HPE GreenLake Administration
- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Re: Deactivated users vs Zee Auditors
Operating System - HP-UX
1834802
Members
2882
Online
110070
Solutions
Forums
Categories
Company
Local Language
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Discussions
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Go to solution
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-10-2008 06:54 AM
07-10-2008 06:54 AM
Hello HP Forums !
In an ongoing effort to please the auditors we are now addressing the issue of policing the deactivated accounts on our HP-UX hosts.
We pretty much have the human accounts under control but the built-in accounts are still triggering the audit tools.
The message we get is that we have deactivated accounts on the systems and we should remove them. This is not entirely accurate since the accounts pose no threat but we are getting hit by the negative score nonetheless. Problem is those accounts were never active in the first place...
Here is what a fresh(ish) install of 11.31 looks like under truster mode.
# awk -F: '{print $1}' /etc/passwd | while read list
> do
> user=`echo $list`
> state=`/usr/lbin/getprpw -m lockout $list`
> echo $user $state
> done
root lockout=0000000
daemon lockout=0000001
bin lockout=0000001
sys lockout=0000001
adm lockout=0000001
uucp lockout=0000001
lp lockout=0000001
nuucp lockout=0000001
hpdb lockout=0000001
nobody lockout=0000001
www lockout=0000001
smbnull lockout=0000001
tftp lockout=0000001
sfmdb lockout=0000001
sshd lockout=0000001
iwww lockout=0000001
owww lockout=0000001
hpsmh lockout=0000001
ora10ge lockout=0000000
I understand that any value other than 0 in the lockout field will flag a user account as inactive. The manpage for getprpw stipulates that a value of "1" means "past password lifetime".
Although the system is in trusted mode the password expiration policies have not been enabled for these users (yet).
My guess is that a password has never been defined for these "built-in" users and that they had a "*" in the password field of /etc/passwd before the system was converted to trusted mode. Under trusted mode this situation seems to be interpreted as an expired password.
I definitely do NOT want to delete these accounts since I am sure that will result in breakage....
Here are my questions :
Are my interpretations of the lock field and user states correct ?
Can I define arbitrary, complex passwords for these built-in "users" in order to get a 0000000 in the lock field and please the auditors without adverse effects on my systems ?
Do any caveats come to mind ?
Thank you for your time !
In an ongoing effort to please the auditors we are now addressing the issue of policing the deactivated accounts on our HP-UX hosts.
We pretty much have the human accounts under control but the built-in accounts are still triggering the audit tools.
The message we get is that we have deactivated accounts on the systems and we should remove them. This is not entirely accurate since the accounts pose no threat but we are getting hit by the negative score nonetheless. Problem is those accounts were never active in the first place...
Here is what a fresh(ish) install of 11.31 looks like under truster mode.
# awk -F: '{print $1}' /etc/passwd | while read list
> do
> user=`echo $list`
> state=`/usr/lbin/getprpw -m lockout $list`
> echo $user $state
> done
root lockout=0000000
daemon lockout=0000001
bin lockout=0000001
sys lockout=0000001
adm lockout=0000001
uucp lockout=0000001
lp lockout=0000001
nuucp lockout=0000001
hpdb lockout=0000001
nobody lockout=0000001
www lockout=0000001
smbnull lockout=0000001
tftp lockout=0000001
sfmdb lockout=0000001
sshd lockout=0000001
iwww lockout=0000001
owww lockout=0000001
hpsmh lockout=0000001
ora10ge lockout=0000000
I understand that any value other than 0 in the lockout field will flag a user account as inactive. The manpage for getprpw stipulates that a value of "1" means "past password lifetime".
Although the system is in trusted mode the password expiration policies have not been enabled for these users (yet).
My guess is that a password has never been defined for these "built-in" users and that they had a "*" in the password field of /etc/passwd before the system was converted to trusted mode. Under trusted mode this situation seems to be interpreted as an expired password.
I definitely do NOT want to delete these accounts since I am sure that will result in breakage....
Here are my questions :
Are my interpretations of the lock field and user states correct ?
Can I define arbitrary, complex passwords for these built-in "users" in order to get a 0000000 in the lock field and please the auditors without adverse effects on my systems ?
Do any caveats come to mind ?
Thank you for your time !
Solved! Go to Solution.
4 REPLIES 4
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-10-2008 08:48 AM
07-10-2008 08:48 AM
Solution
Actually the position of the '1' on the accounts above indicates that they have a '*' as a password.
See the 'getprpw' man page for the position dependent meaning of the output you see.
Here's an excerpt:
lockout
returns the reason for a lockout in a "bit" valued string, where 0 = condition not present, 1 ispresent. The position, left to right represents:
1 past password lifetime
2 past last login time (inactive account)
3 past absolute account lifetime
4 exceeded unsuccessful login attempts
5 password required and a null password
6 admin lock
7 password is a *
If you wanted, you could potentially write a script to periodically change the password on these users and run a 'modprpw' to make the lockout string all 0's. However, this would be slightly LESS secure in my opinion.
If there is a password, then there is a chance, however small, that it could be cracked. With a '*' as the password there is absolutely NO CHANCE of anyone logging in as those users. The only way to become one of those users is to 'su -' as root.
The auditors need to better understand Unix security and not ding you here. But then that is the inherent problem I see with all auditors, they don't understand the stuff they are auditing.
See the 'getprpw' man page for the position dependent meaning of the output you see.
Here's an excerpt:
lockout
returns the reason for a lockout in a "bit" valued string, where 0 = condition not present, 1 ispresent. The position, left to right represents:
1 past password lifetime
2 past last login time (inactive account)
3 past absolute account lifetime
4 exceeded unsuccessful login attempts
5 password required and a null password
6 admin lock
7 password is a *
If you wanted, you could potentially write a script to periodically change the password on these users and run a 'modprpw' to make the lockout string all 0's. However, this would be slightly LESS secure in my opinion.
If there is a password, then there is a chance, however small, that it could be cracked. With a '*' as the password there is absolutely NO CHANCE of anyone logging in as those users. The only way to become one of those users is to 'su -
The auditors need to better understand Unix security and not ding you here. But then that is the inherent problem I see with all auditors, they don't understand the stuff they are auditing.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-10-2008 09:07 AM
07-10-2008 09:07 AM
Re: Deactivated users vs Zee Auditors
IMHO.. A locked account is more secure than one with a password.
Tip: When running reports for auditors, skip the mutually agreed upon system accounts. i.e. awk -F: '$3 > 99' /etc/passwd
They will then stop asking the same questions about these locked out system accounts that are required to run the OS.
Someday system auditors might be trained with knowledge on the systems they are auditing (doubt it).
Tip: When running reports for auditors, skip the mutually agreed upon system accounts. i.e. awk -F: '$3 > 99' /etc/passwd
They will then stop asking the same questions about these locked out system accounts that are required to run the OS.
Someday system auditors might be trained with knowledge on the systems they are auditing (doubt it).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-10-2008 09:51 AM
07-10-2008 09:51 AM
Re: Deactivated users vs Zee Auditors
Shalom,
sshd is a secure account out of the box. You can't log in with it. Messing with these accounts as an example in any way risks breakage.
If your auditors are concentrating on this, they are either incompetent, trying to justify their fees in a very secure shop or some other silliness.
Don't touch the files, do a little googling and provide the auditors documentation of two things:
1) These built in accounts are delivered secure.
2) Messing with them could cost you a lot of money with broken and down systems and any auditor recommending messing with this is risking a lot.
That being said, if you are forced to play, I'm a lock advocate.
I work at a company that provides security products for cable tv. We get audited every year. This issue has never come up on the audits of any of our 500 server class boxes.
SEP
sshd is a secure account out of the box. You can't log in with it. Messing with these accounts as an example in any way risks breakage.
If your auditors are concentrating on this, they are either incompetent, trying to justify their fees in a very secure shop or some other silliness.
Don't touch the files, do a little googling and provide the auditors documentation of two things:
1) These built in accounts are delivered secure.
2) Messing with them could cost you a lot of money with broken and down systems and any auditor recommending messing with this is risking a lot.
That being said, if you are forced to play, I'm a lock advocate.
I work at a company that provides security products for cable tv. We get audited every year. This issue has never come up on the audits of any of our 500 server class boxes.
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-10-2008 11:04 AM
07-10-2008 11:04 AM
Re: Deactivated users vs Zee Auditors
Thank you all for your very relevant replies.
I was interpreting the lockout field as a binary value instead of a "bit array", thanks for clearing that up Patrick.
I agree with all comments posted. Our auditors are not technical people so they are "slaves to the audit tools" if you will but they do listen to us admins. I will be able to justify the existance of these users and I will also be able to demonstrate that they pose a negligible security risk. The existance of these accounts will be documented and that should be the end of it.
Thank you everyone !
I was interpreting the lockout field as a binary value instead of a "bit array", thanks for clearing that up Patrick.
I agree with all comments posted. Our auditors are not technical people so they are "slaves to the audit tools" if you will but they do listen to us admins. I will be able to justify the existance of these users and I will also be able to demonstrate that they pose a negligible security risk. The existance of these accounts will be documented and that should be the end of it.
Thank you everyone !
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
Company
Events and news
Customer resources
© Copyright 2025 Hewlett Packard Enterprise Development LP