How To Achieve Secure and Efficient Infrastructure Management Using A Linux Distribution

Introduction:

Welcome back. Today we will be showcasing how an orginzation can use a Linux distribution to create a secure and efficient user management system.

In today’s world managing various IT resources effectively and securely is paramount. This includes segregating data and system access according to the specific roles and responsibilities of each department. Each user must have access to their relevant data and systems but not that of others. This ensures a clean division of responsibilities, enhances data security, and minimizes potential data breaches. This is an important concept known as “Least privilege”. To demostarte this we will be using our example of Level Up Bank.

Scenario

Level Up Bank recognizes the need to constantly evolve its IT infrastructure to meet the demands of its internal operations and customer services. With a rapidly growing team across various departments such as Development, Operations, and Analytics, a secure and efficient user management system is needed. As Level Up Bank expands its teams, ensuring the privacy and security of individual user profiles becomes crucial. Level Up Bank respect the privacy of its employees and wants to ensure that their individual profiles and associated data are not exposed to unauthorized viewing or editing. This is a critical aspect of data privacy and compliance regulations. Moreover, considering the expanding scale of operations, it’s important to incorporate automation to manage repetitive administrative tasks efficiently. By creating scripts that automate user and access management tasks, Level Up Bank can save time, improve accuracy, and ultimately scale its processes as its team grows.

This project maps directly to the business needs of LevelUp Bank (and, in fact, of any growing organization) in managing its IT infrastructure efficiently and securely.

Prerequisites

• A Linux distribution
• Basic knowledge of bash scripting
• If using an EC2 instance knowledge of how to SSH into your instance

Step One: Create Directories

For this project a quick note before we begin. I will first type su sudo into my terminal to change myself to the root user. This is not recommend to do on your personal device. As root user you can do anything you want. This could lead to potential irreversible damage to your system. I will be using an EC2 instance and will be root user to allow myself to easily accomplish all my steps. However you can achieve root status using the sudo command. With that out of the way let’s really begin.

As root user I will create three directories named Developers(keep your eyes on this one) Operations and Analytics to do this I will type mkdir Developers Operations Analytics into my terminal.

Unlike when you use your GUI(graphical user interface) one of the powers of using the terminal is it allows use to do most actions quickly and in larger volume

Next lets make some files for our directories. To do this we can use the cd command to enter our Development directory and the use the touch followed by the name of the file we want to make. Since I was in banking for 10 years lets try to be a little creative in our dummy file names. For the Developers directory lets name them OTP.txt, Esign.txt NetOx.txt.

Let’s press enter and see what happens

Bam! We have our three files. Now we will finish with Operations and Analytics. For Operations I want to have s pace in my file’s name. I can do this by putting it between quotation marks like this "File Name"

For Analytics I am feeling lazy and don’t want to go into the directory first. I can make a file into the directory I want from my current parent directory by using a forward slash and path route like this home/path/filename

I can also use the backslashs and a space to make a space in my file name by typing file\ name

As you can see Analytics has all the desired files. Onwards to the next step.

Step Two: Making Groups and Setting Permissions

For our Bank linux system we will now create some groups name Developers, Operations, Data Analysts that will be assigned to each working directory. To do this we will use the command groupadd I will simply type then groupadd Developers Operations DataAnalysts and press enter. To confirm that the groups have been created I can use the cat /etc/passwds command and see a list of users on my system.

As you can see towards the bottom my three groups now exist. Now let’s talk about permissions. On Linux disturbutions each owner, group, and other(everyone that is not the owner or in the group) each have their own set of permissions. These permissions include Read, Write, Execute. We can define them using the Linux Foundation definition:

• read — The Read permission refers to a user’s capability to read the contents of the file.
• write — The Write permissions refer to a user’s capability to write or modify a file or directory.
• execute — The Execute permission affects a user’s capability to execute a file or view the contents of a directory.

That being said let’s take a look at our current directories’ permissions

As we can see there is a series of letters. These represent the current permissions of the directory. These are seperated into segements of three. One for the user, one for the group, and one for others. After the d is our first segement which shows the owner (root) has read, write, and execute permissions. The second segment shows the group(currently still root) has read permissions, no writing permissions, and execute permissions. Finally, other users have only read permissions, no writing permissions, and execute permissions as well. We can change this however to better secure our working enviroment.

But wait!! Now that I think about it having a directory named Developers and a group named Developers might be confusing. So before we change permissions let’s rename our directory we can change the name our our directory by using mv command. Let us do that now and change the Developers directory into Development.

Much better :)

Now let’s go ahead and change the owner of each directory to their respective group and change permissions. To change the owner of each directory to their respective group we can type chown -R group_name /path/to/directory let’s start with our Developer’s group

After typing this in and pressing enter let’s go look at our Delvelopment directory and see who the owner is.

As we can see Developers group is the owner of the Development directory. Now we will do the same for Operations and DataAnalysts groups.

Now all our groups are assigned to their respective directories. With that done let’s modify the permissions of the directories so that only the owner of the group can read, write and execute. We only want the correct users to have the needed access. Other users should not be able to access the directory if they are not in the correct group. To do this we can simply type the command chmod 770 directory_name

This will make it so only the owner and group can have read, write and execute permissions. This keeps other teams and unauthorized users from accessing each directory.

Step 3: Creating Users and Assigning Them to Groups

Okay, let’s make some user’s now. These will be the actual bank employees assigned to each department’s group directory. To create their profiles including their work email we will use this simple command useradd -m -c "Name <email>" username We will create the following user’s

• Jess Waller, username= jwaller, email=jwaller@‌levelupbank.com, group= Developers
• Blake Dorsey, username= bdorsey, email=bdorsey@‌levelupbank.com, group= Operations
• Joey Ewart, username= jewart, email=jewart@levelupbank.com, group= Data Analysts

We can then type cat /etc/passwd to confirm our user exists

Great! But to further security let’s change Jess’s password to her company default password. To do this we can simply type passwd username

Great we will do the same process for the other two users. Next let’s assign our users to their groups. To change group membership for a user simply type user -aG Group_Name username after doing so to confirm if we were successful we can type groups username let’s give it a try

Success!!! Now we will do the same for our other users. Let’s now confirm if our users can access their group directories but not their colleagues. To do this let’s switch users by typing su username and trying to cd into the group directory that user belongs to, and try to enter a directory they do not.

As root user I went to the Development directory to see if Jess Waller who is a memeber of the Developer group can access the contents of the directory. As you can see above she was successful in listing the files. Now let’s switch back to root user and go to another directory then switch back to Jess.

As shown Jess can not open the Operations directory as she is not a memeber of the Operations group. Thus ensuring we follow the concept of “Least Privilege”. Now just to confirm another user to drive the point home. Let’s use Blake Dorsey.

As we can see Blake Dorsey a member of the Operations group can cd into Operations but he can not into Analytics. That is the power of “Least Privilege.

Conclusion

I hope this shows how with setting permissions and keeping users to their assigned work areas has shown how Level Up Bank or any company can keep their IT infrastructure efficiently and securely. There could be more we could do such as setting permissions so that users can only view their own profile, or making a bash script that will do everything that we just did with one command. But we will save that for another day. Until next time, see you!