LinuxQuestions.org
Old 06-03-2004, 10:49 PM   #1
Obie
Group Security


I understand Linux creates and maintains a set of default groups e.g. root, wheel, etc.

1) Which groups do I maintain and what are the specific purposes of each group?

2) How can I make them more secure or don't I bother?

3) I understand that users by default are given a home directory when I run the command useradd.
3.1) Which commands should a normal user never be given?
3.2) If that user wishes to install a particular software, where would it be installed?
3.3) Is there a way I can run the command useradd and designate from the start what group the user belongs to?
3.4) How do I make certain that one user never accesses the folder of another?
3.5) Can I have logs for each specific user and how do I maintain these?

Thank you.
 
Old 06-24-2004, 06:33 PM   #2
unSpawn
I understand Linux creates and maintains a set of default groups e.g. root, wheel, etc.

1) Which groups do I maintain and what are the specific purposes of each group?
On a general usage system (that is, not a production server) user IDs over 500 usually are the unprivileged user accounts; those between 1 and 500 are system accounts. System accounts are necessary for instance to control some processes' file/dir access or to help a root-owned process drop privileges and run under that account. Wheel is a privileged account to let lesser privileged users perform some system (maintenance) tasks. Some system accounts are created when installing applications. As long as they serve a purpose they do not need any maintenance after hardening AFAIK.


2) How can I make them more secure or don't I bother?
Configure and make sure processes use those accounts (don't run as root), make sure their login shell is disabled, make sure their files and dirs have appropriately strict permissions set, set process limits and quota and chroot where necessary. S'pose I usually forget some stuff, please check the LQ FAQ: Security references under "hardening".


3.1) Which commands should a normal user never be given?
Those that allow users to create, destroy or alter system/other users' resources, processes, process credentials or files, some setuid/setgid root binaries. Depends on what the box's purpose is, what's installed and what access a user should be allowed.


3.2) If that user wishes to install a particular software, where would it be installed?
I wouldn't allow users to install and run software without checking if it's a risk to the system. An easy way to enforce that would be to mount publicly writeable partitions (/tmp, /var/tmp) and /home with the noexec mount flag (will break some stuff) and patch the kernel with the GRSecurity patch and enable TPE. This will allow users to only execute binaries inside $PATH.


3.3) Is there a way I can run the command useradd and designate from the start what group the user belongs to?
Sure. Read the manual please.


3.4) How do I make certain that one user never accesses the folder of another?
chmod 0700 /home/user0 . Note this doesn't work for top-level dirs like /etc.


3.5) Can I have logs for each specific user and how do I maintain these?
Logging what? There's a patch for Bash. Are you going to run a shell server?
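
The checks listed in the reply above (system accounts without a login shell, 0700 home directories, noexec on /tmp, /var/tmp and /home) can be audited with a short script. This is an added example, not part of the original thread; the function names and the sample passwd/mounts data are constructed for illustration, and it assumes GNU stat.

```shell
#!/bin/sh
UID_MIN=500   # boundary taken from the reply; many current distributions use 1000

# System accounts (UID 1..UID_MIN-1) whose shell field is not nologin/false.
# An empty shell field means /bin/sh, so it is reported too. $1 = passwd file
system_accounts_with_shell() {
    awk -F: -v max="$UID_MIN" \
        '$3 >= 1 && $3 < max && $7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# Home directories of regular users that grant any group/other permission
# bits, i.e. are looser than 0700. $1 = passwd file
loose_home_dirs() {
    awk -F: -v min="$UID_MIN" '$3 >= min { print $6 }' "$1" |
    while IFS= read -r home; do
        [ -d "$home" ] || continue
        mode=$(stat -c %a "$home")               # GNU coreutils stat
        [ $((0$mode & 077)) -eq 0 ] || echo "$home $mode"
    done
}

# Which of /tmp, /var/tmp, /home are not mounted with noexec (or are not a
# separate mount at all). $1 = file in /proc/mounts format
mounts_missing_noexec() {
    for mp in /tmp /var/tmp /home; do
        awk -v mp="$mp" '$2 == mp { seen = 1; ok = (("," $4 ",") ~ /,noexec,/) }
            END { if (!seen || !ok) print mp }' "$1"
    done
}

# Constructed sample data (not from a real host), so the script runs offline.
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
mkdir -m 0700 "$SAMPLE/alice"; mkdir -m 0755 "$SAMPLE/bob"
cat > "$SAMPLE/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
alice:x:500:500::$SAMPLE/alice:/bin/bash
bob:x:501:501::$SAMPLE/bob:/bin/bash
EOF
cat > "$SAMPLE/mounts" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda3 /home ext3 rw,nosuid 0 0
EOF

system_accounts_with_shell "$SAMPLE/passwd"
loose_home_dirs "$SAMPLE/passwd"
mounts_missing_noexec "$SAMPLE/mounts"
```

On a real host, pass /etc/passwd and /proc/mounts instead of the sample files; accounts such as sync or shutdown use a command as their shell and will be listed for manual review.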
 
  

