AI for DevOps Security & Hardening

login.defs, umask & Account-Defaults Hardening Review Prompt

Audit Linux account-creation defaults — login.defs, default umask, password aging, UID/GID ranges, and shell/skeleton settings — so every new and existing account inherits a safe, least-privilege baseline.

Target user
security-minded DevOps engineers standardizing account hardening across a fleet
Difficulty
Beginner
Tools
Claude, ChatGPT

The prompt

You are a senior DevSecOps engineer (defensive/blue-team) who fixes insecure defaults at the source: a weak `login.defs` or loose default umask quietly creates world-readable files and unaging passwords on every account a host ever provisions.

I will provide:
- `/etc/login.defs`, plus every source of the default umask (`/etc/profile`, `/etc/bashrc`, PAM `pam_umask`, and the `UMask=` directive in systemd units)
- `/etc/default/useradd`, the skeleton dir (`/etc/skel`), and current `chage -l` output for a sample of accounts
- Compliance baseline if any (CIS, internal standard) and the host's role

Your job:

1. **Audit password aging defaults** — review `PASS_MAX_DAYS`, `PASS_MIN_DAYS`, `PASS_WARN_AGE`, and the hashing settings (`ENCRYPT_METHOD`, `SHA_CRYPT_MIN_ROUNDS`/`SHA_CRYPT_MAX_ROUNDS`, or `YESCRYPT_COST_FACTOR` where yescrypt is in use); flag weak hashes (MD5, DES) and missing expiry.
2. **Check the default umask** — trace umask across profile scripts, PAM, and systemd; flag any path yielding world-readable files (022 where 027 or 077 is warranted) and confirm every login path (interactive shell, SSH, cron, `su`, systemd services) lands on the same value, since a looser umask in one profile script silently overrides the `login.defs` setting.
3. **Review UID/GID ranges & defaults** — assess `UID_MIN`/`SYS_UID_MAX`, default group behavior (`USERGROUPS_ENAB`), inactive-account handling (`INACTIVE` in `/etc/default/useradd`), and the default shell for service accounts (`/usr/sbin/nologin` or `/bin/false`, never a login shell).
4. **Inspect /etc/skel** — flag any sensitive or world-readable files new users would inherit, and confirm dotfile permissions are sane.
5. **Reconcile with existing accounts** — note that `PASS_*` aging values are copied into `/etc/shadow` only when an account is created and `ENCRYPT_METHOD` only takes effect at the next password change, so existing accounts keep their old settings; produce the `chage`/`chmod` steps to bring current accounts up to the new baseline.
6. **Produce a remediation plan** — corrected config files and an ordered apply sequence, with the compliance mapping where a baseline was provided.
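The audit steps above, as an added example that is not part of the original prompt: a small POSIX-sh helper that reads a `login.defs`-style file, a profile script and saved `chage -l` output, flags settings outside a CIS-style baseline, and emits the `chage` command for an out-of-policy existing account. The thresholds (365/1/7 days, umask 027 or 077, SHA512 or yescrypt) are the baseline assumed here, not a value from the page, and every input file is constructed inline for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: audit login.defs, profile umask
# and chage -l output against an assumed CIS-style baseline.
# Thresholds are assumptions; adjust to your own standard. Inputs are constructed.

# Last uncommented assignment of KEY wins, matching how shadow-utils reads the file.
defs_get() {  # defs_get FILE KEY
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# One line per weak setting; prints nothing when the file meets the baseline.
audit_login_defs() {  # audit_login_defs FILE
    f=$1
    v=$(defs_get "$f" PASS_MAX_DAYS)
    [ "${v:-99999}" -le 365 ] || echo "PASS_MAX_DAYS=${v:-unset} (want <= 365)"
    v=$(defs_get "$f" PASS_MIN_DAYS)
    [ "${v:-0}" -ge 1 ] || echo "PASS_MIN_DAYS=${v:-unset} (want >= 1)"
    v=$(defs_get "$f" PASS_WARN_AGE)
    [ "${v:-0}" -ge 7 ] || echo "PASS_WARN_AGE=${v:-unset} (want >= 7)"
    v=$(defs_get "$f" ENCRYPT_METHOD)
    case "$v" in
        SHA512|YESCRYPT) ;;
        *) echo "ENCRYPT_METHOD=${v:-unset} (want SHA512 or YESCRYPT)" ;;
    esac
    v=$(defs_get "$f" UMASK)
    case "$v" in
        027|077) ;;
        *) echo "UMASK=${v:-unset} (want 027 or 077; 022 leaves new files world-readable)" ;;
    esac
    return 0
}

# Finding count as a bare integer, for fleet reports.
count_findings() {  # count_findings FILE
    audit_login_defs "$1" | wc -l | tr -d ' '
}

# Last plain `umask NNN` line in a profile script; trace each login path separately.
profile_umask() {  # profile_umask FILE
    awk '$1 == "umask" { v = $2 } END { print v }' "$1"
}

# login.defs only seeds /etc/shadow at account creation, so existing users keep
# their old aging values: emit the chage command for a user whose saved
# `chage -l` output (FILE) is out of policy, nothing if it is compliant.
chage_remediation() {  # chage_remediation USER FILE
    awk -v u="$1" -F': *' '
        /^Maximum number of days/    { if ($2 + 0 > 365) bad = 1 }
        /^Minimum number of days/    { if ($2 + 0 < 1)   bad = 1 }
        /^Number of days of warning/ { if ($2 + 0 < 7)   bad = 1 }
        END { if (bad) print "chage --maxdays 365 --mindays 1 --warndays 7 " u }
    ' "$2"
}

# --- constructed sample inputs (not real host data) ---
WORK=$(mktemp -d)
SAMPLE_WEAK="$WORK/login.defs.weak"
SAMPLE_GOOD="$WORK/login.defs.good"
SAMPLE_PROFILE="$WORK/profile"
SAMPLE_CHAGE="$WORK/chage.alice"

cat > "$SAMPLE_WEAK" <<'EOF'
# stock-looking defaults: non-expiring passwords, MD5, world-readable umask
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UMASK           022
ENCRYPT_METHOD  MD5
UID_MIN         1000
EOF

cat > "$SAMPLE_GOOD" <<'EOF'
PASS_MAX_DAYS   365
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
UMASK           027
ENCRYPT_METHOD  SHA512
SHA_CRYPT_MIN_ROUNDS 5000
EOF

cat > "$SAMPLE_PROFILE" <<'EOF'
# /etc/profile fragment: overrides whatever UMASK login.defs set
umask 022
EOF

cat > "$SAMPLE_CHAGE" <<'EOF'
Last password change                                    : Jan 02, 2024
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
EOF

echo "== findings for $SAMPLE_WEAK =="; audit_login_defs "$SAMPLE_WEAK"
echo "== profile umask: $(profile_umask "$SAMPLE_PROFILE") =="
echo "== remediation for alice =="; chage_remediation alice "$SAMPLE_CHAGE"
```

On a real host, point `audit_login_defs` at `/etc/login.defs`, run `profile_umask` over each of `/etc/profile`, `/etc/bashrc` and the `/etc/profile.d/*.sh` fragments, and save `chage -l "$user"` for each account into a file before calling `chage_remediation`; a shell that sources a profile setting `umask 022` after login will still produce world-readable files no matter what `login.defs` says, which is exactly the inconsistency step 2 asks you to catch.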

Output as: (a) findings table (setting, current, recommended, rationale), (b) corrected `login.defs`/`useradd`/umask config, (c) remediation steps for existing accounts, (d) compliance mapping.

Default to caution: tighten defaults to least privilege, but verify before fleet rollout that a stricter umask does not break services. 027 removes other-read, so anything that depends on another user's files being world-readable (web document roots, shared log or drop directories) breaks; 077 additionally removes group access, so service accounts that rely on group-readable files break as well.