[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ale] Security best practice - Remove or disable user accounts?



I've made a habit over the years to make a make a three step process out of it:

1. Keep the user, but lock their password
2. Rename the account to X-username, so the files still exist, but an
'ls -la' gives a nice reminder that the user is no longer with us.
This also prevents any errant crontabs from executing as this user
3. remove ~/.ssh - this shouldn't be necessary anymore, but it used to
be that some combinations of SSH server & OS would not check to see if
the password was locked, hence allowing logging by certificate

I vote for keeping the files and the user around. If someone has
interesting code or documentation, someone may want to refer to it
later. For instance, if someone wrote a blog post to his ~/public_html
directory on he solved a problem with some internal code, you don't
want it disappearing from your intranet search suddenly when they
leave. Same goes for his replacement wanting to nose around his
~/.profile for the environment variables he forgot to document. :)

2008/8/7 Jeff Lightner <jlightner at water.com>:
> At a former job the policy was to disable rather than remove user accounts.
>
> However, on checking for "best practices" I don't find any indication why
> this should be and find several references to removing them completely.
>
> Does anyone know of a best practice that explains why disabling would be
> preferable to removing?
>
> ----------------------------------
> CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential
> information and is for the sole use of the intended recipient(s). If you are
> not the intended recipient, any disclosure, copying, distribution, or use of
> the contents of this information is prohibited and may be unlawful. If you
> have received this electronic transmission in error, please reply
> immediately to the sender that you have received the message in error, and
> delete it. Thank you.
> ----------------------------------
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
>



-- 
__author__ = 'Thomas Stromberg (Roswell, GA, USA)'
__blog__ = 'http://sprocket.io/'