topic system user id in Operating System - HP-UX

system user id

Animesh Chakraborty — Thu, 04 Apr 2002 02:16:19 GMT

hi,
I need to explain our auditors why these ids exists in our unix box and some of them like daemon,hpdb got .rhost file in their home directory with permission 644.

daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh

Anybody got better explanation to convince them?

Thanks in Advance
Animesh

Re: system user id

Michael Tully — Thu, 04 Apr 2002 02:32:10 GMT

Hi Animesh,

The /.rhosts file would only be used by
root. You should actually move root's home
dir to /root if not already. It is a BIG
security hole having a .rhosts file for root anyway. If possible get rid of it.

The other accounts are part of the operating
system.

lp is required for the spooler subsystem
daemon, bin, sys, adm are used by other
OS subsystems, uucp for ttys for modems etc

-Michael

Re: system user id

Michael Tully — Thu, 04 Apr 2002 02:35:49 GMT

One other thing:

Seeing that these accounts don't have passwords
and can't be logged into directly, they are
fairly safe anyway.

Something I've learnt over the years with
auditors, is do not volunteer information....
Sometimes it is better to baffle them with BS

-Michael

Re: system user id

A. Clay Stephenson — Thu, 04 Apr 2002 02:40:58 GMT

Hi:

A few of these could probably be removed if you are not using the facilities:

If you are not running the ALLBASE database, hpdb can go. If you are using no uucp facilities including cu then uucp and nuucp can go as well. The others should remain. In order for lp to work and especially remote lp, those users and generally that particular uid (and gid) must exist. The user daemon must exist for several daemons including grmd. The user adm is required for accounting and wtmp is normally owned by this user.

Re: system user id

harry d brown jr — Thu, 04 Apr 2002 02:46:49 GMT

If your auditors don't know why they are there, then why are they auditing you? Would you let your grocery store clerk perform open heart surgery on you? How I love auditors that are without a clue. Give them a quarter and have them call someone that knows a little about unix.

I've posted this before, but I think it needs to be repeated (forever):

I once had an "auditing" firm tell my client, a billion+ dollar bank, that they should remove all editors, and I was called, and I agreed that it is possible and I instructed them on how to do such.

A Day later, I was called and asked if we could remove the source code. Not a problem!

Another Day Later I was called and asked if we could remove the compilers. Again I agreed and led the way.

Again, another day later, I was called and asked if we could remove some other "STUFF". Now, I was getting sick and tired of the insanity, so I called the president and a few vp's of the Bank on a conference call with the auditor. I told the auditor that I could honor his request to remove the OBJECT code, and that I could do one better by removing the OPERATING SYSTEM and any references to the banks data. Needless to say, the auditing firm was fired for being completely idiotic and non-computer literate.

here's a good paper on building a bastion host:

http://people.hp.se/stevesk/bastion.html

live free or die
harry