System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

security audit found weak passwords for sys, adm, hpdb, www etc

vz7r1x
Regular Advisor

security audit found weak passwords for sys, adm, hpdb, www etc

I ran a system audit and audit found weak passwords for many generic accounts like daemon, sys, bin. uucp, nuucp,hpdb,www etc.

I am running HPUX 11.11.

A have strong/complex passowrd scheme on the system. I do not want to change passowrd or shell for these accounts because it may affect system or performance.

How do I address the weak password issue?
4 REPLIES
Tingli
Esteemed Contributor

Re: security audit found weak passwords for sys, adm, hpdb, www etc

I don't think you need password for daemon, sys, bin, uucp and etc. They need to be locked for the least.
Steven E. Protter
Exalted Contributor

Re: security audit found weak passwords for sys, adm, hpdb, www etc

Shalom,

You don't. Those id's can not log in.

Take a look at the shell entry in /etc/passwd

If it can't log in, its not a security threat.

These results are a typical result of automated scripts to test security and a security auditor should have checked the shell entry and deleted them from this report.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
James R. Ferguson
Acclaimed Contributor

Re: security audit found weak passwords for sys, adm, hpdb, www etc

Hi:

> I ran a system audit and audit found weak passwords for many generic accounts like daemon, sys, bin. uucp, nuucp,hpdb,www etc.

Got to love those audits (that don't understand UNIX).

By "weak passwords" do you mean an "*" for these accounts? If so, then no one can login anyway! The accounts are there for root to use to run various subsystems.

An "*" in the '/etc/passwd' password field, or an "x" in the password field that points the account to '/etc/shadow' where an "*" exists instead of an encrypted password means that no one can login. There is nothing "weak" about this.

Regards!

...JRF...
Steven E. Protter
Exalted Contributor

Re: security audit found weak passwords for sys, adm, hpdb, www etc

At my last two jobs I spent a great deal of time explaining to security auditors, internal and external this issue.

If the user can not log in, its not a threat.

Part of the security audit process is explaining simple Unix to the auditors.

Maybe there is a niche market I should be in.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com