AIX minage & maxage & rlogin in default & indiv ids

In /etc/security/user, we have
default:
      admin = false
      login = true
      su = false
      daemon = true
      rlogin = true
        . . .
      minage = 1
      maxage = 8
      mindiff = 3
      maxrepeats = 2
      dictionlist =
      pwdchecks =

oracle:
      minage = 0
      maxage = 0

infrauser1:
      minage = 0
      maxage = 0

sshuser:
      admin = false
      maxage = 0

infrauser2:
      minage = 0
      maxage = 0


Q1:
For infrauser1 & 2, shouldn't the minage=1 & maxage=8 to match with the default & security best practice?

Q2:
with min & maxage=0, for these 2 infra users, do these settings override the system default's minage=1 & maxage=8 ?

Q3:
For oracle account, what's the best/secure practice out there? min & maxage=0 ?

Q4:
for sshuser used to do sftp, what's the best/secure practice out there? min & maxage=0 ?
sunhuxAsked:

tfewsterCommented:
Q1: Yes, it should match your security policy (I assume the defaults reflect that policy)
Q2: Yes, it should match your security policy
Q3: It should match your security policy
Q4: It should match your security policy

I know this is a simplistic view, but it's best security practice. If it's merely inconvenient for the DBAs to change the oracle password, that's not a good enough reason - You can do a great deal of damage with the oracle ID, so it has to be properly managed. Even better, make the DBAs log in with individual IDs and give those IDs sudo rights to switch to the oracle id.

If the other accounts are configured in multiple endpoints, e.g. scripts, that can make it harder to manage. But you need to know the procedure to change those passwords (including updating any login scripts). Then you can start to enforce regular rotation at a convenient time of day BEFORE the password actually expires.

Also consider using ssh keys instead of passwords, so you can keep better control of access without having to distribute passwords.

Of course, it also depends on how sensitive these accounts are. If the sftp user can't  do much apart from get/put non-sensitive files, you can grant an exception in that case - e.g. change the password less often (but still keep track of who/where it is used)
0

sunhuxAuthor Commented:
Need to clarify on what's "Yes", esp. for the following 2:

Q2:
with min & maxage=0, for these 2 infra users, do these settings override the system default's minage=1 & maxage=8 ?
So in the case of our infrauser1 & 2, our setting of 0 is not adhering to best practice?

Q3:
For oracle account, what's the best/secure practice out there? min & maxage=0 ?
So it should be 1 & 7 respectively according to our security policy?
0
sunhuxAuthor Commented:
Missed 1 item which was in the subject of the 1st posting:

In the same /etc/security/user,
default:
      rlogin = true

Shouldn't rlogin be set to 'false' as rlogin doesn't require password & keys ?
0

tfewsterCommented:
Apologies, I missed some of the points
Q2: Yes, individual settings override the system default, so these accounts are not compliant with your standard policy (I assume the defaults section settings match company policy, I'm pretty sure they've been tweaked from the settings on a fresh system install)

Q3: Yes, 1 and 8 (or just remove the "overrides") to match company policy. If you plan to change the password every 7 weeks, it will never expire. Even if it does expire, cron jobs etc. will continue to run - only the login will be disabled.

The rlogin setting refers to remote login capability with rlogin/rsh/rexec AND telnet, so if you don't use those protocols any more then set rlogin=false. ssh/sftp and standard ftp will not be affected.
0
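The answer above states the two facts that matter: a per-user stanza overrides the default: stanza attribute by attribute, and maxage = 0 means the password never expires. The script below is an added example (not from this thread or from AIX) that resolves the effective minage/maxage for each stanza of an /etc/security/user-style file and lists the accounts whose own stanza zeroes an attribute. It assumes the stanza text is written to a temporary file so it can run off-box; the sample content is a constructed copy of the excerpt in the question.

```sh
#!/bin/sh
# Added example: resolve effective password-ageing settings from an
# /etc/security/user-style stanza file and flag per-user overrides to 0.
# Assumption: the sample below is a constructed copy of the question's
# excerpt, written to a temp file; on AIX pass /etc/security/user instead.

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
default:
      admin = false
      login = true
      rlogin = true
      minage = 1
      maxage = 8
      mindiff = 3
      maxrepeats = 2
      dictionlist =
      pwdchecks =

oracle:
      minage = 0
      maxage = 0

infrauser1:
      minage = 0
      maxage = 0

sshuser:
      admin = false
      maxage = 0
EOF

# stanzas FILE
# Print every stanza name except default: (header lines look like "name:").
stanzas() {
    awk '/^[A-Za-z0-9_.-]+:[ \t]*$/ { sub(/:.*/, ""); if ($0 != "default") print }' "$1"
}

# effective_value FILE STANZA ATTR
# Print the value that applies to STANZA: its own "ATTR = value" line if it
# has one, otherwise the value from default: (the AIX resolution order).
effective_value() {
    awk -v stanza="$2" -v attr="$3" '
        /^[A-Za-z0-9_.-]+:[ \t]*$/ { cur = $0; sub(/:.*/, "", cur); next }
        $1 == attr && $2 == "=" {
            if (cur == stanza)         own = $3
            else if (cur == "default") def = $3
        }
        END { print (own != "" ? own : def) }
    ' "$1"
}

# zero_overrides FILE ATTR
# Print the stanzas (other than default:) whose own line sets ATTR = 0,
# e.g. maxage = 0 means the password never expires for that account.
zero_overrides() {
    awk -v attr="$2" '
        /^[A-Za-z0-9_.-]+:[ \t]*$/ { cur = $0; sub(/:.*/, "", cur); next }
        cur != "" && cur != "default" && $1 == attr && $2 == "=" && $3 == "0" { print cur }
    ' "$1"
}

# report FILE
# Effective minage/maxage per account, then the accounts that never expire.
report() {
    for acct in $(stanzas "$1"); do
        printf '%-12s minage=%s maxage=%s\n' "$acct" \
            "$(effective_value "$1" "$acct" minage)" \
            "$(effective_value "$1" "$acct" maxage)"
    done
    echo "never expire (maxage = 0): $(zero_overrides "$1" maxage | tr '\n' ' ')"
}

report "$SAMPLE"
```

For the sample, sshuser resolves to minage=1 (inherited from default:) and maxage=0 (its own override), which is the mix the original poster was unsure about. On a real AIX host the native way to read the same effective values is lssec, e.g. `lssec -f /etc/security/user -s infrauser1 -a minage -a maxage`; the script is only a portable way to review a copied file.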
tfewsterCommented:
Hi sunhux - I'm happy to discuss this further if you want to.

EE prompted me to close the question and award myself points which seems a bit unethical - If you want it deleted, I have no objections!

Regards,
tfewster
0
tfewsterCommented:
No further responses from user
0