Solved

Disable system accounts on Solaris, HP-UX, IBM and Linux Red Hat and SUSE

Posted on 2006-07-24
Last Modified: 2013-12-06
Hi all,

1. Can someone please tell me how I get the list of all system accounts that are not being used? How can I tell if the account is not being used?
2. How can I disable the account?
3. What is using that account?
4. Can someone please show me how to get the system account list? I know it is /etc/passwd, but which ones are system accounts? How can I tell? I need this info as soon as possible. Thanks.

And all related information.

Thank you all.
Question by:kaka123
11 Comments
 

Assisted Solution

by:Tintin
System accounts generally have a UID of <100 (but this will vary between systems).  It also depends a little on your definition of a "system account".

To list all accounts with UID <100, do

awk -F: '$3 < 100 {print}' /etc/passwd

As to disabling, what is using the account and if it is being used, that varies greatly.

Probably best you describe what problem you are trying to solve.  Do you have some auditors coming through at the moment?
 

Author Comment

by:kaka123
Yes! We are being audited and I want to make sure that before they hit our boxes we are on top of what should have been done a long time ago. So how can I find out if the account is being used and what service is using it before I go and disable it? What is the best way to handle this without causing any issues? Thanks
 

Assisted Solution

by:Tintin
As previously mentioned, there are too many variables to give a generic answer.

My suggestion would be to use a tool like Bastille to check the security of your systems.

See http://www.bastille-linux.org/

Assisted Solution

by:yuzh
The typical Unix system accounts are:
   daemon
   bin
   sys
   adm
   lp
   smtp
   uucp
   listen
   nobody
   noaccess
   nobody4

You can edit the /etc/passwd file to make system accounts have no login shell, add /bin/false shell, eg:

daemon:x:1:1::/:/bin/false
bin:x:2:2::/usr/bin:/bin/false
sys:x:3:3::/:/bin/false
adm:x:4:4:Admin:/var/adm:/bin/false
lp:x:71:8:Line Printer Admin:/usr/spool/lp:/bin/false
uucp:x:5:5:uucp Admin:/usr/lib/uucp:/bin/false
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:/bin/false
nobody:x:60001:60001:Nobody:/:/bin/false
noaccess:x:60002:60002:No Access User:/:/bin/false
nobody4:x:65534:65534:SunOS 4.x Nobody:/:/bin/false
sshd:x:1011:300:sshd privsep:/var/empty:/bin/false
mysql:x:1012:301:Mysql:/mysql:/bin/false

to disable the shell login for the above accounts, and you can still run the services as the above users, e.g. run apache as user nobody etc.
 

Expert Comment

by:JJSmith
With the exception of root (uid=0), disable/lock all accounts with a UID below 100.

No external/remote users should be using 'uid's below 100.

Cheers
JJ

Accepted Solution

by:yuzh
You can modify the /etc/shadow file to lock the account, replace the password in the /etc/shadow file with the string "*LK*".

eg, I locked user "sshd" and "mysql", the shadow file for them looks like:
sshd:*LK*:::::::
mysql:*LK*:::::::

The format of /etc/passwd is:
username:password:uid:gid:comment:home-directory:login-shell

where
'x' means required to have password, 11029 is UID, 1 is GID etc

and  format of  /etc/shadow file (only readable by root):

username:password:lastchg:min:max:warn:inactive:expire

Expert Comment

by:Tintin
The above will work for Solaris, HP/UX and Linux, but not for AIX.
 

Author Comment

by:kaka123
Thank you all for your reply. I edited the /etc/shadow and for system accounts
   daemon
   bin
   sys
   adm
   lp
   smtp
   uucp
   listen
   nobody
   noaccess
   nobody4
I put "No login" for HP-UX, and for AIX what I did, I edited the /etc/security/user file and false for all the accounts above. For Solaris and Linux I am using what yuzh has suggested. Can anyone please tell me if I am on the right track? Thanks all for your reply.
Thank you all.
 

Assisted Solution

by:Tintin
Please note that by default, those accounts you have "locked" were already effectively locked.

For example, let's look at the daemon user on Solaris, the default  /etc/passwd entry is:

daemon:x:1:1::/:

and default /etc/shadow entry is:

daemon:NP:6445::::::

Any invalid entry in column 2 of the /etc/shadow file means it has a password that can't be used.  The only way you can "login" to this user is to do

su - daemon

as the root user.  To prevent this (although if you're root already, I don't see the point), you need to add /bin/false (or similar) to the /etc/passwd entry, eg:

daemon:x:1:1::/:/bin/false

Expert Comment

by:yuzh
When you edit the /etc/passwd file and /etc/shadow file, you need to make sure
you have the correct format as in http:#17189508, and they should look like the
example in:
http:#17181159 and http:#17189508
 

Author Comment

by:kaka123
Great, thank you all for your reply ...
Thanks
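
An added example, not part of the original thread: a shell/awk audit that combines the two checks discussed in the answers above (an unusable password field in /etc/shadow and a non-login shell in /etc/passwd) for accounts with a UID below 100. The function names, the output labels and the sample file contents are constructed for illustration, and the test for a usable password hash is a heuristic assumption.

```shell
#!/bin/sh
# Added example (not from the thread): classify low-UID accounts by
# password state and login shell. Run it against copies of the real files.
# Usage: audit_accounts PASSWD_FILE SHADOW_FILE [UID_LIMIT]
audit_accounts() {
    awk -F: -v limit="${3:-100}" '
        # First file is shadow: remember each password field.
        FNR == NR { pw[$1] = $2; seen[$1] = 1; next }
        # Second file is passwd: low UIDs only, root (UID 0) excluded.
        $3 > 0 && $3 < limit {
            p = pw[$1]
            # Heuristic (assumption): a usable hash starts with "$" or is a
            # 13-character traditional crypt string; NP and *LK* are neither.
            usable = (substr(p, 1, 1) == "$" || (length(p) == 13 && p ~ "^[./0-9A-Za-z]+$"))
            if (!($1 in seen))  state = "no-shadow-entry"
            else if (p == "")   state = "EMPTY-PASSWORD"
            else if (usable)    state = "password-set"
            else                state = "locked"
            # An empty shell field falls back to the system default shell.
            if ($7 == "")                       sh = "default-shell"
            else if ($7 ~ "/(false|nologin)$")  sh = "no-login-shell"
            else                                sh = "login-shell:" $7
            print $1, $3, state, sh
        }' "$2" "$1"
}

# Constructed sample data modelled on the entries quoted in the thread.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:/bin/false
lp:x:71:8:Line Printer Admin:/usr/spool/lp:/bin/sh
uucp:x:5:5:uucp Admin:/usr/lib/uucp:/bin/false
EOF
    cat > "$dir/shadow" <<'EOF'
root:NP:6445::::::
daemon:NP:6445::::::
bin:*LK*:::::::
lp::6445::::::
uucp:abcdefghijklm:6445::::::
EOF
    audit_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}
demo
```

Each output line is name, UID, password state and shell state; an `EMPTY-PASSWORD` or `password-set` row on a service account is the one to review before the audit, since `locked` rows already cannot log in with a password.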