
Finding dormant/unauthorized user accounts in Solaris

rdashokraj asked
2,878 Views
Last Modified: 2013-12-21
Hi Folks,

I have to do a security audit on Solaris production servers, in which one of the audit items reads like this:

"Check for dormant and unauthorized accounts. Review the accounts in /etc/passwd files.  Review, investigate, and results documented for any accounts that have had no logins for the past 90 days or accounts still present from terminated employees".

My queries are as follows:

1) How can I check whether a particular account is active, and how can I find the last time the user logged in?
2) How can I ensure whether an account is a normal one or has some administrative privilege?
3) I have an entry like this in the passwd file: "zzzzzz:x:60002:60002:special crontab account:/:/dev/null". What does it represent? How can I ensure that this account is harmless?


Thanks,
Ashok

Author

Commented:
Hi jhartzen, Thanks for your wonderful explanation. With this input, I'm going to modify our Spec on Security Audit and include your explanation. The answers for the questions 2 & 3 are very comprehensive. Thanks a lot again :)

CERTIFIED EXPERT
Top Expert 2007

Commented:
jhartzen.

Could you expand more on the "dormant lockout facility".  I'm not really sure what you are referring to.

Adding a little to question 1.

Running the 'last' command is your best option if the history goes back far enough for you.  You can use other methods like looking at the timestamp on the user's .sh_history or similar, but that is unreliable.  utmp stores logins via telnet/ssh/ftp etc, so it's going to be a lot more comprehensive.

You might find the following script useful if you have password expiry set.  Run as root

#!/bin/sh
# Password aging report for every local account ('passwd -s -a' needs root)
printf "%-8s  %-8s  %15s  %8s  %8s %8s\n" "User" "Status" "Last change" "Min" "Max" "Warn"
echo "----------------------------------------------------------------"
passwd -sa | sort | sed -e "s/PS/Password/" -e "s/LK/Locked/" | while read user stat date min max warn
do
  if [ -z "$max" ]
  then
     # No aging fields printed: aging is not set for this account
     date="No change"
     min=0
     max=0
     warn=0
  else
     # Convert date from US mm/dd/yy format to dd/mm/yy
     date=`echo $date | awk -F/ '{print $2"/"$1"/"$3}'`
  fi

  [ -z "$warn" ] && warn=0

  printf "%-8s  %-8s  %15s  %8s  %8s %8s\n" $user $stat "$date" $min $max $warn
done

Commented:
Hi Tintin.
When I said dormant, I meant the inactive timeout, e.g. field nr 7 in the shadow file, which can be adjusted using the usermod command's "-f" option.

To be more clear, I allow the OS to lock out user accounts that have become dormant by setting a value.  We have a rather aggressive security policy, so we set 33 days as max password age and 40 days for dormant (inactive) timeout.

When I need to quickly get a report on users, I generally use the "logins" command, like this:
logins -aox

For one specific user, use
logins -aox -l $user

The output is comma-separated so it can be easily parsed through awk -F, '....'
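Putting the three audit checks from the question together with the last-login and passwd-review advice above, as an added example that is not code from any of the posters: a POSIX sh/awk audit that reads a passwd file plus a "user YYYY-MM-DD" last-login list (an assumed format you would build from 'last' or 'logins' output) and flags UID 0 accounts, accounts with no login shell such as the zzzzzz entry, and accounts idle beyond a day limit. The passwd and last-login data below are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread. Flags UID 0 (administrative)
# accounts, accounts without an interactive shell (like the zzzzzz crontab
# entry) and accounts idle past a limit. Last-login data arrives as
# "user YYYY-MM-DD" lines (assumed format built from last/logins output).

# Constructed /etc/passwd sample in the layout shown in the question
PASSWD_SAMPLE='root:x:0:0:Super-User:/:/sbin/sh
ashok:x:1001:10:Ashok R:/export/home/ashok:/bin/ksh
oldemp:x:1002:10:Left company:/export/home/oldemp:/bin/ksh
toor:x:0:1:backup admin:/:/bin/sh
zzzzzz:x:60002:60002:special crontab account:/:/dev/null'

# Constructed last-login list; a user missing here has never logged in
LASTLOG_SAMPLE='root 2013-12-01
ashok 2013-12-15
oldemp 2013-06-02'

# audit_accounts PASSWD_TEXT LASTLOG_TEXT TODAY(YYYY-MM-DD) MAX_IDLE_DAYS
# Prints "user:FLAG [FLAG...]" for every account that needs review.
audit_accounts() {
    printf '%s\n' "$1" | awk -v lastlog="$2" -v today="$3" -v limit="$4" '
    # Gregorian date -> Julian day number in plain integer arithmetic, so
    # neither GNU date(1) nor gawk mktime() is needed on an old Solaris box
    function jdn(ymd,  p, a, y, m, j) {
        split(ymd, p, "-")
        a = int((14 - p[2]) / 12); y = p[1] + 4800 - a; m = p[2] + 12 * a - 3
        j = p[3] + int((153 * m + 2) / 5) + 365 * y + int(y / 4)
        return j - int(y / 100) + int(y / 400) - 32045
    }
    BEGIN {
        FS = ":"
        n = split(lastlog, line, "\n")
        for (i = 1; i <= n; i++) { split(line[i], f, " "); last[f[1]] = f[2] }
        now = jdn(today)
    }
    {
        user = $1; uid = $3; shell = $7; flags = ""
        if (uid == 0) flags = flags " UID0"              # root-equivalent
        if (shell == "/dev/null" || shell ~ /false$/)
            flags = flags " NOLOGINSHELL"                # cron/service only
        else if (!(user in last))
            flags = flags " NEVERLOGGEDIN"
        else if ((idle = now - jdn(last[user])) > limit)
            flags = flags " DORMANT(" idle "d)"
        if (flags != "") print user ":" substr(flags, 2)
    }'
}
audit_accounts "$PASSWD_SAMPLE" "$LASTLOG_SAMPLE" 2013-12-21 90
```

On a real host, pass "$(cat /etc/passwd)", your own last-login list and "$(date +%Y-%m-%d)" instead of the samples; a UID 0 flag on anything but root, or a never-logged-in interactive account, is what the audit item wants investigated.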




CERTIFIED EXPERT
Top Expert 2007

Commented:
I'd forgotten about the logins command.  It's quite handy.

Author

Commented:
Thanks for introducing me to the 'logins' command. It looks handy but I can't understand the password aging parameters. Let me post a new question on it. Thanks again.
CERTIFIED EXPERT
Top Expert 2007

Commented:
rdashokraj:

Did you run my script?  It makes the password aging options a bit easier to read.

Author

Commented:
Tintin, Yes I used your script and it works fine. Thanks so much.

Here are some sample results.

corpwww# ./pass
User        Status      Last change       Min       Max     Warn
----------------------------------------------------------------
root      Password        No change         0         0        0

cobweb#./pass
User        Status      Last change       Min       Max     Warn
----------------------------------------------------------------
sysadm    Password        No change         0         0        0

Hi all,

I also have the same situation regarding audit/security.

I ran that script, but it only gives me one output,

#/sss
User        Status      Last change       Min       Max     Warn
----------------------------------------------------------------
root      Password        No change         0         0        0

Question: 1. How can I get a full list of users off /etc/passwd?
2. we comment out some users, will this script output those users name as well?

Thanks
CERTIFIED EXPERT
Top Expert 2007

Commented:
markelins.

You should really open a new question.

Anyway,

1.  cut -f1 -d: /etc/passwd

2.  /etc/passwd does not support commenting, so your question is invalid.