> 1) Extract a recent report of user ids that do not have a specific owners assigned.
While there is no perfect answer, the easiest answer is that any userID that does not have a user name that is a known employee would fall into this class. So here are 'standard' owner-less logins:
lp
daemon
bin
sys
uucp
www
and so on. Now you have to defend the existence of these owner-less userIDs. That's easy: every Unix system requires administration IDs such as lp. If the userID is removed then a subsystem may break. If the auditor wants an owner for these administrative IDs, then tell them they are managed by the system administrators.
Now removing former employee logins or temporary logins requires a company policy. It is certainly possible that removing a userID and all the files they owned could have serious results -- most high security companies require that no account or user files be removed. Instead, all automated tools and scripts must be examined for validity or disabled.
> 2) Assign owners to these userids
Assign the root sysadmins to the accounts. But this is nothing but paperwork. The auditors are focusing on logins, not functionality.
> 3) Extract a recent report of user ids that have UID of 0
> 4) Ensure that only Root has a UID of 0.
Actually, both requirements can be met with one command:
logins -d
This should be a cron job for any secure system. What logins -d produces is a list of any UID that appears more than once, or nothing when there are no duplicate user IDs. This is regardless of whether they are UID 0 or some other UID. You don't want any duplicate UIDs. Many admins will create backdoors with a special login with UID 0. But this is exactly what a hacker would want and the point behind the auditor requirement. This poor technique is eliminated with tools such as sudo.
Bill Hassell, sysadmin
