Least Privileged Linux User for Probe
Objective: To create a dedicated Linux user account with minimal permissions, used exclusively for running a probe agent scan that performs read-only scanning of system, application, and user information, with write access only to the probe's installation directory.
Create User
Create the user by running the following command as root or with sudo privileges.
sudo useradd -r -M -s /usr/sbin/nologin probeuser
-r = Creates a system account (UID taken from the system range, no password aging).
-M = Does not create a home directory.
-s /usr/sbin/nologin = Sets a non-interactive shell, so the account cannot log in; on distributions that ship it as /sbin/nologin, use that path instead.
You can replace 'probeuser' with your preferred username. On most distributions -r also creates a matching group named 'probeuser', which becomes the account's primary group.
Create an Installation Directory and Assign Ownership
Assuming your probe is installed at /opt/probe
sudo mkdir -p /opt/probe
sudo chown probeuser: /opt/probe
sudo chmod 750 /opt/probe
The trailing colon in 'probeuser:' sets the group to probeuser's primary group. Mode 750 gives 'probeuser' read, write and execute access, members of that group read and execute only, and everyone else no access; root is not subject to these bits. Keep the probe's binaries, state and configuration inside this directory so the account never needs write access anywhere else.
Grant Read Access to System Files (optional)
Most of what a scan reads is world-readable already (/etc/passwd and most of /proc/, for example), so only add access where the probe actually reports a permission error. For a single file, grant read access with an ACL:
sudo setfacl -m u:probeuser:r /var/log/syslog
Repeat as needed for required files, and confirm the result with getfacl. An ACL applies to that one file only: when logrotate creates a fresh /var/log/syslog the ACL is not carried over, so for logs that rotate the group membership described in the next section is more durable.
Add to Specific Read-Only Groups (optional)
Consider the following command if the probe requires access to group-restricted resources (example: 'adm', which on Debian and Ubuntu has read access to the logs under /var/log).
sudo usermod -aG adm probeuser
This grants only what that group can already read and is far safer than granting sudo access. Group membership takes effect on the account's next session, so restart the probe service after the change.
Avoid Sudo or Elevated Access
Avoid granting sudo access unless it is necessary. If one specific script must run as root, allow that single command only:
sudo visudo
Add:
probeuser ALL=(ALL) NOPASSWD: /opt/probe/probe_script.sh
Replace with the actual script path to limit access. sudoers matches the command by its full path; if no arguments are listed, the script may be run with any arguments. Because /opt/probe is writable by 'probeuser', any script in it that sudo runs as root must be owned by root and must not be writable by 'probeuser' or its group (root ownership with mode 755, for example); otherwise anyone who controls the probe account can edit the script and run arbitrary commands as root. Narrowing (ALL) to (root) also stops the rule from being used to run the script as other accounts. Check the file with visudo -c before logging out.
Verify Permissions
Test by switching to the user. The -s option runs your own shell as 'probeuser', which works even though the account's login shell is nologin.
sudo -u probeuser -s
cd /opt/probe
touch testfile.txt
Then check read access to the required system files and logs, confirm that writing outside /opt/probe (to /etc, for example) is refused, and remove testfile.txt when done.
Audit and Monitor
Optionally monitor 'probeuser' activity with auditd or a similar tool: record which programs the account executes and any writes it makes outside /opt/probe, so a probe that starts doing more than read-only scanning is noticed rather than assumed compliant.
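An auditd rule set for this monitoring step, as an added example that is not part of the original article. The file path /etc/audit/rules.d/probe.rules and the key names probe_exec, probe_write and probe_write_any are assumptions; the account name matches the one created above.

```conf
# /etc/audit/rules.d/probe.rules  (assumed path; added example, not from the original article)

# Every program executed by the probe account. auditctl resolves the user name
# to its numeric uid when the rule is loaded, so the account must already exist.
-a always,exit -F arch=b64 -S execve -F uid=probeuser -k probe_exec

# Writes and attribute changes inside the probe's own directory.
-w /opt/probe -p wa -k probe_write

# Any successful write by the probe account to any file; a read-only scanner
# should only ever produce hits under /opt/probe, so anything else is a finding.
-a always,exit -F arch=b64 -S all -F perm=w -F uid=probeuser -F success=1 -k probe_write_any
```

Load the rules with augenrules --load (or auditctl -R on the file) and review them with ausearch -k probe_exec -i or ausearch -k probe_write_any -i. On a system with 32-bit syscall support, duplicate the two -a rules with -F arch=b32 so a 32-bit binary cannot slip past them.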
Action | Command Example
---|---
Create User | useradd -r -M -s /usr/sbin/nologin probeuser
Set Installation Directory | mkdir -p /opt/probe && chown probeuser: /opt/probe && chmod 750 /opt/probe
Optional Group Assignment | usermod -aG adm probeuser
Set ACLs if Required | setfacl -m u:probeuser:r /path/to/file
Limited Sudo (optional) | Add a single root-owned, non-writable script in visudo as needed
Need Support?
You can contact our support team by emailing support@connectsecure.com or visiting our Partner Portal, where you can create, view, and manage your tickets.
https://cybercns.freshdesk.com/en/support/login