• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7069
  • Last Modified:

Disable system accounts on Solaris, HP-UX, IBM and Linux Red Hat and SUSE

Hi all,

Can someone please tell me how I get the list of all system accounts that are not being used? How can I tell if the account is not being used?
2. How can I disable the account?
3. What is using that account?
4. Can someone please show me how to get the system account list? I know it is /etc/passwd, but which ones are system accounts? How can I tell? I need this info as soon as possible. Thanks.

And all related information.

Thank you all.
0
kaka123
5 Solutions
 
Tintin Commented:
System accounts generally have a UID of <100 (but this will vary between systems). It also depends a little on your definition of a "system account".

To list all accounts with UID <100, do

awk -F: '$3 < 100 {print}' /etc/passwd

As to disabling, what is using the account and if it is being used, that varies greatly.

Probably best you describe what problem you are trying to solve.  Do you have some auditors coming through at the moment?
0
 
kaka123 Author Commented:
Yes! We are being audited and I want to make sure that before they hit our boxes we are on top of what should have been done a long time ago. So how can I find out if the account is being used and what service is using it before I go and disable it? What is the best way to handle this without causing any issues? Thanks.
0
 
Tintin Commented:
As previously mentioned, there are too many variables to give a generic answer.

My suggestion would be to use a tool like Bastille to check the security of your systems.

See http://www.bastille-linux.org/
0
 
yuzh Commented:
The typical Unix system accounts are:
   daemon
   bin
   sys
   adm
   lp
   smtp
   uucp
   listen
   nobody
   noaccess
   nobody4

You can edit the /etc/passwd file to make system accounts have no login shell, add /bin/false shell, eg:

daemon:x:1:1::/:/bin/false
bin:x:2:2::/usr/bin:/bin/false
sys:x:3:3::/:/bin/false
adm:x:4:4:Admin:/var/adm:/bin/false
lp:x:71:8:Line Printer Admin:/usr/spool/lp:/bin/false
uucp:x:5:5:uucp Admin:/usr/lib/uucp:/bin/false
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:/bin/false
nobody:x:60001:60001:Nobody:/:/bin/false
noaccess:x:60002:60002:No Access User:/:/bin/false
nobody4:x:65534:65534:SunOS 4.x Nobody:/:/bin/false
sshd:x:1011:300:sshd privsep:/var/empty:/bin/false
mysql:x:1012:301:Mysql:/mysql:/bin/false

This disables the shell login for the above accounts, and you can still run the services
as the above users, e.g. run Apache as user nobody.

0
 
JJSmith Commented:

With the exception of root (uid=0), disable/lock all accounts with a UID below 100.

No external/remote users should be using 'uid's below 100.

Cheers
JJ
0
 
yuzh Commented:
You can modify the /etc/shadow file to lock the account, replace the password in the /etc/shadow file with the string "*LK*".

eg, I locked user "sshd" and "mysql", the shadow file for them looks like:
sshd:*LK*:::::::
mysql:*LK*:::::::

The format of /etc/passwd is:
username:password:uid:gid:comment:home-directory:login-shell

where
'x' means a password is required, 11029 is the UID, 1 is the GID, etc.

and  format of  /etc/shadow file (only readable by root):

username:password:lastchg:min:max:warn:inactive:expire
0
 
Tintin Commented:
The above will work for Solaris, HP/UX and Linux, but not for AIX.
0
 
kaka123 Author Commented:
Thank you all for your reply. I edited the /etc/shadow and for system accounts
   daemon
   bin
   sys
   adm
   lp
   smtp
   uucp
   listen
   nobody
   noaccess
   nobody4
I put "No login" for HP-UX, and for AIX what I did was edit the /etc/security/user file and set false for all the accounts above. For Solaris and Linux I am using what yuzh has suggested. Can anyone please tell me if I am on the right track? Thanks all for your reply.
Thank you all.
0
 
Tintin Commented:
Please note that by default, those accounts you have "locked" were already effectively locked.

For example, let's look at the daemon user on Solaris, the default  /etc/passwd entry is:

daemon:x:1:1::/:

and default /etc/shadow entry is:

daemon:NP:6445::::::

Any invalid entry in column 2 of the /etc/shadow file means it has a password that can't be used.  The only way you can "login" to this user is to do

su - daemon

as the root user.  To prevent this (although if you're root already, I don't see the point), you need to add

/bin/false (or similar) to the /etc/passwd entry, eg:

daemon:x:1:1::/:/bin/false
0
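The checks discussed in this thread (UID below 100, column 2 of /etc/shadow, the login shell in /etc/passwd) combined into one audit function, as an added example that is not part of any poster's reply. The sample files are constructed, and the rule for what counts as a usable hash is a simplifying assumption; AIX is not covered.

```shell
#!/bin/sh
# Added example (not from the thread): report password and shell state
# for non-root accounts below a UID limit.
# Usage: audit_accounts PASSWD_FILE SHADOW_FILE [UID_LIMIT]
# Output: one line per account: name uid password-state shell-state
audit_accounts() {
    awk -F: -v limit="${3:-100}" '
        # First file is shadow: remember field 2 (password) per user.
        FNR == NR { pw[$1] = $2; seen[$1] = 1; next }
        # Second file is passwd: skip root (UID 0) and UIDs >= limit.
        $3 > 0 && $3 < limit {
            p = pw[$1]
            # Assumption: "$id$..." or a 13-char crypt string is a real hash;
            # anything else (NP, *LK*, *, !...) cannot match a password.
            hash = (substr(p, 1, 1) == "$" || (length(p) == 13 && p ~ "^[A-Za-z0-9./]+$"))
            if (!($1 in seen))  pstat = "no-shadow-entry"
            else if (p == "")   pstat = "EMPTY-PASSWORD"
            else if (hash)      pstat = "USABLE-PASSWORD"
            else                pstat = "locked"
            # An empty shell field means the system default shell is used.
            if ($7 == "")                       sstat = "DEFAULT-SHELL"
            else if ($7 ~ "(false|nologin)$")   sstat = "no-login"
            else                                sstat = "LOGIN-SHELL:" $7
            printf "%s %s %s %s\n", $1, $3, pstat, sstat
        }' "$2" "$1"
}

# Constructed sample data so the example runs without touching real files.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:/bin/false
lp:x:71:8:Line Printer Admin:/usr/spool/lp:/bin/sh
adm:x:4:4:Admin:/var/adm:/bin/false
alice:x:1001:100:Constructed user:/home/alice:/bin/sh
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:6445::::::
daemon:NP:6445::::::
bin:*LK*:::::::
lp::6445::::::
adm:$6$constructedsalt$constructedhash:6445::::::
alice:$6$constructedsalt$constructedhash:6445::::::
EOF

audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
```

On a real host, run it as root against /etc/passwd and /etc/shadow; upper-case states are the ones to review before the audit.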
 
yuzh Commented:
When you edit the /etc/passwd file and /etc/shadow file, you need to make sure
you have the correct format as in http:#17189508, and they should look like the
example in:
http:#17181159 and http:#17189508
0
 
kaka123 Author Commented:
Great, thank you all for your reply.
Thanks
0
