Solved

user permissions report on *nix servers

Posted on 2013-06-12
7
577 Views
Last Modified: 2013-06-28
How can you determine what permissions each local user account on a *nix server has? In this case I am interested in a AIX IBM SYstem. I can see a list of users in \etc\password, but how can you marry that up to what permissions they have over the System.

On a Windows Server you typically have local groups, i.e. administrators, power users, users, backup operators etc. Is the concept similar in *nix systems? If so which are the more powerful groups/type of user to be concious about?
0
Comment
Question by:pma111
7 Comments
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 167 total points
ID: 39240700
Run

id username

This will show the user's ID, their primary group as well as the group set the user belongs to.

"Powerful" groups are "system", "sys", "bin" and "security", but none of these groups will give its members full superuser ("root") privileges.
Only the user with ID "0" (= root) has those privileges.
0
 
LVL 3

Author Comment

by:pma111
ID: 39240713
Thanks, is there no way to run one command to list out all users and there groups (as there are quite a few), also is there anyway  to see an accounts "status", i.e. assume like windows servers you can have an active or disabled account status?
0
 
LVL 3

Author Comment

by:pma111
ID: 39240726
Would also be useful to see if there is a last login timestamp associated with accounts to help identify stale / unused accounts? Would an account that hasnt logged in in some time indicate a stale accounts, or can accounts exist that are used for purposes other than logging in to the server.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39240748
lsuser -a time_last_login username

Time is in seconds since epoch.

Convert it (example 1371036583) with

perl -we ‘print(my $time = localtime 1371036583, “\n”)’


There are system accounts which never log in, like daemon, esaadmin, pconsole etc.
0
 
LVL 21

Assisted Solution

by:Mazdajai
Mazdajai earned 167 total points
ID: 39240972
You can use last to determine last login.

Can you clarify what are you trying to achieve?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39240998
To answer your question in #39240713:

lsuser -fa pgrp groups account_locked ALL

or in one line per user

lsuser -a pgrp groups account_locked ALL

Run

lsuser -f root

to see all available attributes.
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 166 total points
ID: 39242860
Actually list of users is in /etc/security/passwd
/etc/passwd is a decoration generated by SMIT for POSIX compatibility

I think you need some crash course in UNIX basics
step 1)
instal AIX manuals (bos.rte.man) from AIX CDs You will not get anywhere without those
1a) if you dont have CDs cough up 50$ and order them from IBM
step 2)
make usable server out of debian or netbsd (to learn some commands) virtualbox and vmware are good.
step3)
learn to press F6 in smit/smitty (and read manuals after)

As you learn you can stroll through
https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_5.3-6.1_Benchmark_v1.0.0.pdf
and http://redbooks.ibm.com/
to gradually secure your system
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc. This document explains the different types of consol…
I use more than 1 computer in my office for various reasons. Multiple keyboards and mice take up more than just extra space, they make working a little more complicated. Using one mouse and keyboard for all of my computers makes life easier. This co…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now