topic Re: Valid User IDs? in Operating System - HP-UX

Valid User IDs?

Bill Brutzman — Wed, 15 Feb 2006 11:40:27 GMT

Our v10.01 HP-9000 E45 appears to have been hacked. Some files were deleted. Thus, I am trying to beef up security.

Which of the following user.ids are necessary to hp-ux? I do not recognize them...

adm bin daemon nuucp sys uucp

I am inclined to delete these users via SAM.

Suggestions are welcome.

Re: Valid User IDs?

Jeff_Traigle — Wed, 15 Feb 2006 11:48:10 GMT

Deleting system accounts is a bit dangerous. While people don't log into them, they do control ownership of numerous files throughout the system and could result in some subsystems not functioning if they don't exist. It is typically considered adequated to lock these accounts, which is how they ship standard with the OS these days. If they aren't already locked, you can issue "passwd -l" on them to lock them.

Re: Valid User IDs?

Pete Randall — Wed, 15 Feb 2006 11:49:24 GMT

Those are required for various subsystems and the accounts are locked, anyway. If you look at the password field in /etc/passwd for them, you'll note that they have an asterisk, which means you can't log into them.

Pete

Re: Valid User IDs?

Victor BERRIDGE — Wed, 15 Feb 2006 11:52:04 GMT

Hi Bill
I would not touch these account since you shoulnt be able to use them (have a * in the cripted passwd zone) e.g.
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
nobody:*:-2:-2::/:
And some dont have shells...
I would configure /etc/inetd.sec, check for valid shells, limit ftp...
And look for spoofs on the box, that is look for all the files with suid root and see if there are not spoofs...

Good luck
Victor

Re: Valid User IDs?

Peter Godron — Wed, 15 Feb 2006 11:54:40 GMT

Bill,
I would not recommend deleting the accounts. Better to lock them and concentrate on servcices not required. Check in /etc/services for example for uucp.
Best start if perhaps to read more on the subject/recommendations from the forums. Using forum search should bring a good selection

Re: Valid User IDs?

Geoff Wild — Wed, 15 Feb 2006 12:00:06 GMT

Those are required.

Check for stuff in /tmp and /var/tmp - in case they put programs/back doors there.

Install bastille...and ipfilter...

Rgds...Geoff

Re: Valid User IDs?

Tom Henning — Thu, 16 Feb 2006 06:35:07 GMT

Those accounts are required but should be locked out so they cannot be used to log in with(just thought I'd join in with the gang on that one).

Another couple of information sources/tools are to download the security_patch_check tool (forget the patch number required for this one) and run it. Follow the recommendations as best you can for your system.

On my job we are also starting to use the Center for Internet Security (http://www.CISecurity.org/) benchmark and guidelines to assist in security our systems. The HP-UX guide can be a help to securing your system, although there are other guides on the net also.

Good luck!

Re: Valid User IDs?

Bill Brutzman — Thu, 16 Feb 2006 10:00:07 GMT

Thanks to those who responded !