HPE Community
Operating System - HP-UX
1832541 Members
4338 Online
110043 Solutions
New Discussion

security audit found weak passwords for sys, adm, hpdb, www etc

 
vz7r1x
Regular Advisor

‎08-25-2009 07:31 AM

‎08-25-2009 07:31 AM

security audit found weak passwords for sys, adm, hpdb, www etc

I ran a system audit and audit found weak passwords for many generic accounts like daemon, sys, bin. uucp, nuucp,hpdb,www etc.

I am running HPUX 11.11.

A have strong/complex passowrd scheme on the system. I do not want to change passowrd or shell for these accounts because it may affect system or performance.

How do I address the weak password issue?
0 Kudos
Reply
4 REPLIES 4
Tingli
Esteemed Contributor

‎08-25-2009 07:38 AM

‎08-25-2009 07:38 AM

Re: security audit found weak passwords for sys, adm, hpdb, www etc

I don't think you need password for daemon, sys, bin, uucp and etc. They need to be locked for the least.
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎08-25-2009 07:59 AM

‎08-25-2009 07:59 AM

Re: security audit found weak passwords for sys, adm, hpdb, www etc

Shalom,

You don't. Those id's can not log in.

Take a look at the shell entry in /etc/passwd

If it can't log in, its not a security threat.

These results are a typical result of automated scripts to test security and a security auditor should have checked the shell entry and deleted them from this report.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

‎08-25-2009 08:12 AM

‎08-25-2009 08:12 AM

Re: security audit found weak passwords for sys, adm, hpdb, www etc

Hi:

> I ran a system audit and audit found weak passwords for many generic accounts like daemon, sys, bin. uucp, nuucp,hpdb,www etc.

Got to love those audits (that don't understand UNIX).

By "weak passwords" do you mean an "*" for these accounts? If so, then no one can login anyway! The accounts are there for root to use to run various subsystems.

An "*" in the '/etc/passwd' password field, or an "x" in the password field that points the account to '/etc/shadow' where an "*" exists instead of an encrypted password means that no one can login. There is nothing "weak" about this.

Regards!

...JRF...
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎08-25-2009 08:25 AM

‎08-25-2009 08:25 AM

Re: security audit found weak passwords for sys, adm, hpdb, www etc

At my last two jobs I spent a great deal of time explaining to security auditors, internal and external this issue.

If the user can not log in, its not a threat.

Part of the security audit process is explaining simple Unix to the auditors.

Maybe there is a niche market I should be in.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.