Manage Server Accounts
Remove elevated user privileges
Server Account Management
The Server Account Management security module allows you to monitor and audit remote access to your servers by all of the servers' local user accounts. Halo scans your servers at a frequency that you specify, gathering account information and login history for all servers, then displaying it in a centralized location where you can review and act on it.
The module also provides basic account-management capabilities, allowing you to create, edit, or deactivate server accounts.
In an elastic cloud environment in which you may have hundreds of servers that come and go dynamically, using Halo for these purposes can save you time and also help to ensure complete coverage of your server installation.
Halo regularly performs server access scans and presents detailed results in the Halo portal. The results identify all local accounts on each server, noting each account's access privileges and recent login activity. From this information you can easily identify unexpected accounts, inappropriate privileges, and suspicious login activity on any of your servers.
You can improve the general level of security in your organization by making sure that every user account has only the access privileges appropriate to the role of the account's user, and no more.
One way to accomplish this is by performing an access scan on your servers, and then inspecting their local accounts for excessive privilege levels.
- On the Halo Dashboard, click the Access icon and then select your server group (or "All Servers"). Use the checkbox beside the Actions menu to select all servers within the group. Then choose Launch Scan from the Actions menu. The scan runs.
- When the scan completes, click a server's number of accounts (in the Root / Total column) on the Dashboard page to view a list of its accounts on the Server Access Details page. For a given account, note its summary information on that page, then click the account name to see the account details.
Based on the account's username, comments, and group membership, and on the organizational responsibilities of its user (from your own knowledge or from information about the user), assess whether any of the following account privileges need to be adjusted:
- Root privilege (in the account summary). If the value here is "yes", the account has root privileges. Remove root privileges if the account does not need them.
- Shell. This is the path to the account's login shell. Replace the shell path with /bin/false (or whichever non-login shell is appropriate for the server) if the account should not have remote administrative access to the server.
- UID/GID. If the value in either field is "0", the account has root privileges. Remove root privileges if the account does not need them.
- Groups. If the account is a member of the "wheel" group, it can use the su command to assume root-level privileges. Remove the account from the group if those privileges are not needed.
- Sudo Access. This expression, if present, specifies the commands that the account can execute as a root-level user through the sudo command. Remove or change this capability if it is not appropriate for this account.
- SSH Info. This indicates whether SSH keys are stored for this account, and what permissions are set on the account user's .ssh directory. Make sure that the permissions on the directory are appropriately restrictive.
- You can make some of the above privilege changes from within Halo, by clicking the Edit link in the account details. On the Edit Local Account page, you can
- Change the account's UID.
- Change or delete the account's group memberships.
- Change or delete the account's shell path. Specifying the shell as /bin/false effectively prevents remote access.
Also, you can use the CloudPassage API to update an account's SSH keys. To make other account changes, you'll need to locally administer the user's account on that server.
- Repeat this procedure for other accounts on the server, and other servers in the group.
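The same checklist (UID/GID 0, wheel membership, sudo rules, login shell, and .ssh directory permissions) can also be run directly on a server. The script below is an added example, not Halo's or CloudPassage's own code: it parses passwd, group and sudoers content and reports the privilege indicators per account. The passwd, group and sudoers excerpts and the .ssh directory modes are constructed sample data embedded in the script (on a real server you would read the files and use os.stat on each home's .ssh directory). The nologin shell paths listed alongside /bin/false are an assumption about typical Linux distributions.

```python
"""Audit local Linux accounts for the privilege indicators reviewed above.
Added example (not Halo/CloudPassage code); all sample data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed /etc/passwd content (not from a real server).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice,ops:/home/alice:/bin/bash
bob:x:1001:1001:Bob,contractor:/home/bob:/bin/bash
backup:x:0:34:backup agent:/var/backups:/bin/sh
svc-web:x:1002:1002:web service:/var/www:/bin/false
"""

# Constructed /etc/group content.
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,bob
svc-web:x:1002:
"""

# Constructed /etc/sudoers excerpt; a '%name' rule applies to a whole group.
SAMPLE_SUDOERS = """\
Defaults env_reset
%wheel ALL=(ALL) ALL
bob ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
"""

# Constructed ~/.ssh directory permission bits (what os.stat(...).st_mode & 0o777 would give).
SAMPLE_SSH_MODES = {"alice": 0o700, "bob": 0o755}

# Shells that refuse an interactive login. /bin/false is the one the page names;
# the nologin paths are assumed common equivalents on Linux distributions.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    comment: str
    shell: str
    groups: List[str] = field(default_factory=list)
    sudo_rules: List[str] = field(default_factory=list)
    ssh_mode: Optional[int] = None


def parse_passwd(text: str) -> Dict[str, Account]:
    """Build Account objects from passwd lines (name:pw:uid:gid:gecos:home:shell)."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, comment, _home, shell = line.split(":")
        accounts[name] = Account(name, int(uid), int(gid), comment, shell)
    return accounts


def apply_groups(text: str, accounts: Dict[str, Account]) -> None:
    """Record supplementary group membership from group lines (name:pw:gid:members)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        gname, _pw, _gid, members = line.split(":")
        for member in filter(None, members.split(",")):
            if member in accounts:
                accounts[member].groups.append(gname)


def apply_sudoers(text: str, accounts: Dict[str, Account]) -> None:
    """Attach sudo rules to accounts; %group rules fan out to every member."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        subject, _, rule = line.partition(" ")
        if subject.startswith("%"):
            targets = [a for a in accounts.values() if subject[1:] in a.groups]
        else:
            targets = [accounts[subject]] if subject in accounts else []
        for acct in targets:
            acct.sudo_rules.append(rule)


def findings(acct: Account) -> List[str]:
    """Return the privilege indicators an administrator should review for one account."""
    out = []
    if acct.uid == 0 or acct.gid == 0:
        out.append("root privilege via UID/GID 0")
    if "wheel" in acct.groups:
        out.append("member of wheel (can su to root)")
    if acct.sudo_rules:
        out.append("sudo access: " + "; ".join(acct.sudo_rules))
    if acct.shell not in NOLOGIN_SHELLS:
        out.append(f"interactive shell {acct.shell} (remote login possible)")
    if acct.ssh_mode is not None and acct.ssh_mode & 0o077:
        out.append(f".ssh directory mode {acct.ssh_mode:o} is group/world accessible")
    return out


def audit(passwd: str, group: str, sudoers: str, ssh_modes: Dict[str, int]) -> Dict[str, List[str]]:
    """Run the full review and map each account name to its findings."""
    accounts = parse_passwd(passwd)
    apply_groups(group, accounts)  # groups first, so %group sudo rules resolve
    apply_sudoers(sudoers, accounts)
    for name, mode in ssh_modes.items():
        if name in accounts:
            accounts[name].ssh_mode = mode
    return {name: findings(acct) for name, acct in accounts.items()}


if __name__ == "__main__":
    for name, items in audit(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SUDOERS, SAMPLE_SSH_MODES).items():
        print(f"{name}: " + ("; ".join(items) if items else "no findings"))
```

Run against the sample data, the script flags the "backup" account as root-equivalent through UID 0 even though its name suggests a service account, and flags "bob" on three counts (wheel membership, a sudo rule, and a world-readable .ssh directory), while "svc-web" with its /bin/false shell produces no findings. Group-scoped sudoers rules are resolved after group membership is loaded, which is why the order of the two apply steps matters.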
Note: You can use the CloudPassage API to automate much of the drudgery of combing through many local accounts on many servers. Follow the CloudPassage Community links below for details.
For more on Halo's account-management capabilities, see the Server Account Management Setup Guide.