Solved

Disable system accounts on Solaris, HP-UX, IBM and Linux Red Hat and SUSE

Posted on 2006-07-24
Last Modified: 2013-12-06
Hi all,

1. Can someone please tell me how I get the list of all system accounts that are not being used? How can I tell if an account is not being used?
2. How can I disable the account?
3. What is using that account?
4. Can someone please show me how to get the system account list? I know it is /etc/passwd, but which ones are system accounts? How can I tell? I need this info as soon as possible. Thanks.

And all related information.

Thank you all.
Question by:kaka123
11 Comments
 
LVL 48

Assisted Solution

by:Tintin
Tintin earned 1000 total points
ID: 17173050
System accounts generally have a UID of <100 (but this will vary between systems). It also depends a little on your definition of a "system account".

To list all accounts with UID <100, do

awk -F: '$3 < 100 {print}' /etc/passwd

As to disabling, what is using the account and if it is being used, that varies greatly.

Probably best you describe what problem you are trying to solve.  Do you have some auditors coming through at the moment?
0
 

Author Comment

by:kaka123
ID: 17177233
Yes! We are being audited and I want to make sure, before they hit our boxes, that we are on top of what should have been done a long time ago. So how can I find out if the account is being used and what service is using it before I go and disable it? What is the best way to handle this without causing any issues? Thanks
0
 
LVL 48

Assisted Solution

by:Tintin
Tintin earned 1000 total points
ID: 17179458
As previously mentioned, there are too many variables to give a generic answer.

My suggestion would be to use a tool like Bastille to check the security of your systems.

See http://www.bastille-linux.org/
0
 
LVL 38

Assisted Solution

by:yuzh
yuzh earned 1000 total points
ID: 17181159
The typical Unix system accounts are:
   daemon
   bin
   sys
   adm
   lp
   smtp
   uucp
   listen
   nobody
   noaccess
   nobody4

You can edit the /etc/passwd file to make system accounts have no login shell, add /bin/false shell, eg:

daemon:x:1:1::/:/bin/false
bin:x:2:2::/usr/bin:/bin/false
sys:x:3:3::/:/bin/false
adm:x:4:4:Admin:/var/adm:/bin/false
lp:x:71:8:Line Printer Admin:/usr/spool/lp:/bin/false
uucp:x:5:5:uucp Admin:/usr/lib/uucp:/bin/false
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:/bin/false
nobody:x:60001:60001:Nobody:/:/bin/false
noaccess:x:60002:60002:No Access User:/:/bin/false
nobody4:x:65534:65534:SunOS 4.x Nobody:/:/bin/false
sshd:x:1011:300:sshd privsep:/var/empty:/bin/false
mysql:x:1012:301:Mysql:/mysql:/bin/false

to disable the shell login for the above accounts, and you can still run the services
as the above users, e.g. run apache as user nobody etc.

0
 
LVL 6

Expert Comment

by:JJSmith
ID: 17188708

With the exception of root (uid=0), disable/lock all accounts with a UID below 100.

No external/remote users should be using 'uid's below 100.

Cheers
JJ
0
 
LVL 38

Accepted Solution

by:yuzh
yuzh earned 1000 total points
ID: 17189508
You can modify the /etc/shadow file to lock the account, replace the password in the /etc/shadow file with the string "*LK*".

eg, I locked user "sshd" and "mysql", the shadow file for them looks like:
sshd:*LK*:::::::
mysql:*LK*:::::::

The format of /etc/passwd is:
username:password:uid:gid:comment:home-directory:login-shell

where
'x' means required to have a password, 11029 is the UID, 1 is the GID, etc.

and  format of  /etc/shadow file (only readable by root):

username:password:lastchg:min:max:warn:inactive:expire
0
 
LVL 48

Expert Comment

by:Tintin
ID: 17189517
The above will work for Solaris, HP/UX and Linux, but not for AIX.
0
 

Author Comment

by:kaka123
ID: 17196532
Thank you all for your reply. I edited the /etc/shadow and for system accounts
   daemon
   bin
   sys
   adm
   lp
   smtp
   uucp
   listen
   nobody
   noaccess
   nobody4
I put "No login" for HP-UX, and for AIX what I did is I edited the /etc/security/user file and false for all the accounts above. For Solaris and Linux I am using what yuzh has suggested. Can anyone please tell me if I am on the right track? Thanks all for your reply.
Thank you all.
0
 
LVL 48

Assisted Solution

by:Tintin
Tintin earned 1000 total points
ID: 17196713
Please note that by default, those accounts you have "locked" were already effectively locked.

For example, let's look at the daemon user on Solaris, the default  /etc/passwd entry is:

daemon:x:1:1::/:

and default /etc/shadow entry is:

daemon:NP:6445::::::

Any invalid entry in column 2 of the /etc/shadow file means it has a password that can't be used.  The only way you can "login" to this user is to do

su - daemon

as the root user.  To prevent this (although if you're root already, I don't see the point), you need to add

/bin/false (or similar) to the /etc/passwd entry, eg:

daemon:x:1:1::/:/bin/false
0
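
The two checks described in the answers above (column 2 of /etc/shadow and the shell column of /etc/passwd), combined into one read-only report; this is an added example, not part of the original thread. The function names, the constructed sample files and the hash-detection heuristic are assumptions, and it covers the passwd/shadow layout only, not AIX.

```shell
#!/bin/sh
# Added example, not from the thread. Reports, for each non-root account below
# a UID limit, whether its shadow password is usable and what its shell is.
# Usage: audit_accounts PASSWD_FILE SHADOW_FILE [UID_LIMIT]
audit_accounts() {
    # UID_LIMIT defaults to the "UID < 100" rule of thumb given in the thread.
    awk -F: -v shadow="$2" -v limit="${3:-100}" '
        FILENAME == shadow { pw[$1] = $2; have[$1] = 1; next }
        $3 == 0 || $3 >= limit { next }      # skip root and ordinary users
        {
            p = pw[$1]
            # Heuristic (assumption): only "$id$..." strings and 13-character
            # DES strings count as hashes; NP, *LK*, "!" etc. are unusable.
            hash = (p ~ /^\$/ || (length(p) == 13 && p ~ "^[./0-9A-Za-z]+$"))
            if (!($1 in have))  state = "no-shadow-entry"
            else if (p == "")   state = "EMPTY"
            else if (hash)      state = "usable"
            else                state = "unusable"
            # An empty shell field means the system default shell.
            if ($7 == "")                        sh = "default"
            else if ($7 ~ /\/(false|nologin)$/)  sh = "nologin"
            else                                 sh = $7
            printf "%s uid=%s password=%s shell=%s\n", $1, $3, state, sh
        }
    ' "$2" "$1"
}

# Constructed sample files, modelled on the entries quoted in the thread.
sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:/bin/false
lp:x:71:8:Line Printer Admin:/usr/spool/lp:/bin/sh
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
sshd:x:1011:300:sshd privsep:/var/empty:/bin/false
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$notarealhash:6445::::::
daemon:NP:6445::::::
bin:*LK*:::::::
lp::6445::::::
nuucp:abcdefghijklm:6445::::::
EOF
}

d=$(mktemp -d) && sample_files "$d" && audit_accounts "$d/passwd" "$d/shadow"
rm -rf "$d"
```

Lines showing password=EMPTY, or password=usable together with a real shell, are the ones to review first; password=unusable with shell=default is the default daemon case described above.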
 
LVL 38

Expert Comment

by:yuzh
ID: 17198612
When you edit the /etc/passwd file and /etc/shadow file, you need to make sure
you have the correct format as in http:#17189508, and they should look like the
examples in:
http:#17181159 and http:#17189508
0
 

Author Comment

by:kaka123
ID: 17200151
Great, thank you all for your reply...
Thanks
0
