rdashokraj
asked on
Finding dormant/ unauthorized user in accounts solaris
Hi Folks,
I have to do a security audit on Solaris production servers, in which one of the audit items reads like this:
"Check for dormant and unauthorized accounts. Review the accounts in /etc/passwd files. Review, investigate, and results documented for any accounts that have had no logins for the past 90 days or accounts still present from terminated employees".
My queries are as follows:
1) How can I check whether a particular account is active and how can I find the last time the user logged in?
2) How can I ensure whether an account is a normal one or it has some administrative privilege?
3) I have an entry like this in the passwd file: "zzzzzz:x:60002:60002:special crontab account:/:/dev/null". What does it represent? How can I ensure that this account is harmless?
Thanks,
Ashok
jhartzen.
Could you expand more on the "dormant lockout facility". I'm not really sure what you are referring to.
Adding a little to question 1.
Running the 'last' command is your best option if the history goes back far enough for you. You can use other methods like looking at the timestamp on the user's .sh_history or similar, but that is unreliable. utmp stores logins via telnet/ssh/ftp etc, so it's going to be a lot more comprehensive.
You might find the following script useful if you have password expiry set. Run as root:
#!/bin/sh
# Print password status and aging for every account.
# passwd -sa lists all accounts and needs root; plain passwd -s would only show the caller.
printf "%-8s %8s %15s %8s %8s %8s\n" "User" "Status" "Last change" "Min" "Max" "Warn"
echo "------------------------- ---------- ---------- ---------- ---------"
passwd -sa | sort | while read user stat date min max warn
do
  # Spell out the status codes (mapped here rather than with sed so user names containing PS/LK are untouched)
  case "$stat" in
    PS) stat="Password" ;;
    LK) stat="Locked" ;;
    NP) stat="No passwd" ;;
  esac
  if [ -z "$max" ]
  then
    # No aging set: passwd -s prints only the name and the status
    date="No change"
    min=0
    max=0
    warn=0
  else
    # Convert date from US mm/dd/yy format to dd/mm/yy
    date=`echo $date | awk -F/ '{print $2"/"$1"/"$3}'`
  fi
  [ -z "$warn" ] && warn=0
  printf "%-8s %-8s %15s %8s %8s %8s\n" "$user" "$stat" "$date" "$min" "$max" "$warn"
done
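As an added example that is not from any poster in this thread: a POSIX sh script that runs the three checks the question asks about (last login older than 90 days, administrative privilege, and the odd zzzzzz-style entry) against a constructed passwd file and a constructed last-login list. Everything in it is made up for the example. It assumes the last-login data has already been pulled into "user YYYY-MM-DD" lines from last, finger or whatever wtmpx history the box still has; the day arithmetic is done in awk as Julian day numbers so it does not need GNU date extensions. A shell of /dev/null, as on the zzzzzz entry, rules out an interactive login, so such accounts are reported separately rather than counted as dormant; whether a cron-only account is still needed is a question for its owner, not for /etc/passwd. The UID/GID 0 check covers root-equivalence only; on Solaris, RBAC roles and profiles in user_attr are another privilege path and need their own review.

```shell
#!/bin/sh
# Added example for this thread (not from any poster): run the three audit
# checks against a passwd file and a last-login list. POSIX sh + awk only.
# On Solaris set AWK=nawk (or /usr/xpg4/bin/awk): /usr/bin/awk is the old
# awk and does not support user-defined functions.
AWK=${AWK:-awk}

# Constructed sample /etc/passwd; no real hosts or people.
PASSWD_SAMPLE=/tmp/audit_passwd.$$
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
toor:x:0:0:second root:/:/bin/ksh
ashok:x:1001:10:Ashok R:/export/home/ashok:/bin/ksh
jsmith:x:1002:10:J Smith, left 2009:/export/home/jsmith:/bin/ksh
zzzzzz:x:60002:60002:special crontab account:/:/dev/null
nobody:x:60001:60001:NFS Anonymous Access User:/:
EOF

# Constructed last-login list, one "user YYYY-MM-DD" per line. On a real box
# you would build it from last(1) or finger(1); this format is my assumption.
LASTLOG_SAMPLE=/tmp/audit_lastlog.$$
cat > "$LASTLOG_SAMPLE" <<'EOF'
root 2010-02-28
ashok 2010-02-20
jsmith 2009-10-15
EOF
trap 'rm -f "$PASSWD_SAMPLE" "$LASTLOG_SAMPLE"' EXIT

# Q2: administrative privilege. UID 0 is root-equivalent whatever the name;
# GID 0 puts the account in root's group. Prints one name per line, sorted.
privileged_accounts() {
    "$AWK" -F: '$3 == 0 || $4 == 0 { print $1 }' "$1" | sort
}

# Q3: accounts whose shell cannot start an interactive session, like the
# zzzzzz entry with /dev/null. An EMPTY 7th field is not one of these: it
# means the default login shell, so that account is interactive.
nologin_accounts() {
    "$AWK" -F: '$7 == "/dev/null" || $7 ~ /\/(false|nologin|true)$/ { print $1 " " $7 }' "$1" | sort
}

# Q1: interactive accounts with no login in the $3 days before $4 (YYYY-MM-DD),
# or with no login record at all. Dates are compared as Julian day numbers.
dormant_accounts() {
    "$AWK" -F: -v lastfile="$2" -v maxdays="$3" -v today="$4" '
    function jdn(y, m, d,  a, yy, mm) {
        a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
        return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
    }
    function iso(s,  f) { split(s, f, "-"); return jdn(f[1] + 0, f[2] + 0, f[3] + 0) }
    BEGIN {
        while ((getline line < lastfile) > 0) { split(line, p, " "); seen[p[1]] = p[2] }
        close(lastfile); now = iso(today)
    }
    $7 == "/dev/null" || $7 ~ /\/(false|nologin|true)$/ { next }   # not interactive, see Q3
    !($1 in seen) { print $1 " never"; next }
    { age = now - iso(seen[$1]) }
    age > maxdays { print $1 " " seen[$1] " (" age " days)" }
    ' "$1" | sort
}

echo "== accounts with administrative privilege (UID 0 or GID 0)"
privileged_accounts "$PASSWD_SAMPLE"
echo "== accounts with a non-interactive shell"
nologin_accounts "$PASSWD_SAMPLE"
echo "== interactive accounts dormant for more than 90 days as of 2010-03-01"
dormant_accounts "$PASSWD_SAMPLE" "$LASTLOG_SAMPLE" 90 2010-03-01
```

Two things to keep in mind before writing up a finding from output like this: Solaris last prints no year and wtmpx is usually rotated, so "never" only means "no login within the retained history" and should be cross-checked against the password aging data from passwd -s or logins -x; and an account with an empty shell field (nobody above) shows up as dormant even though its shadow entry may not allow a login at all, so the password status decides, not the passwd line alone.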
Hi Tintin.
When I said dormant, I meant the inactive timeout, e.g. field 7 in the shadow file, which can be adjusted using the usermod command's "-f" option.
To be more clear, I allow the OS to lock out user accounts that have become dormant by setting a value. We have a rather aggressive security policy, so we set 33 days as the max password age and 40 days for the dormant (inactive) timeout.
When I need to quickly get a report on users, I generally use the "logins" command, like this:
logins -aox
For one specific user, use
logins -aox -l $user
The output is comma-separated so it can be easily parsed through awk -F, '....'
I'd forgotten about the logins command. It's quite handy.
ASKER
Thanks for introducing me to the 'logins' command. It looks handy but I can't understand the password aging parameters. Let me post a new question on it. Thanks again.
rdashokraj:
Did you run my script? It makes the password aging options a bit easier to read.
ASKER
Tintin, Yes I used your script and it works fine. Thanks so much.
Here are some sample results.
corpwww# ./pass
User Status Last change Min Max Warn
-------------------------- ---------- ---------- ---------- --------
root Password No change 0 0 0
cobweb#./pass
User Status Last change Min Max Warn
-------------------------- ---------- ---------- ---------- --------
sysadm Password No change 0 0 0
Hi all,
I also have the same situation regarding audit/security.
I ran that script, but it only gives me one line of output:
#/sss
User Status Last change Min Max Warn
-------------------------- ---------- ---------- ---------- --------
root Password No change 0 0 0
Questions: 1. How can I get a full list of users from /etc/passwd?
2. We comment out some users; will this script output those users' names as well?
Thanks
markelins.
You should really open a new question.
Anyway,
1. cut -f1 -d: /etc/passwd
2. /etc/passwd does not support commenting, so your question is invalid.