Account Provisioning Procedure
Version 1.0 | Classification: CONFIDENTIAL — Internal Use Only
Provisioning a New Admin Account
Step 1 — Obtain Approval
Submit a written request to the IT Manager with:
- Requestor name and role
- Systems requiring access
- Justification and duration (permanent or time-limited)
- Required permission level
Obtain written IT Manager approval before proceeding.
Step 2 — Create the Account
# On the target server(s)
sudo useradd -m -s /bin/bash -G wheel <username>
sudo passwd <username> # Set temporary password; user must change on first login
sudo chage -d 0 <username> # Force password change at next login
Step 3 — Deploy SSH Public Key
Obtain the user's SSH public key. Deploy it:
sudo mkdir -p /home/<username>/.ssh
sudo chmod 700 /home/<username>/.ssh
echo "<public_key>" | sudo tee /home/<username>/.ssh/authorized_keys
sudo chmod 600 /home/<username>/.ssh/authorized_keys
sudo chown -R <username>:<username> /home/<username>/.ssh
Step 4 — Configure sudo Access (if required)
# Create a dedicated sudoers file (never edit /etc/sudoers directly)
echo "<username> ALL=(ALL) ALL" | sudo tee /etc/sudoers.d/<username>
sudo chmod 440 /etc/sudoers.d/<username>
Step 5 — Update AIDE Baseline and Log
sudo aide --update && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) [$(hostname)] PROVISION: account <username> created for <full name> — $(whoami)" \
| sudo tee -a /var/log/asset-inventory.log
Step 6 — Update the Access Review Log
Add the new account to the Access Review table.
Modifying an Account
Document the change in a Normal change request (see Change Management), obtain IT Manager approval, apply the change, update AIDE, and log the modification.
Revoking an Account
Time-sensitive: Revocation must complete within 24 hours of notification. Emergency revocation must complete within 1 hour.
# 1. Lock the account immediately
sudo usermod -L <username>
# 2. Kill any active sessions
sudo pkill -u <username>
# 3. Remove SSH keys
sudo rm -f /home/<username>/.ssh/authorized_keys
# 4. Remove sudo access
sudo rm -f /etc/sudoers.d/<username>
# 5. Optionally disable the account entirely
sudo usermod -s /sbin/nologin <username>
# 6. Update AIDE baseline
sudo aide --update && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# 7. Log the revocation
echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) [$(hostname)] REVOKE: account <username> revoked — $(whoami)" \
| sudo tee -a /var/log/asset-inventory.log
If the individual had access to shared secrets (VPN PSK, Grafana password), rotate those immediately and log the rotation.
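A post-revocation check for the steps above, added here as an example and not part of the original procedure: it confirms the on-disk result of steps 1, 3 and 4, and warns about the optional step 5 and about the `wheel` membership that provisioning grants with `-G wheel` but the revocation steps do not remove. The function name `check_revoked` and its `ROOT` prefix argument are hypothetical; active sessions (step 2) are not checked.

```shell
#!/bin/sh
# Added example (not part of the original procedure).
# check_revoked USER [ROOT]  -> returns 0 if steps 1, 3 and 4 took effect.
# ROOT is a hypothetical prefix so the check can run on a constructed tree;
# leave it empty and run as root to inspect the live system.
check_revoked() {
    user=$1; root=${2:-}; rc=0

    # Step 1: usermod -L prefixes the shadow password field with '!'
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$root/etc/shadow")
    case $hash in
        '!'*) ;;
        *) echo "FAIL: password for $user is not locked"; rc=1 ;;
    esac

    # Home directory and login shell are passwd fields 6 and 7
    home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$root/etc/passwd")
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$root/etc/passwd")

    # Step 3: no non-empty authorized_keys file may remain
    if [ -n "$home" ] && [ -s "$root$home/.ssh/authorized_keys" ]; then
        echo "FAIL: $home/.ssh/authorized_keys still contains keys"; rc=1
    fi

    # Step 4: the dedicated sudoers drop-in must be gone
    if [ -e "$root/etc/sudoers.d/$user" ]; then
        echo "FAIL: /etc/sudoers.d/$user still exists"; rc=1
    fi

    # Step 5 is optional in the procedure, so only warn
    case $shell in
        */nologin|*/false) ;;
        *) echo "WARN: login shell is still '$shell'" ;;
    esac

    # Provisioning used -G wheel; the revocation steps leave that membership
    if awk -F: -v u="$user" '$1 == "wheel" { n = split($4, m, ",");
            for (i = 1; i <= n; i++) if (m[i] == u) f = 1 }
            END { exit !f }' "$root/etc/group"; then
        echo "WARN: $user is still a member of wheel"
    fi
    return $rc
}
```

A non-zero return means at least one mandatory revocation step did not take effect on that host.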
Provisioning · v1.1 · 2026-03-14 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only