 unlock_time=600 even_deny_root root_unlock_time=1200
Manage lockouts:
Check attempts:
pam_tally2 --user username
Reset attempts:
pam_tally2 --user username --reset
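The lockout policy that the pam_tally2 line above configures (deny=3, unlock_time=600, even_deny_root, root_unlock_time=1200), as an added model run over a constructed sequence of login attempts (not code from the original article or from pam_tally2 itself). It models the documented semantics, including the fact that pam_tally2 bumps the counter before checking it; the assumption that the counter restarts from zero once unlock_time has elapsed is a simplification of the module's behaviour.

```python
DENY = 3                 # deny=3
UNLOCK_TIME = 600        # unlock_time=600 (seconds, regular users)
ROOT_UNLOCK_TIME = 1200  # root_unlock_time=1200 (root is counted too: even_deny_root)

class TallyPolicy:
    def __init__(self, deny=DENY, unlock=UNLOCK_TIME, root_unlock=ROOT_UNLOCK_TIME):
        self.deny, self.unlock, self.root_unlock = deny, unlock, root_unlock
        self.tally = {}  # user -> (failure count, time of last failure)

    def attempt(self, t, user, password_ok):
        """One login attempt at time t (seconds). Returns 'ok', 'denied' or 'locked'."""
        count, last = self.tally.get(user, (0, 0))
        window = self.root_unlock if user == "root" else self.unlock
        if count >= self.deny:
            if t - last < window:
                # Still locked. pam_tally2 bumps the tally before checking it,
                # so an attempt during the lockout counts as another failure.
                self.tally[user] = (count + 1, t)
                return "locked"
            count = 0  # assumed: once unlock_time has elapsed, count afresh
        if password_ok:
            self.tally[user] = (0, 0)  # a successful login clears the tally
            return "ok"
        self.tally[user] = (count + 1, t)
        return "denied"

    def failures(self, user):
        """Equivalent of 'pam_tally2 --user <user>': the current failure count."""
        return self.tally.get(user, (0, 0))[0]

    def reset(self, user):
        """Equivalent of 'pam_tally2 --user <user> --reset'."""
        self.tally.pop(user, None)

# Constructed attempt sequence: (time in seconds, user, password correct?).
SAMPLE_ATTEMPTS = [
    (0, "wangliu", False), (10, "wangliu", False), (20, "wangliu", False),
    (30, "wangliu", True),    # right password, but the account is locked
    (700, "wangliu", True),   # 670 s after the last failure: unlocked again
    (1000, "root", False), (1010, "root", False), (1020, "root", False),
    (1700, "root", True),     # 680 s later: root stays locked for 1200 s
    (3000, "root", True),     # 1300 s after the last failure: unlocked
]

def run(attempts, policy=None):
    """Apply the policy to each attempt in order and return the outcomes."""
    if policy is None:
        policy = TallyPolicy()
    return [policy.attempt(t, user, ok) for t, user, ok in attempts]
```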
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.