AIX minage & maxage & rlogin  in default & indiv ids

Posted on 2016-09-27
Last Modified: 2016-11-01

In /etc/security/user, we have:
default:
      admin = false
      login = true
      su = false
      daemon = true
      rlogin = true
        . . .
      minage = 1
      maxage = 8
      mindiff = 3
      maxrepeats = 2
      dictionlist =
      pwdchecks =

oracle:
      minage = 0
      maxage = 0

infrauser1:
      minage = 0
      maxage = 0

sshuser:
      admin = false
      maxage = 0

infrauser2:
      minage = 0
      maxage = 0


Q1:
For infrauser1 & 2, shouldn't minage=1 & maxage=8 be set to match the default & security best practice?

Q2:
With min & maxage=0 for these 2 infra users, do these settings override the system default's minage=1 & maxage=8?

Q3:
For the oracle account, what's the best/secure practice out there? min & maxage=0?

Q4:
For sshuser, used to do sftp, what's the best/secure practice out there? min & maxage=0?
Question by:sunhux

Accepted Solution

by: tfewster, earned 500 total points (awarded by participants)
ID: 41819002
Q1: Yes, it should match your security policy (I assume the defaults reflect that policy)
Q2: Yes, it should match your security policy
Q3: It should match your security policy
Q4: It should match your security policy

I know this is a simplistic view, but it's best security practice. If it's merely inconvenient for the DBAs to change the oracle password, that's not a good enough reason - You can do a great deal of damage with the oracle ID, so it has to be properly managed. Even better, make the DBAs log in with individual IDs and give those IDs sudo rights to switch to the oracle id.

If the other accounts are configured in multiple endpoints, e.g. scripts, that can make it harder to manage.  But you need to know the procedure to change those passwords (including updating any login scripts). Then you can start to enforce regular rotation at a convenient time of day BEFORE the password actually expires.

Also consider using ssh keys instead of passwords, so you can keep better control of access without having to distribute passwords.

Of course, it also depends on how sensitive these accounts are. If the sftp user can't do much apart from get/put non-sensitive files, you can grant an exception in that case - e.g. change the password less often (but still keep track of who/where it is used).

Author Comment

by:sunhux
ID: 41819039
Need to clarify what the "Yes" means, esp. for the following 2:

Q2:
 with min & maxage=0, for these 2 infra users, do these settings override the system default's minage=1 & maxage=8 ?
 So in the case of our infrauser1 & 2, our setting of 0 is not adhering to best practice?

 Q3:
 For oracle account, what's the best/secure practice out there?  min & maxage=0 ?
 So it should be 1 & 7 respectively according to our security policy?

Author Comment

by:sunhux
ID: 41819073
Missed 1 item which was in the subject of the 1st posting:

In the same /etc/security/user,
default:          
                rlogin = true  

Shouldn't rlogin be set to 'false', as rlogin doesn't require password & keys?

Assisted Solution

by: tfewster, earned 500 total points (awarded by participants)
ID: 41820940
Apologies, I missed some of the points.
Q2: Yes, individual settings override the system default, so these accounts are not compliant with your standard policy (I assume the defaults section settings match company policy, I'm pretty sure they've been tweaked from the settings on a fresh system install)

Q3: Yes, 1 and 8 (or just remove the "overrides") to match company policy. If you plan to change the password every 7 weeks, it will never expire. Even if it does expire, cron jobs etc. will continue to run - only the login will be disabled.

The rlogin setting refers to remote login capability with rlogin/rsh/rexec AND telnet, so if you don't use those protocols any more then set rlogin=false. ssh/sftp and standard ftp will not be affected.
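As an added example (not code from the thread or from AIX itself), the override rule tfewster describes in Q2 and the rlogin point can be checked mechanically. The Python below parses /etc/security/user-style stanza text, resolves each attribute the way AIX does (the user's own stanza first, then the default stanza), and flags accounts whose effective maxage is 0 (password never expires), whose minage is below the default, or which end up with rlogin = true. The stanza text is a constructed sample modelled on the excerpt in the question, and the finding codes are this script's own labels, not anything AIX prints.

```python
import re

# Constructed sample modelled on the stanzas quoted in the question; not a real system's file.
SAMPLE_USER_FILE = """\
* comment lines in AIX stanza files begin with an asterisk
default:
        admin = false
        login = true
        su = false
        daemon = true
        rlogin = true
        minage = 1
        maxage = 8
        mindiff = 3
        maxrepeats = 2
        dictionlist =
        pwdchecks =

oracle:
        minage = 0
        maxage = 0

sshuser:
        admin = false
        maxage = 0

infrauser1:
        minage = 0
        maxage = 0
"""

STANZA_HEADER = re.compile(r"^(\S+):\s*$")


def parse_stanzas(text):
    """Parse stanza text into {stanza: {attribute: value}}.

    Attribute lines are 'key = value'; an empty value (e.g. 'pwdchecks =')
    is kept as ''.  Lines starting with '*' are comments and are skipped.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        header = STANZA_HEADER.match(line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective(stanzas, user, attr):
    """AIX resolution order: the user's own stanza wins, otherwise 'default' applies."""
    if attr in stanzas.get(user, {}):
        return stanzas[user][attr]
    return stanzas.get("default", {}).get(attr)


def audit(text):
    """Return {user: [finding codes]} for every stanza other than 'default'."""
    stanzas = parse_stanzas(text)
    default_minage = int(stanzas.get("default", {}).get("minage") or 0)
    findings = {}
    for user in stanzas:
        if user == "default":
            continue
        notes = []
        minage = int(effective(stanzas, user, "minage") or 0)  # weeks
        maxage = int(effective(stanzas, user, "maxage") or 0)  # weeks; 0 means never expires
        if minage < default_minage:
            notes.append("minage_below_default")
        if maxage == 0:
            notes.append("maxage_never_expires")
        if effective(stanzas, user, "rlogin") == "true":
            notes.append("rlogin_enabled")
        findings[user] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit(SAMPLE_USER_FILE).items():
        print(f"{user:12s} {', '.join(notes) or 'ok'}")
```

On a live AIX box the same effective values come from `lsuser -a minage maxage rlogin ALL`, and the fix tfewster suggests (drop the per-user override so the default applies, or set it explicitly) is done with `chuser`, e.g. `chuser maxage=8 oracle`; note that sshuser in the sample inherits minage = 1 from default because its own stanza only overrides maxage.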

Expert Comment

by:tfewster
ID: 41842559
Hi sunhux - I'm happy to discuss this further if you want to.

EE prompted me to close the question and award myself points which seems a bit unethical - If you want it deleted, I have no objections!

Regards,
tfewster

Expert Comment

by:tfewster
ID: 41868053
No further responses from user