I administered users and groups with useradd/usermod, scoped privilege escalation through targeted sudoers rules, and tightened password policy with PAM. Granting specific sudo commands instead of full root enforced least privilege with an auditable trail.

Objective & Context

Account management is foundational access control. This lab creates service and human accounts, manages supplementary groups, writes least-privilege sudoers entries via drop-ins, and sets password aging, aligning to NIST AC-2/AC-6.

Environment & Prerequisites

  • Linux with shadow-utils, sudo, and PAM.
  • Root/sudo to manage accounts.
  • visudo for safe sudoers editing.

Step-by-Step Execution

1. Create a user with a primary and supplementary group

useradd -m -s /bin/bash -G web deploy && passwd deploy

2. Grant a scoped sudo rule [ROOT REQUIRED]

echo 'deploy ALL=(root) NOPASSWD:/usr/bin/systemctl restart nginx' | visudo -cf -

3. Enforce password aging

chage -M 90 -W 7 deploy && chage -l deploy
Maximum number of days between password change : 90

Validation & Testing

As the new user, confirm the single allowed sudo command works and any other is denied and logged. Pass criteria: least-privilege sudo enforced, group membership grants the intended file access, and password aging applies.

Advanced: Troubleshooting
  • Broken sudoers: always edit with visudo; a syntax error can lock out sudo entirely.
  • Group change not active: supplementary group changes need a fresh login.
  • Locked account: check passwd -S and PAM faillock state.

Key Results

  • Replaced blanket root with command-scoped sudo rules.
  • Managed access via supplementary groups, not per-file grants.
  • Enforced 90-day password aging with expiry warnings.
  • Kept an auditable trail of privileged command use.