Solved

Checking password policy on our AIX's server

Posted on 2010-11-10
Last Modified: 2013-11-17
Hi

I have configured the default password policy on all our AIX servers in the default: stanza of /etc/security/user:

default:
        admin = false
        login = true
        su = false
        daemon = true
        rlogin = true
        sugroups = system
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 022
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 5
        account_locked = false
        loginretries = 3
        histexpire = 26
        histsize = 20
        minage = 4
        maxage = 13
        maxexpired = -1
        minalpha = 2
        minother = 2
        minlen = 8
        mindiff = 4
        maxrepeats = 8
        dictionlist =
        pwdchecks =
        dce_export = false

Question:

1- I need a script which verifies that this default policy is the correct password policy on the server, and maybe shows the differences (if any).
2- Show if any user's password policy doesn't match the config below.

The fact is, I have already set up this policy correctly on all servers, but I need to check them with this script from time to time.
Thanks
Question by: sminfo

Accepted Solution

by: woolmilkporc (earned 500 total points)
ID: 34101131
OK,
let's see what we can do here.
I think we will need the commands "lssec" and "lsuser" here. Best run them as root.
1)
On a host which is set up correctly, you should create a "prototype" file containing all your settings, like
lssec -f /etc/security/user -s default -a ALL | tr " " "\n" > my_default_user_policy
Once this has been done, you can do
ssh hostname lssec -f /etc/security/user -s default -a ALL | tr " " "\n" > my_hostname_user_policy
and
diff my_default_user_policy my_hostname_user_policy
All the above put together in a script, using variables and doing cleanup afterwards should do the trick for (1).
2) is a bit unclear to me.
Do you want to scan remote password files and check every user? If so, you should reduce the number of attributes to the relevant ones, because lsuser gives more output than lssec, and we will have to make it compatible.
Basically you would do
ATTR="minage maxage minalpha minother"
ATTRS=$(for a in $ATTR; do echo "-a $a \c"; done)
First, the prototype
lssec -f /etc/security/user -s default $ATTRS
And the particular user -
lsuser -a $ATTR username
We can again create two files, make them compatible with a bit of sed or tr, to then run the diff.
But please tell me beforehand if I got you right and if this is actually what you desire.
wmp
 

Author Comment

by:sminfo
ID: 34101568
Hi wmp,

I think both solutions are fine for me. What I'm looking for is a cron job to alert me if someone changes this default config, or if someone changes their own config in /etc/security/user. Maybe by mixing the above info I could make some script which runs every day.

Israel.

Expert Comment

by:woolmilkporc
ID: 34102192
Hi,
why not audit /etc/security/user? The event S_USER_WRITE is meant for this purpose!
Anyway, your first requirement should be just straightforward. Run the below on a well-configured host -

#!/bin/ksh
# reference copy of the default stanza, taken from this (well-configured) host
lssec -f /etc/security/user -s default -a ALL | tr " " "\n" > /tmp/my_default_user_policy
HOSTS="host1 host2 host3"
for host in $HOSTS
do
    # same stanza pulled from the remote host, one attribute per line
    ssh $host lssec -f /etc/security/user -s default -a ALL | tr " " "\n" > /tmp/my_${host}_user_policy
    diff /tmp/my_default_user_policy /tmp/my_${host}_user_policy >/dev/null
    if [[ $? -ne 0 ]]
    then
        mail -s "default policy on $host changed" sminfo@domain.tld < /tmp/my_${host}_user_policy
    else
        rm /tmp/my_${host}_user_policy
    fi
done
The second one - if we intend to employ lsuser for this, you must define a subset of attributes! As I said, the outputs of lssec and lsuser are unfortunately not fully compatible!

#!/bin/ksh
ATTR="your desired attributes separated with a space"
# lssec needs one -a per attribute: build "-a attr1 -a attr2 ..."
ATTRS=$(for a in $ATTR; do echo "-a $a \c"; done)
lssec -f /etc/security/user -s default $ATTRS | tr " " "\n" > /tmp/my_default_selected_policy
HOSTS="host1 host2 host3"
for host in $HOSTS
do
    USERLIST=$(ssh $host "awk -F: '{print \$1}' /etc/passwd")
    for user in $USERLIST
    do
        # lsuser takes the attribute list after a single -a
        ssh $host lsuser -a $ATTR $user | tr " " "\n" > /tmp/my_${user}_${host}_selected_policy
        diff /tmp/my_default_selected_policy /tmp/my_${user}_${host}_selected_policy >/dev/null
        if [[ $? -ne 0 ]]
        then
            mail -s "User $user policy on $host changed" sminfo@domain.tld < /tmp/my_${user}_${host}_selected_policy
        else
            rm /tmp/my_${user}_${host}_selected_policy
        fi
    done
done
 
I didn't have the time to test the scripts - in fact I wrote them nearly out of memory, so they're only there to show you how it could be done. Most probably there is still a lot of work to be done until they will actually do what you want.
 
wmp

Expert Comment

by:woolmilkporc
ID: 34102235
The second script is missing two important things
lssec -f /etc/security/user -s default  $ATTRS | tr " " "\n" | tail +2 > /tmp/my_default_selected_policy
and    

 ssh $host lsuser -a $ATTR $user | tr " " "\n" | tail +2 > /tmp/my_${user}_${host}_selected_policy  
The first line containing either "default" or the username must be stripped, else the diff will not work, obviously.
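
As an added illustration of the per-user check from wmp's two comments above (this is not wmp's code and nothing here comes from a real system), the following POSIX sh script compares the effective attributes a user shows with the default stanza for the same attribute subset. The functions sample_lssec_default and sample_lsuser are constructed stand-ins for the output of lssec and lsuser (both print "<name> attr=value attr=value ..." on one line); on a real host you would replace them with the actual commands. Stripping the first token is done with sed '1d' rather than tail +2, sorting makes the order in which attributes are printed irrelevant, and the temporary files use /tmp and $$ as in wmp's scripts:

```shell
#!/bin/sh
# Added example, not wmp's script: per-user comparison against the default
# stanza for a chosen attribute subset. The real producers are
#   lssec -f /etc/security/user -s default -a minage -a maxage ...  (one -a per attribute)
#   lsuser -a minage maxage ... <user>                              (one -a, attribute list)
# Both print "<name> attr=value attr=value ..." on one line. Constructed
# sample lines stand in for them here so the example runs offline.
LC_ALL=C; export LC_ALL   # fixed collation so sort and comm agree

ATTR="minage maxage minalpha minother"

# Builds the "-a x -a y ..." argument list lssec needs from $ATTR
# (a portable form of wmp's echo "-a $a \c" loop).
lssec_args() {
    for a in $ATTR; do printf '%s %s ' -a "$a"; done
}

# Constructed stand-in for lssec's output on the default stanza (not real data)
sample_lssec_default() {
    echo 'default minage=4 maxage=13 minalpha=2 minother=2'
}

# Constructed stand-in for "lsuser -a $ATTR <user>". lsuser reports the
# effective value, so a user without a stanza of their own shows the defaults
# (alice); bob carries overrides, and his attributes come in a different order.
sample_lsuser() {
    case "$1" in
        bob) echo 'bob maxage=0 minother=2 minage=0 minalpha=2' ;;
        *)   echo "$1 minage=4 maxage=13 minalpha=2 minother=2" ;;
    esac
}

# "<name> attr=val ..." -> sorted attr=val lines without the leading name
# (the line wmp strips with tail +2; sorting makes attribute order irrelevant).
normalize() {
    tr ' ' '\n' | sed '1d;/^$/d' | sort
}

# Prints "<user> attr=val" for every attribute whose effective value differs
# from the default; returns 0 when the user matches, 1 when overrides exist.
user_overrides() {
    tmp=${TMPDIR:-/tmp}/usrcheck.$$
    sample_lssec_default | normalize > "$tmp.def"
    sample_lsuser "$1"    | normalize > "$tmp.usr"
    # comm -13: lines present only in the user's file, i.e. values that differ
    diffs=$(comm -13 "$tmp.def" "$tmp.usr")
    rm -f "$tmp.def" "$tmp.usr"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs" | sed "s/^/$1 /"
    return 1
}

# Walk a constructed user list; on a real host the list would come from
#   ssh $host "awk -F: '{print \$1}' /etc/passwd"
for u in alice bob; do
    user_overrides "$u" || echo "ALERT: $u overrides the default policy"
done
```

Because lsuser reports effective values, a user with no stanza of their own produces no output and the function returns 0; only genuine overrides are reported, and the return status is what a cron wrapper would turn into a mail alert.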
 

Expert Comment

by:balasundaram_s
ID: 34103416
Am I missing something? These default user attributes cannot be changed by any user except root.

Expert Comment

by:woolmilkporc
ID: 34103513
... or members of the security group.

Author Comment

by:sminfo
ID: 34103724
Yes, only administrators can change this file, but we're 8 admins here :-), from low-level admin to high-level admin, so they gave me the task to secure all servers and I'm trying to do it. I've done some scripts to report users, password policy issues, file and folder permissions, etc. This script is part of this security work.

Wmp, I'm testing now.. I'll let you know when finish.

Expert Comment

by:balasundaram_s
ID: 34104233
AIX Security Expert is a system security hardening tool. It is part of the bos.aixpert fileset. You might want to take a look.

Author Comment

by:sminfo
ID: 34109829
wmp,
OK, for now I think I'll use option 1 and only check the global configuration of the default stanza, but I will run the code locally on every server.

I run "lssec -f /etc/security/user -s default -a ALL | tr " " "\n" > /tmp/my_real_default_user_policy", but I don't want to read my_default_user_policy from another file. Is it possible to insert the data from my_default_user_policy into your code, or something like this:

echo "\033[0;32mDefault user policy\033[m"
echo "---------------------------------------------"

def="HERE I HAVE TO ADD THE LINES FROM THE FILE /ETC/SECURITY/USER"
lssec -f /etc/security/user -s default -a ALL | tr " " "\n" > /tmp/my_real_default_user_policy
sdiff -s $def /tmp/my_real_default_user_policy

NOTE: I used sdiff -s to only show the differences.

Thanks

Expert Comment

by:woolmilkporc
ID: 34109956
Unfortunately this won't work.
sdiff, as well as diff, can only compare files, not variables or streams.
wmp

Author Closing Comment

by:sminfo
ID: 34110098
well, I did that:

echo "\033[0;32mConfiguracion de la politica de seguridad de usuarios y passwords\033[m"
echo "Parametros incorrectos     Parametros correctos"
echo "----------------------------------------------------------------"
echo "default
login=true
su=false
rlogin=true
daemon=true
admin=false
sugroups=system
admgroups=
tpath=nosak
ttys=ALL
expires=0
auth1=SYSTEM
auth2=NONE
umask=22
logintimes=
loginretries=3
pwdwarntime=5
account_locked=false
SYSTEM=\"compat\"
registry=
minage=4
maxage=13
maxexpired=-1
minalpha=2
minother=2
mindiff=4
maxrepeats=8
minlen=8
histexpire=26
histsize=20
pwdchecks=
dictionlist=
dce_export=false
maxulogs=
uactivity=
utocount=
capabilities=
auth_name=
auth_domain=
hostsallowedlogin=
hostsdeniedlogin=
rcmds=
core_compress=
core_path=
core_pathname=
core_naming=
core_name=
default_roles=
domains=">/tmp/my_default_user_policy

lssec -f /etc/security/user -s default -a ALL | tr " " "\n" > /tmp/my_real_default_user_policy

sdiff -s /tmp/my_default_user_policy /tmp/my_real_default_user_policy

if [[ $? == 0 ]]; then
    echo "\033[0;32mCONFIGURACION CORRECTA\033[m"
else
    echo "\033[0;41mCONFIGURACION INCORRECTA, ARREGLAR EL fichero /etc/security/user\033[m"
fi

Thanks!
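
An added example (not sminfo's closing script above, nor wmp's code) that generalizes the same idea and also answers the "no second file" wish from the earlier comment: the reference policy lives inside the script as a heredoc, written to a temporary file because the comparison tools work on files; the comparison is done per attribute with join, so the order in which lssec prints attributes cannot produce a false alarm; and every deviation is reported with its expected and actual value instead of a bare sdiff line. The live stanza is passed in as the one-line output of lssec; SAMPLE_LSSEC is a constructed line, not output from a real system, and the function names are this example's own:

```shell
#!/bin/sh
# Added example, not sminfo's or wmp's script. It checks the default: stanza
# of /etc/security/user against a reference embedded in the script, so no
# second policy file has to be maintained by hand. Live values normally come
# from:  lssec -f /etc/security/user -s default -a ALL
# which prints "default attr=value attr=value ..." on one line; here a
# constructed sample line stands in for it so the example runs offline.
LC_ALL=C; export LC_ALL   # fixed collation so sort and join agree

# Reference values (taken from the stanza in the question; extend the list
# with the remaining attributes). The heredoc is written to a file because
# diff/sdiff/join compare files, not shell variables.
print_reference() {
    cat <<'EOF'
minage=4
maxage=13
maxexpired=-1
minalpha=2
minother=2
minlen=8
mindiff=4
maxrepeats=8
histexpire=26
histsize=20
loginretries=3
pwdwarntime=5
EOF
}

# "name attr=val attr=val ..." -> one attr=val per line, leading stanza name
# dropped (the line wmp strips with tail +2), sorted by attribute name so
# the order lssec prints attributes in never produces a false alarm.
normalize() {
    tr ' ' '\n' | sed '1d;/^$/d' | sort -t= -k1,1
}

# Compare the live stanza (passed as the one-line lssec output) with the
# reference. Prints "attr expected=X actual=Y" per deviation (actual=MISSING
# when the attribute is absent). Returns 0 when compliant, 1 otherwise.
check_default_policy() {
    tmp=${TMPDIR:-/tmp}/polcheck.$$
    print_reference | sort -t= -k1,1 > "$tmp.ref"
    printf '%s\n' "$1" | normalize > "$tmp.live"
    # join on the attribute name; attributes not in the reference are ignored
    result=$(join -t= -a 1 -e MISSING -o 0,1.2,2.2 "$tmp.ref" "$tmp.live" |
        awk -F= '$2 != $3 { printf "%s expected=%s actual=%s\n", $1, $2, $3 }')
    rm -f "$tmp.ref" "$tmp.live"
    [ -z "$result" ] && return 0
    printf '%s\n' "$result"
    return 1
}

# Constructed sample of live output (NOT from a real system): maxage was
# lowered to 0 (password never expires) and loginretries to 0 (no lockout).
SAMPLE_LSSEC='default admin=false login=true minage=4 maxage=0 maxexpired=-1 minalpha=2 minother=2 minlen=8 mindiff=4 maxrepeats=8 histexpire=26 histsize=20 loginretries=0 pwdwarntime=5'

# On a real server replace "$SAMPLE_LSSEC" with
#   "$(lssec -f /etc/security/user -s default -a ALL)"
if check_default_policy "$SAMPLE_LSSEC"; then
    echo "default policy OK"
else
    echo "default policy DEVIATES from reference (see lines above)"
fi
```

Reporting attribute by attribute matters for the alert mail: "maxage expected=13 actual=0" tells the reader at once that passwords no longer expire, whereas a raw sdiff line has to be decoded first. The return status is what a cron wrapper, or the echo at the end of sminfo's script, keys on.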

Expert Comment

by:woolmilkporc
ID: 34110120
OK, looks good!
Did you actually write the default policy file by hand? You could have created it (even "on the fly") on a "good" system, as I suggested.
Thx for the points!
Cheers
wmp
Author Comment

by:sminfo
ID: 34110527
Yes, I edited the file server by server. How can I do it "on the fly"?

Thanks.

Expert Comment

by:woolmilkporc
ID: 34110606
You could do it on the fly on a system which is going to be checked by pulling it "ad hoc" from a "good" reference system -
ssh root@good_system 'lssec -f /etc/security/user -s default -a ALL | tr " " "\n"' > /tmp/my_good_default_user_policy  


Author Comment

by:sminfo
ID: 34110645
Yeap, got it.. have a nice day....:-)
