topic Re: Prevent direct login (su only) in Operating System - HP-UX

Prevent direct login (su only)

Gary L. Paveza, Jr. — Thu, 29 May 2003 16:26:35 GMT

Does anyone have an scripts that they use to prevent direct login by a user ID? We need to have user IDs (such as oracle), but not allow users to login to these IDs (they are to be forced to su). Currently, I had a hack in the /etc/profile file to do this, but due to auditing, I think I'm better off replacing the shell of the user with a script which does this. Anyone have an example of such a script to keep me from reinventing the wheel? Thanks in advance.

Re: Prevent direct login (su only)

Bill Douglass — Thu, 29 May 2003 17:17:46 GMT

One way is to install sudo on your system (get the package from http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.6/),
and set up your /etc/sudoers file like so:

USER_ALIAS ORACLE = user1, user2

ORACLE ALL = /usr/bin/su - oracle

Then, any of the users you have listed in the ORACLE USER_ALIAS can get a login shell as oracle by typing in:

sudo su - oracle

Set the password field in /etc/passwd to "*" to disable login access to the oracle account.

Re: Prevent direct login (su only)

Robert-Jan Goossens — Thu, 29 May 2003 17:56:48 GMT

Hi,

Take a look at this question.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x7924cbaac6dcd5118ff40090279cd0f9,00.html

Kind regards,

Robert-Jan.

Re: Prevent direct login (su only)

Chris Vail — Fri, 30 May 2003 15:56:50 GMT

I've attached a document that answers this very question. It has a lot of hardening steps.
(It also irritates the DBA's!)

Chris

Re: Prevent direct login (su only)

Jordan Bean — Fri, 30 May 2003 17:10:34 GMT

In /etc/profile or /etc/csh.login include a quick hack that terminates the shell if the $(logname) matches a list of restricted users.

/etc/profile:

tty -s && grep -q $(logname) /etc/login.deny && exit 0

As of patch bundle March 2003, the logname command fails for ttys using the pts driver (ssh). The tels driver is okay (telnet). So you may also concider testing the ownership of the tty:

tty -s && grep -q $(id -un) /etc/login.deny && test -O $(tty) && exit 0

Re: Prevent direct login (su only)

Jordan Bean — Fri, 30 May 2003 17:13:40 GMT

What did your security auditor say about doing this the system login profile?

Re: Prevent direct login (su only)

Suhas_2 — Sat, 31 May 2003 13:15:34 GMT

Hi,
Alternatively, you may wish to use "PowerBroker" software from Symark.
www.symark.com/powerbroker.htm

This will allow you to delegate these privileges to other users. It will authenticate the end-user. It will help to keep an Audit Trail of the activity carried out.

Hope this helps.

Regards...
Suhas

Have a look at this link.
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x0af4585fae8bd711abdc0090277a778c,00.html

Re: Prevent direct login (su only)

Gary L. Paveza, Jr. — Mon, 02 Jun 2003 17:00:10 GMT

Auditors would ideally like to see something that would show up in /etc/passwd, not /etc/profile. So I'm going to be writing a script which basically prevents login. That should allow su to function. Just a matter of hardening it up really well.