Topics

  • Creating users and groups
  • User modification and deletion
  • Password aging policies
  • Sudo configuration

exercise_01.sh

executable safe: no requires: root
#!/bin/bash
# @type: executable
# @requires: root
# @safe: no
set -euo pipefail

# Exercise 1: Create a new devusers group. Create new users named devuser1,
# devuser2, and devuser3, and add them to the devusers group. Add devuser1 to
# the wheel group.
#
# Task: Set up a new group and three users with proper group memberships.

dev_group="devusers"
new_users=(devuser1 devuser2 devuser3)

# Create the group first so that useradd -G can reference it.
sudo groupadd "${dev_group}"

# -G sets the supplementary group at creation time; each user still gets the
# distribution's default primary group.
for user in "${new_users[@]}"; do
  sudo useradd -G "${dev_group}" "${user}"
done

# -a appends to the existing supplementary groups instead of replacing them.
# NOTE(review): where the sudoers policy enables %wheel, this membership gives
# devuser1 full sudo rights -- confirm that is intended on the target host.
sudo usermod -aG wheel "${new_users[0]}"

# Set passwords for the users. passwd prompts interactively, so no password
# appears in this script, in the process list, or in shell history.
for user in "${new_users[@]}"; do
  echo "Password for user ${user}"
  sudo passwd "${user}"
done

# Verify user configurations
for user in "${new_users[@]}"; do
  id "${user}"
done

# Verify group memberships
for group in wheel "${dev_group}"; do
  getent group "${group}"
done

exercise_02.sh

executable safe: no requires: root
#!/bin/bash
# @type: executable
# @requires: root
# @safe: no
set -euo pipefail

# Exercise 2: Modify the devuser3 account. Change the comment field to
# "Senior Developer - devuser3", add the account to an existing secondary
# group named sshd, and change its default shell to /usr/sbin/nologin.
# Ensure that existing secondary groups are preserved.
#
# Task: Modify user attributes including comment, shell, and group membership.

target_user="devuser3"

# --append is what preserves the current secondary groups: --groups on its own
# replaces the whole supplementary group list with the one given.
sudo usermod \
  --comment "Senior Developer - devuser3" \
  --append --groups sshd \
  --shell /usr/sbin/nologin \
  "${target_user}"

# Verify the changes: getent shows the comment and shell fields, id shows the
# resulting group list.
getent passwd "${target_user}"
id "${target_user}"

exercise_03.sh

executable safe: no requires: root
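#!/bin/bash
# @type: executable
# @requires: root
# @safe: no
set -euo pipefail

# Exercise 3: Lock the devuser2 account. Verify the change by checking entry in /etc/shadow.
#
# Task: Lock a user account and verify the lock status in the shadow file.

# -L locks the password by putting '!' in front of the stored hash. It only
# disables password authentication: other login paths (for example SSH keys)
# are not affected. usermod(8) notes that locking the whole account also needs
# the expiry date set to 1.
sudo usermod -L devuser2

# Verify the lock (should see '!' before the password hash).
# The pattern is anchored to the login-name field so that only the devuser2
# entry is printed, not every line that merely contains the string.
# The output includes the password hash, so keep it out of logs and tickets.
sudo grep '^devuser2:' /etc/shadow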

exercise_04.sh

executable safe: no requires: root
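#!/bin/bash
# @type: executable
# @requires: root
# @safe: no
set -euo pipefail

# Exercise 4: Delete the devuser2 account, ensuring the home directory is also deleted.
# Verify that the entry is no longer in /etc/passwd.
#
# Task: Remove a user account completely including their home directory.

# -r removes the home directory and mail spool together with the account.
# Files the user owns elsewhere are left behind and keep the old numeric UID,
# so a later account that reuses that UID would own them.
sudo userdel -r devuser2

# Verify deletion.
# The check is wrapped in `if` because a successful deletion makes grep exit 1
# (no match); run bare under `set -e` that would abort the script before the
# remaining checks. /etc/passwd is the file the task names, and the pattern is
# anchored to the login-name field.
if grep -q '^devuser2:' /etc/passwd; then
  echo "devuser2 is still present in /etc/passwd" >&2
  exit 1
fi
echo "devuser2 is no longer in /etc/passwd"

# The home directory should be gone from the listing as well.
sudo ls /home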

exercise_05.sh

executable safe: no requires: root
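#!/bin/bash
# @type: executable
# @requires: root
# @safe: no
set -euo pipefail

# Exercise 5: For devuser1, set the minimum number of days between password changes to 8 and
# the maximum number of days to 40. Set the warning period before devuser1's password expires
# to 14 days. Force devuser1 to change their password on the next login.
# Set the devuser1's account to expire on December 30, 2028.
#
# Task: Configure password aging and account expiration settings for a user.

#   -m 8           minimum days between password changes
#   -M 40          maximum days a password stays valid
#   -W 14          days of warning before the password expires
#   -d 0           marks the password as last changed on day 0, which forces a
#                  change at the next login
#   -E 2028-12-30  account expiration date; set to the date the task states
#                  (the command previously used 2028-12-31)
sudo chage -m 8 -M 40 -W 14 -d 0 -E 2028-12-30 devuser1

# Verify the settings
sudo chage -l devuser1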

exercise_06.sh

executable safe: no requires: root
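#!/bin/bash
# @type: executable
# @requires: root
# @safe: no
set -euo pipefail

# Exercise 6: Create a new file /etc/sudoers.d/devs using visudo with option -f.
# In this new file, add a rule that allows the user devuser2 to run all commands as root
# without needing a password. Add a rule that allows the group devusers to run all commands
# defined by alias SERVICES from /etc/sudoers as root that require a password.
# Make sure SERVICES is uncommented in /etc/sudoers.
# Will devuser2 be required to use a password for /usr/bin/systemctl start?
#
# Task: Configure sudo rules for users and groups with specific permissions.

# Lines to add to the file:
# devuser2 ALL=(ALL) NOPASSWD: ALL
# %devusers ALL=(ALL) SERVICES
#
# NOTE(review): (ALL) lets the commands run as any target user; (root) is the
# narrower form of "as root". NOPASSWD: ALL is passwordless root for devuser2.
# NOTE(review): exercise 4 deletes devuser2. If the exercises are run in
# order, this rule names an account that no longer exists and would apply to
# any account later created under that name.

# Answer: it depends on rule order. sudo applies the LAST matching entry, not
# the most specific one. With the two lines in the order shown, and provided
# devuser2 is a member of devusers and SERVICES lists /usr/bin/systemctl start,
# the %devusers entry matches last and carries no NOPASSWD tag, so a password
# IS required for that command. Commands outside SERVICES match only the
# devuser2 entry and run without a password. Listing the devuser2 line last
# would make NOPASSWD win for every command.

# Print the instructions before the editor opens; visudo blocks until the
# editor exits, so anything printed afterwards arrives too late to be useful.
echo "In the editor that opens next, add these lines to /etc/sudoers.d/devs:"
echo "devuser2 ALL=(ALL) NOPASSWD: ALL"
echo "%devusers ALL=(ALL) SERVICES"

# Create the sudoers file using visudo, which syntax-checks the file on save
# so that a typo cannot leave sudo unusable.
sudo visudo -f /etc/sudoers.d/devs

# Re-check the saved file; this exits non-zero if it is missing or invalid.
sudo visudo -c -f /etc/sudoers.d/devs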