
Disabled account monitoring

Removing a terminated employee’s server accounts can be error-prone; the person responsible for removing accounts may simply not be aware that the former employee had accounts on some machines.

Here’s a tip for using Halo to make sure that server access is revoked for all accounts that should no longer be active.

“Disabled account” configuration monitoring

Halo has a built-in check that can alert you if certain accounts on your servers have had recent logins.  It takes just a few steps to provide regular checks for account access.

First, create a new configuration policy called “Disabled account monitoring”.  In this policy create a rule called “Monitor permanently disabled accounts”.  Add a new check and select “No recent account login”.  In the “Users” box, enter the names of accounts that should not be active.  These could include:

  • Accounts for former employees
  • Accounts for contractors, temporary staff, or interns
  • System accounts that should never have direct login, such as httpd, tcpdump, and mysql
  • Accounts used in QA, testing, or development that should not have active logins

In the “number of days” field, fill in 90 days or more.

[Screenshot: Disabled account monitoring]

Finally, take this policy and apply it to all your server groups.  After the next scan you’ll be alerted if any of those accounts have had active recent logins on any Halo protected server.  You can then use Halo’s Server Access module to deactivate these accounts.

Recently terminated accounts

To handle new or recent terminations, create new rules with names such as “Terminated accounts 2013-01-15”.  Add a “No recent account login” check to these as well.  Put in the account names of people who were terminated that day or week, but pick a lower number of days, perhaps 5.  For a few days after their last login they’ll show up on the Configuration scan report, but after that they’ll only show up if someone attempts to log in using one of those accounts.

Creating this rule and check for all terminated accounts should be part of your HR checklist for termination.

[Screenshot: Disabled account monitoring]

One nice side benefit of putting in separate rules and checks is that you now have an audit trail of when the termination happened.

Go back once a month to this policy and raise any “number of days” values by 30 until they reach 90.

Shouldn’t we delete old accounts?

Absolutely – that’s your best line of defense.  These Halo rules provide additional, ongoing checks to make sure there’s no account activity.

You can even use Halo to confirm that the account has been removed with a File Presence check; alert if “.bash_logout” exists in any home directories of accounts that should have been completely deleted:

[Screenshot: Disabled account monitoring]

By applying this policy to all your servers, you get alerted if an old account exists and/or has recent account activity with almost no effort.
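For readers who want to see what the two checks above actually test for, here is an added example, not Halo’s own code or anything from CloudPassage: a small Python script that reproduces the “No recent account login” rules (a permanent 90-day rule plus a 5-day “Terminated accounts” rule) against constructed `lastlog` output, and reproduces the “.bash_logout” File Presence check against a constructed stand-in for `/home`. The account names, rule names, timestamps and the fixed scan time are all made-up sample data; the `lastlog` line format and the `.bash_logout` file name are the ones found on a typical Linux host.

```python
"""Added example: a local, script-form equivalent of the two Halo checks in the post
(hypothetical helper code, not CloudPassage's).  It parses constructed `lastlog`
output to flag listed accounts with recent logins, and looks for leftover
`.bash_logout` files in the home directories of accounts that should be gone."""
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed sample of `lastlog` output (GNU shadow-utils format); on a real
# host you would feed in the output of `lastlog` instead.
SAMPLE_LASTLOG = """\
Username         Port     From             Latest
root             tty1                      Mon Jan 14 09:12:03 +0000 2013
jdoe             pts/0    10.0.0.12        Sun Jan 13 18:40:11 +0000 2013
asmith                                     **Never logged in**
httpd            pts/1    10.0.0.99        Tue Dec 11 02:15:44 +0000 2012
contractor1      pts/0    10.0.0.45        Thu Sep 20 08:00:00 +0000 2012
"""

# Rules mirror the post's policy: rule name -> (accounts, "number of days").
SAMPLE_RULES = {
    "Monitor permanently disabled accounts": (["httpd", "tcpdump", "mysql", "contractor1"], 90),
    "Terminated accounts 2013-01-15": (["jdoe", "asmith"], 5),
}

# Fixed "scan time" for the sample data; a real run would use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2013, 1, 16, 12, 0, tzinfo=timezone.utc)

# Trailing timestamp of a lastlog line, e.g. "Mon Jan 14 09:12:03 +0000 2013".
LASTLOG_TS = re.compile(r"(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d [+-]\d{4} \d{4})\s*$")


def parse_lastlog(text):
    """Map username -> last login (timezone-aware datetime), or None if never logged in."""
    logins = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        if not line.strip():
            continue
        user = line.split()[0]
        match = LASTLOG_TS.search(line)         # no timestamp means "**Never logged in**"
        logins[user] = (
            datetime.strptime(match.group(1), "%a %b %d %H:%M:%S %z %Y") if match else None
        )
    return logins


def recent_login_findings(logins, rules, now):
    """Equivalent of the 'No recent account login' check: return
    (rule name, user, days since last login) for each listed account whose last
    login falls within that rule's 'number of days'."""
    findings = []
    for rule, (accounts, max_days) in rules.items():
        for user in accounts:
            last = logins.get(user)             # None: never logged in, or no such account
            if last is None:
                continue
            age_days = (now - last).days
            if age_days <= max_days:
                findings.append((rule, user, age_days))
    return findings


def leftover_home_findings(home_root, deleted_accounts):
    """Equivalent of the File Presence check on '.bash_logout': return the
    supposedly deleted accounts whose home directory still exists under home_root."""
    return [
        user for user in deleted_accounts
        if os.path.exists(os.path.join(home_root, user, ".bash_logout"))
    ]


def build_sample_homes():
    """Constructed stand-in for /home: jdoe's directory was never removed,
    asmith's was.  Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="homes-")
    os.makedirs(os.path.join(root, "jdoe"))
    with open(os.path.join(root, "jdoe", ".bash_logout"), "w") as fh:
        fh.write("# ~/.bash_logout\n")
    return root


if __name__ == "__main__":
    logins = parse_lastlog(SAMPLE_LASTLOG)
    for rule, user, age in recent_login_findings(logins, SAMPLE_RULES, SAMPLE_NOW):
        print(f"[{rule}] {user}: logged in {age} day(s) ago")
    for user in leftover_home_findings(build_sample_homes(), ["jdoe", "asmith"]):
        print(f"[Deleted account left behind] {user}: ~/.bash_logout still present")
```

With the sample data, the 90-day rule flags `httpd` (36 days) but not `contractor1` (118 days), the 5-day rule flags `jdoe` (2 days) but not `asmith` (never logged in), and the home-directory check flags only `jdoe`. Accounts that exist in a rule but not on the host, such as `tcpdump` and `mysql` here, are simply skipped, which matches the post’s advice to apply one policy to every server group regardless of which accounts each machine actually has.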

We’d like to thank Phil Cox at Rightscale for his recent blog on security monitoring.  He reminded us that we’ve never done a blog about alerting on disabled account activity.
