topic Re: Block user accounts in Operating System - HP-UX

Block user accounts

Arunabha Banerjee — Wed, 07 Sep 2011 14:50:45 GMT

I need one urgent information. How to block user accounts who has not logged in to the server last 6 months in HP-UX 11i (on both Trusted and non-Trusted) system. I don't want to execute command manually (like passwd -l username). Please advise ...

Re: Block user accounts

Pete Randall — Wed, 07 Sep 2011 16:03:56 GMT

Describing your system as 11i leaves a range of options - like 11.11, 11.23, 11.31, and more. I would suggest you look at man (4) security, particularly the inactivity_maxdays parameter. In 11.11, at least, this parameter only applies to non-trusted systems. If you have a more current release then your mileage may vary.

Re: Block user accounts

Pete Randall — Wed, 07 Sep 2011 16:08:27 GMT

Oops! Glad I double checked. The man page I looked at was for 11.31.

In the case of trusted systems, I would suggest that you take note of the fact that trusted systems are deprecated as of 11.31 and you should probably be looking into the shadow password feature instead.

Re: Block user accounts

James R. Ferguson — Wed, 07 Sep 2011 16:21:08 GMT

Hi:

Pete's comments (including the deprecation of Trusted Systems) are the same ones I would make. I too would establish (at least where you can), the 'INACTIVITY_MAXDAYS' in '/etc/default/security'.

In order to "clean up" users without recent activity, consider running 'last' and parsing out a list of users who haven't logged in or are absent from the underlying '/var/adm/wtmp' file which would mean that they have never logged in during the file's coverage period. You might find that converting '/var/adm/wtmp' to its ASCII counterpart, which exposes Epoch dates, more useful:

# /usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp

Once you enumerate the users who haven't looged-in recently, a simple script to lock those accounts should be something any sysadmin could write.

Regards!

...JRF...