Hp-UX User Access Control

User Access Control

Tight controls must be maintained on user’s accounts. You should only have accounts on a system that are necessary for the applications that are running.

Restrict root login to just the console. User must use su to login as root.

____ /usr/bin/touch /etc/securetty
____ /usr/bin/echo console > /etc/securetty
____ /usr/bin/chmod 400 /etc/securetty

Enable password history and password reuse. On a trusted systems, the system administrator can enable the password history feature to discourage users from reusing previous passwords

____ /usr/bin/touch /etc/default/security
____ /usr/bin/echo "PASSWORD_HISTORY_DEPTH=10" > /etc/default/security
____ /usr/bin/chown bin:bin /etc/default/security
____ /usr/bin/chmod 444 /etc/default/security

Lock all "pseudo-accounts", including uucp, lp, nnucp, sys, hpdb and www. These are logins that are not associated with individual users and do not have true interactive shells. They are in the password file because they are owners of files.

____ /usr/bin/vi /etc/passwd and change the default shell to /dev/null
____ Lock accounts using /usr/bin/passwd –l
____ Remove any files in /var/spool/cron/crontabs except for root
____ Remove any files in /var/spool/cron/atjobs except for root

Ensure that root is the only login that has access to run crontab and at commands

____ /usr/bin/echo root > /var/admin/cron/cron.allow
____ /usr/bin/echo root > /var/adm/cron/at.allow
____ /usr/bin/chmod 400 /var/adm/cron/cron.allow
____ /usr/bin/chmod 400 /var/adm/cron/at.allow
____ /usr/bin/rm /var/adm/cron/cron.deny
____ /usr/bin/rm /var/adm/cron/at.deny

Restrict ftp access. At a minimum all logins with uid < 100 should not be able to ftp. Also add any other logins that do not need to ftp to /etc/ftpd/ftpusers.

____ /usr/bin/touch /etc/ftpd/ftpusers
____ /usr/bin/chown root:root /etc/ftpd/ftpusers
____ /usr/binchmod 600 /etc/ftpd/ftpusers
____ Add administrative logins to /etc/ftpd/ftpusers

for names in root, daemon, bin, sys and adm

echo $names >> /etc/ftpd/ftpusers

done

Check for /etc/hosts.equiv, ~/.netrc and ~/.rhost files. The existence of these files can allow selected users to be granted password-free access to a system. There shouldn’t be any of these files on your system. But if you have a need for them, check that they are not world-writeable and that there is no + in them. A + means the system will trust all other systems. You can use the following command to search for these files. You should run this command periodically and review the output.

____ /usr/bin/find / $ -name .rhosts –o –name .netrc –o -name hosts.equiv $ -exec ls -ldb {} \; -exec more {} \;

If you are still running inetd and are allowing ftp access you will want to log ftp access to /var/adm/syslog/syslog.log and change the default umask to 022.

____/usr/bin/vi /etc/inetd.conf
____ Add –l and –umask –22 to ftpd

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -umask 022

Add umask 022 and TMOUT to /etc/profile. Umask 022 will restrict file permissions. TMOUT will limit how long a session can set idle. But remember these can be easily overwritten in ~/.profile.

____ /usr/bin/vi /etc/profile
____ insert umask 022
____ insert TMOUT=1800 (TMOUT is in seconds)

Statutory Warnings

Add a warning message that machine is for authorized use only and that all activity is subject to monitoring. It is believed that having such a warning, could aid in the prosecution of any computer crimes involving that machine. You should however, consult with legal counsel about the wording of the message. The following is an example of one such message.

This system is the property of the Company ABC. All activities on this system are subject to monitoring for illegal or unauthorized activity.

Anyone using this system expressly consents to such monitoring and is advised that if monitoring reveals possible improper or criminal activity, system personnel may provide the evidence of such monitoring to authorities.

____ /usr/bin/touch /etc/issue
____ /usr/bin/touch /etc/motd.
____ /usr/bin/chown root:root /etc/issue
____ /usr/bin/chown root:sys /etc/motd
____ /usr/bin/chmod 644 /etc/issue
____ /usr/bin/chmod 644 /etc/motd
____ copy warning message to /etc/issue and /etc/motd
____ /usr/bin/vi /etc/inetd.conf *
____ add –b /etc/issue to the end of the telnetd

telnet stream tcp nowait root /usr/lbin/telnetd telnetd -b /etc/issue

* This is assuming you’re running inetd. If not, disregard this step.

Technical Help

Please find our other blogs which related to technical and devotional. We are a team grabing information from technical support forms where many issues solved by real time experianced people in the support forums. most of the issues are fixed by our best fallowers. Our team is working in top MNC companies located in all over India in different technolagies, here we share real time issues and help documents. like Troubleshooting steps, documentation, whitepapers, SOP's and many more, .

Any one can contribute here with your real time issues, though it help to others to find and fix before they fight with support folks.

Technical Help

Hp-UX User Access Control

Related Posts

No comments