Sooner or later, one of your users will be let go, find employment elsewhere, or win the lottery. When that happens you'll need to remove her account and ensure that she doesn't continue to have access after the fact.
The purpose of this guide is to outline some simple steps to disable an account while leaving a reasonable audit trail in place. It is written specifically for FreeBSD 6.x and 7.0, but the general concepts should apply (with different command implementations, perhaps) across many *nix systems.
Please note that the steps below were inspired by advice found in two excellent books:
- Essential System Administration, by Æleen Frisch
- Linux Server Hacks, by Rob Flickenger
-----------------------------------------
[ We'll call the unwelcome user account starla for these examples. ]
Lock out future authentication attempts
First, we'll expire the account and give it a nologin shell.
Code:
# chpass -e 'Oct 01 06' starla
# chsh -s /usr/sbin/nologin starla
(For the first command, any Mmm dd yy in the past will do.)
Additional considerations:
- Did the user have access to any other accounts? Those passwords will need to be changed as well.
- While you're at it, it'd be a good idea to scan /etc/group and remove her account from any secondary groups.
Prevent other access methods and archive home
Next, we'll move her home directory, change its ownership, and restrict its permissions.
Code:
# mv /usr/home/starla /usr/home/starla.gone
# chown -R root /usr/home/starla.gone
# chmod -R go-rwx /usr/home/starla.gone
Keeping the home directory and its contents around may be needed as part of an audit trail. In some situations (depending on your rules and policies) it may be more appropriate to back it up and then delete it altogether.
Check for any running/automated processes
Here we'll look at any processes executing under her account.
Code:
# ps aux | grep '^starla'
Anything running? You'll need to look into it, determine what it is and why it's running, and ultimately kill it. (Keep in mind that '^starla' also matches any account whose name merely begins with starla, so check the USER column for an exact match before killing anything.)
Next, we'll look for anything that may be scheduled to run using at or cron.
Code:
# atq
# crontab -u starla -l
Ditto here. Is anything that's automated necessary for normal business operation? If so, you'll need to get it moved to a more appropriate (service) account. If not, remove the entries.
Check for sudoer entries
If her account should not be accessed, then it most certainly should not be used to run commands via sudo. Verify and remove any entries containing the starla user account with the command:
Check for any other files on the system owned by the account
A quick find invocation can provide us with this info.
Code:
# find / -user starla > starla-files
Anything turn up? Again, you'll need to investigate and change ownership (or remove) as needed.
If the user has a mailbox -- e.g. /var/mail/starla -- you may want to back it up and then delete it.
Check for other application-level access
What services did the user have access to? Did the user have a mail alias set up? It would be a good idea to carefully review each of these configurations for references to starla and remove them (or replace them with a new account, as appropriate).
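The checks above (secondary groups, running processes, sudoers entries, mail aliases) are easy to miss one at a time, so here is a small POSIX sh helper that runs them together against captured text and reports every remaining reference to the account. It is an added example, not part of the original guide: the function names are my own, and the /etc/group, ps aux, sudoers and aliases contents below are constructed samples standing in for the real files (on a live host you would pass "$(cat /etc/group)", "$(ps aux)", and so on). Each function matches the account name exactly, so an unrelated account such as starla2 is not reported.

```shell
#!/bin/sh
# Offboarding audit helper (added example; not from the original guide).
# Every function takes the captured text of a file or command as its
# first argument and the account name as its second, and prints the
# lines that still reference that account. Passing text instead of
# reading files directly keeps the checks testable and lets you audit a
# saved snapshot from another host.

# Groups (field 1) whose member list (field 4) contains the user exactly.
# A plain grep for the name would also match "starla2" or "mstarla".
group_memberships() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Lines of `ps aux` output whose USER column is exactly the user.
processes_for_user() {
    printf '%s\n' "$1" | awk -v u="$2" 'NR > 1 && $1 == u'
}

# Non-comment sudoers lines naming the user as a whole word: as the
# user spec, inside a User_Alias, or as a runas target.
sudoers_refs() {
    printf '%s\n' "$1" | awk -v u="$2" '
        /^[[:space:]]*#/ { next }
        { line = " " $0 " "; gsub(/[=,:()]/, " ", line)
          if (index(line, " " u " ") > 0) print $0 }'
}

# Alias entries (name: target, target) that deliver to the user.
alias_refs() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { n = split($2, t, ",")
          for (i = 1; i <= n; i++) {
              gsub(/^[[:space:]]+|[[:space:]]+$/, "", t[i])
              if (t[i] == u) { print $0; break } } }'
}

# Combined report. Returns 0 when nothing references the account,
# 1 when any section still has entries to deal with.
audit_account() {
    user=$1; found=0
    g=$(group_memberships "$2" "$user")
    [ -n "$g" ] && { printf 'Secondary groups for %s:\n%s\n' "$user" "$g"; found=1; }
    p=$(processes_for_user "$3" "$user")
    [ -n "$p" ] && { printf 'Running processes:\n%s\n' "$p"; found=1; }
    s=$(sudoers_refs "$4" "$user")
    [ -n "$s" ] && { printf 'sudoers references:\n%s\n' "$s"; found=1; }
    a=$(alias_refs "$5" "$user")
    [ -n "$a" ] && { printf 'Mail aliases delivering to the account:\n%s\n' "$a"; found=1; }
    return $found
}

# Constructed sample inputs (not real system data).
SAMPLE_GROUP='wheel:*:0:root,starla
operator:*:5:root
staff:*:20:root,alice,starla
starla2:*:1002:starla2'
SAMPLE_PS='USER     PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED    TIME COMMAND
root       1  0.0  0.1   784   356  ??  ILs   9:00AM 0:00.02 /sbin/init
starla  1234  0.0  0.3  4820  2100  p0  Is   10:15AM 0:00.05 /bin/sh ./sync.sh
starla2 1300  0.0  0.3  4820  2100  p1  Is   10:16AM 0:00.01 -sh'
SAMPLE_SUDOERS='# sudoers file
root ALL=(ALL) ALL
starla ALL=(ALL) NOPASSWD: /usr/sbin/service
User_Alias DBADMINS = alice, starla
%wheel ALL=(ALL) ALL'
SAMPLE_ALIASES='# aliases
postmaster: root
helpdesk: alice, starla
billing: bob'

ACCOUNT=starla
if audit_account "$ACCOUNT" "$SAMPLE_GROUP" "$SAMPLE_PS" "$SAMPLE_SUDOERS" "$SAMPLE_ALIASES"; then
    echo "No remaining references to $ACCOUNT."
else
    echo "Resolve the references above before closing out $ACCOUNT."
fi
```

On the sample data the report lists two groups (wheel and staff), one process (PID 1234), two sudoers lines and the helpdesk alias, and exits non-zero; re-run it after each cleanup step until it exits zero. The sudoers check only reads the text you hand it, so editing still goes through visudo.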
-----------------------------------------
Hopefully this guide has provided a baseline for planning (or modifying) your user account removal procedures. Be diligent and thorough to make sure that when someone leaves, she is really gone.