Solved

Disable system accounts on Solaris,HP-UX,IBM and Linux redhat and suse

Posted on 2006-07-24
Last Modified: 2013-12-06
Hi all,

1. Can someone please tell me how I get the list of all system accounts that are not being used? How can I tell if an account is not being used?
2. How can I disable the account?
3. What is using that account?
4. Can someone please show me how to get the system account list? I know it is /etc/passwd, but which ones are system accounts? How can I tell? I need this info as soon as possible. Thanks.

And all related information.

Thank you all.
Question by:kaka123
11 Comments
 
LVL 48

Assisted Solution

by:Tintin
Tintin earned 250 total points
ID: 17173050
System accounts generally have a UID of <100 (but this will vary between systems). It also depends a little on your definition of a "system account".

To list all accounts with UID <100, do

awk -F: '$3 < 100 {print}' /etc/passwd

As to disabling, what is using the account and if it is being used, that varies greatly.

Probably best you describe what problem you are trying to solve.  Do you have some auditors coming through at the moment?
0
 

Author Comment

by:kaka123
ID: 17177233
Yes! We are being audited, and I want to make sure that before they hit our boxes we are on top of what should have been done a long time ago. So how can I find out if an account is being used, and what service is using it, before I go and disable it? What is the best way to handle this without causing any issues? Thanks.
0
 
LVL 48

Assisted Solution

by:Tintin
Tintin earned 250 total points
ID: 17179458
As previously mentioned, there are too many variables to give a generic answer.

My suggestion would be to use a tool like Bastille to check the security of your systems.

See http://www.bastille-linux.org/
0
 
LVL 38

Assisted Solution

by:yuzh
yuzh earned 250 total points
ID: 17181159
The typical Unix system accounts are:
   daemon
   bin
   sys
   adm
   lp
   smtp
   uucp
   listen
   nobody
   noaccess
   nobody4

You can edit the /etc/passwd file to make system accounts have no login shell, add /bin/false shell, eg:

daemon:x:1:1::/:/bin/false
bin:x:2:2::/usr/bin:/bin/false
sys:x:3:3::/:/bin/false
adm:x:4:4:Admin:/var/adm:/bin/false
lp:x:71:8:Line Printer Admin:/usr/spool/lp:/bin/false
uucp:x:5:5:uucp Admin:/usr/lib/uucp:/bin/false
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:/bin/false
nobody:x:60001:60001:Nobody:/:/bin/false
noaccess:x:60002:60002:No Access User:/:/bin/false
nobody4:x:65534:65534:SunOS 4.x Nobody:/:/bin/false
sshd:x:1011:300:sshd privsep:/var/empty:/bin/false
mysql:x:1012:301:Mysql:/mysql:/bin/false

to disable shell login for the above accounts. You can still run the services
as the above users, e.g. run Apache as user nobody.

0
 
LVL 6

Expert Comment

by:JJSmith
ID: 17188708

With the exception of root (uid=0), disable/lock all accounts with a UID below 100.

No external/remote users should be using 'uid's below 100.

Cheers
JJ
0
 
LVL 38

Accepted Solution

by:yuzh
yuzh earned 250 total points
ID: 17189508
You can modify the /etc/shadow file to lock the account: replace the password in the /etc/shadow file with the string "*LK*".

E.g., I locked users "sshd" and "mysql"; the shadow file entries for them look like:
sshd:*LK*:::::::
mysql:*LK*:::::::

The format of /etc/passwd is:
username:password:uid:gid:comment:home-directory:login-shell

where
'x' means required to have a password, 11029 is the UID, 1 is the GID, etc.

and the format of the /etc/shadow file (only readable by root) is:

username:password:lastchg:min:max:warn:inactive:expire
0
 
LVL 48

Expert Comment

by:Tintin
ID: 17189517
The above will work for Solaris, HP/UX and Linux, but not for AIX.
0
 

Author Comment

by:kaka123
ID: 17196532
Thank you all for your replies. I edited /etc/shadow, and for the system accounts
   daemon
   bin
   sys
   adm
   lp
   smtp
   uucp
   listen
   nobody
   noaccess
   nobody4
I put "No login" for HP-UX. For AIX, I edited the /etc/security/user file and put false for all the accounts above. For Solaris and Linux I am using what yuzh has suggested. Can anyone please tell me if I am on the right track? Thanks, all, for your replies.
Thank you all.
0
 
LVL 48

Assisted Solution

by:Tintin
Tintin earned 250 total points
ID: 17196713
Please note that by default, those accounts you have "locked" were already effectively locked.

For example, let's look at the daemon user on Solaris, the default  /etc/passwd entry is:

daemon:x:1:1::/:

and default /etc/shadow entry is:

daemon:NP:6445::::::

Any invalid entry in column 2 of the /etc/shadow file means it has a password that can't be used.  The only way you can "login" to this user is to do

su - daemon

as the root user.  To prevent this (although if you're root already, I don't see the point), you need to add

/bin/false (or similar) to the /etc/passwd entry, eg:

daemon:x:1:1::/:/bin/false
0
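Added example (not part of any post in this thread): a read-only audit that combines the UID < 100 filter, the /etc/shadow column-2 check and the login-shell check described in the answers above. The sample entries, the function names and the set of "unusable" password markers (`NP`, or a leading `*` or `!`) are assumptions; AIX, which stores this information differently, is not covered.

```shell
#!/bin/sh
# Constructed sample data in /etc/passwd and /etc/shadow format (not from a real host).
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:/bin/false
lp:x:71:8:Line Printer Admin:/usr/spool/lp:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/bash'

SAMPLE_SHADOW='root:$5$constructed$placeholder:13000::::::
daemon:NP:6445::::::
bin:*LK*:::::::
lp:$5$constructed$placeholder:13000::::::
alice:$5$constructed$placeholder:13000::::::'

# audit_system_accounts PASSWD_FILE SHADOW_FILE [UID_CEILING]
# Prints: name uid password-state shell-state verdict
audit_system_accounts() {
    awk -F: -v max="${3:-100}" '
        NR == FNR { pw[$1] = $2; next }        # first file is shadow: keep column 2
        $3 + 0 == 0 || $3 + 0 >= max { next }  # skip root and UIDs at or above the ceiling
        {
            if (!($1 in pw))          state = "missing"   # no shadow entry at all
            else if (pw[$1] == "")    state = "empty"     # empty field: no password needed
            else if (pw[$1] ~ /^[*!]/ || pw[$1] == "NP")
                                      state = "unusable"  # assumed lock markers, e.g. *LK*
            else                      state = "set"       # looks like a real hash
            sh = $7                                       # empty means the default shell
            login = (sh == "/bin/false" || sh ~ /nologin$/) ? "noshell" : "shell"
            # unusable + noshell: locked; unusable + shell: only su from root works
            verdict = (state != "unusable") ? "review" \
                    : (login == "noshell" ? "locked" : "pw-only")
            print $1, $3, state, login, verdict
        }' "$2" "$1"
}

# Run the audit against the constructed samples above.
run_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$d/passwd"
    printf '%s\n' "$SAMPLE_SHADOW" > "$d/shadow"
    audit_system_accounts "$d/passwd" "$d/shadow" 100
    rm -rf "$d"
}

run_sample
```

On a real host, run `audit_system_accounts /etc/passwd /etc/shadow` as root (the shadow file is only readable by root) and look at the lines marked `review` first.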
 
LVL 38

Expert Comment

by:yuzh
ID: 17198612
When you edit the /etc/passwd file and /etc/shadow file, you need to make sure
you have the correct format as in http:#17189508, and they should look like the
examples in:
http:#17181159 and http:#17189508
0
 

Author Comment

by:kaka123
ID: 17200151
Great, thank you all for your replies.
Thanks
0
