Least Privileged Linux User for Probe

Modified on Tue, Jul 29 at 1:57 PM

Objective: To create a dedicated Linux user account with minimal permissions, used exclusively for running a probe agent scan that performs read-only scanning of system, application, and user information, with write access only to the probe's installation directory.


Create User

Create the user by running the following command as root or with sudo privileges.

sudo useradd -r -M -s /usr/sbin/nologin probeuser
  • -r = Creates a system user.

  • -M = Do not create a home directory.

  • -s /usr/sbin/nologin = Sets the login shell to nologin, which prevents login access.

You can replace 'probeuser' with your preferred username.


Create an Installation Directory and Assign Ownership

Assuming your probe is installed at /opt/probe:

sudo mkdir -p /opt/probe
sudo chown probeuser: /opt/probe
sudo chmod 750 /opt/probe

Only 'probeuser' and root can write here. Members of the directory's group can read it, and all other users have no access.


Grant Read Access to System Files (optional)

If the probe needs to read files like /etc/passwd, /var/log/, or /proc/ and encounters permission issues, consider granting read access to the specific file with an ACL, for example:

sudo setfacl -m u:probeuser:r /var/log/syslog

Repeat as needed for required files.


Add to Specific Read-Only Groups (optional)

Consider the following command if the probe requires access to group-restricted resources (example: 'adm' for logs).

sudo usermod -aG adm probeuser

This is safer than granting broad sudo access.


Avoid Sudo or Elevated Access

Avoid granting sudo access unless necessary. If it is needed for a specific script, edit the sudoers file:

sudo visudo

Add:

probeuser ALL=(ALL) NOPASSWD: /opt/probe/probe_script.sh

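Replace the path with the actual script path so that sudo access is limited to that one script. Keep the script and its directory owned by root and not writable by 'probeuser', so the account cannot change what it is allowed to run with elevated rights.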


Verify Permissions

Test by switching to the user.

sudo -u probeuser -s
cd /opt/probe
touch testfile.txt

Check read access to required system files and logs.
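
The checks above can also be scripted. The following is an added example, not part of the original article or the vendor's tooling: it verifies the account's shell, the installation directory's owner and mode, and that a script allowed in sudoers cannot be modified by the probe account (a script kept under /opt/probe, which 'probeuser' owns, fails this check). The function names and the script's arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): audit the account created by the steps above.
# Usage (names are this example's own): sh audit_probe.sh probeuser /opt/probe [sudo_script]

# login_disabled PASSWD_LINE: succeeds if field 7 (the shell) is nologin or false.
login_disabled() (
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        */nologin|*/false) exit 0 ;;
        *) exit 1 ;;
    esac
)

# dir_locked_down UID DIR: succeeds if DIR is owned by UID and has mode 750.
dir_locked_down() (
    [ -d "$2" ] || exit 1
    [ "$(stat -c '%u %a' "$2")" = "$1 750" ]
)

# sudo_target_safe UID FILE: succeeds only if neither FILE nor its directory
# is owned by UID or writable by group/other (conservative check).
sudo_target_safe() (
    for p in "$2" "$(dirname "$2")"; do
        [ -e "$p" ] || exit 1
        [ "$(stat -c %u "$p")" != "$1" ] || exit 1
        mode=$(stat -c %a "$p")
        [ $(( 0$mode & 022 )) -eq 0 ] || exit 1
    done
    exit 0
)

audit() {
    user=$1 dir=$2 script=${3:-}
    entry=$(getent passwd "$user") || { echo "FAIL: no such user $user"; return 1; }
    uid=$(id -u "$user"); rc=0
    login_disabled "$entry" || { echo "FAIL: $user has a login shell"; rc=1; }
    dir_locked_down "$uid" "$dir" || { echo "FAIL: $dir is not $user-owned with mode 750"; rc=1; }
    if [ -n "$script" ]; then
        sudo_target_safe "$uid" "$script" || { echo "FAIL: $user can modify $script"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK: $user matches the least-privilege layout"
    return "$rc"
}

# Run the audit only when a user and directory are given on the command line.
if [ "$#" -ge 2 ]; then audit "$@"; fi
```
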


Audit and Monitor

Optionally monitor 'probeuser' activity with auditd or similar tools to ensure compliance.

| Action | Command Example |
|---|---|
| Create User | useradd -r -M -s /usr/sbin/nologin probeuser |
| Set Installation Directory | mkdir -p /opt/probe && chown probeuser: /opt/probe |
| Optional Group Assignment | usermod -aG adm probeuser |
| Set ACLs if Required | setfacl -m u:probeuser:r /path/to/file |
| Limited Sudo (optional) | Add in visudo as needed |


Need Support?

You can contact our support team by emailing support@connectsecure.com or visiting our Partner Portal, where you can create, view, and manage your tickets.

https://cybercns.freshdesk.com/en/support/login
