Operating System - HP-UX

Re: User Account Features

 
G V R Shankar
Valued Contributor

User Account Features

Hi All,

Could you please help me with how I can achieve the following in HP-UX, without any 3rd-party tools?

1. After 180 days of inactivity the account should be blocked. : I am still looking for exact number
2. After 400 days of inactivity the account should be removed, logged and maintain in another data base as a record history : I am still looking for exact number

For the above 2 points, I couldn't find anything in TCB, /etc/default/security and /etc/pam.conf


Where can I get more information on the following library files related to PAM?

/usr/lib/hpux32/libpam.so.1
/usr/lib/hpux64/libpam.so.1
/usr/lib/libpam.1
/usr/lib/pa20_64/libpam.1

These libraries are being referenced in /etc/pam.conf

I am not sure what is defined in these library files.

Your help is greatly appreciated.

Thank You.

Ravi.
Pete Randall
Outstanding Contributor

Re: User Account Features

Write a cron script using the finger command to extract days of inactivity and then lock/remove the account manually.


Pete
Ganesan R
Honored Contributor

Re: User Account Features

Hi,

>>1. After 180 days of inactivity the account should be blocked. : I am still looking for exact number<<

This you can achieve by converting the system into trusted and applying the settings globally (all the users).

>>2. After 400 days of inactivity the account should be removed, logged and maintain in another data base as a record history :<<

I do not have any info to achieve this. But you can schedule a shell script in cron to do this based on the output from getprpw or other commands.
Best wishes,

Ganesh.
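
A sketch of the cron-driven check suggested in this thread, added here as an example (not code from any poster): it classifies accounts against the 180-day and 400-day thresholds from the original question and writes a history record for accounts due for removal. The input format, function names and history-file layout are assumptions; extracting last-login times from getprpw or finger output, and the actual lock and delete commands, are left to the site.

```shell
#!/bin/sh
# Added example: classify accounts by days since last login.
# Input on stdin (assumed format): "<user> <last_login_epoch>" per line;
# an epoch of 0 means the account has never logged in.
LOCK_DAYS=180     # requirement 1 in the question
REMOVE_DAYS=400   # requirement 2 in the question

# classify_accounts NOW_EPOCH
# Prints "<user> <ACTION> <idle_days>"; ACTION is KEEP, LOCK, REMOVE or REVIEW.
classify_accounts() {
    awk -v now="$1" -v lock="$LOCK_DAYS" -v remove="$REMOVE_DAYS" '
        /^[ \t]*(#|$)/ { next }                                        # comments, blank lines
        NF != 2 || $2 !~ /^[0-9]+$/ { print $1, "REVIEW", "-"; next }  # malformed record
        $2 == 0 || $2 > now { print $1, "REVIEW", "-"; next }          # never logged in, or clock skew
        {
            idle = int((now - $2) / 86400)
            action = "KEEP"
            if (idle >= remove)    action = "REMOVE"
            else if (idle >= lock) action = "LOCK"
            print $1, action, idle
        }'
}

# record_removals HISTORY_FILE NOW_EPOCH
# Reads classify_accounts output; appends one history line per REMOVE entry
# and echoes the user names so the caller can archive and delete them.
record_removals() {
    while read -r user action idle; do
        [ "$action" = "REMOVE" ] || continue
        printf '%s removed_after_idle_days=%s recorded_at=%s\n' "$user" "$idle" "$2" >> "$1"
        printf '%s\n' "$user"
    done
}

# Constructed sample input (not real accounts); NOW is fixed so results are reproducible.
SAMPLE_NOW=1700000000
SAMPLE_INPUT='alice 1699136000
bob 1682720000
carol 1665440000
dave 0
erin'

# Dry run: print the decision for each sample account.
printf '%s\n' "$SAMPLE_INPUT" | classify_accounts "$SAMPLE_NOW"
```

Accounts that have never logged in or have unusable records are marked REVIEW rather than locked or removed automatically, so service accounts are not deleted by mistake.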
TTr
Honored Contributor

Re: User Account Features

Task 1 is set up in TCB using the INACTIVITY_MAXDAYS setting. Check out the TCB fields and settings in

http://docs.hp.com/en/5992-3387/apas03.html?jumpid=reg_R1002_USEN

http://docs.hp.com/en/B2355-60130/security.4.html

You have to perform task 2 yourself via a script.

For PAM check out the man page http://docs.hp.com/en/B2355-60130/pam.3.html
and all the "see also" pages at the bottom.
UVK_1
Advisor

Re: User Account Features

Greetings !!

Use the switch '-f 180' while creating the user with useradd; that will give the functionality of disabling the user if there is no activity for 180 days.

Deleting can be achieved using a cron script as Pete said. Use the combination of finger and userdel.

Cheers,
uvk
G V R Shankar
Valued Contributor

Re: User Account Features

Hi All,

Thank you for the prompt responses.

Hi Ganesan,

I request you to me to the exact option in SAM.

Hi TTr,

All my systems are trusted. As per the URL http://docs.hp.com/en/B2355-60130/security.4.html
INACTIVITY_MAXDAYS is not applicable to Trusted Systems.

Hi UVK,

I have set it for one of the users using usermod -f 180 username. Where can I see it? getprpw doesn't show any information.

Cheers,

Ravi.
G V R Shankar
Valued Contributor

Re: User Account Features

Hi,

Could you please reply to my questions?

Ravi.
Mark Fenton
Esteemed Contributor

Re: User Account Features

In /etc/default, you could add a 'useradd' file with a line like:

INACT 180

and then by default, when a new account is created, the lockout will be set to 180 days of inactivity.

There's also a switch for EXPIRE, but I think that just sets how many days before deactivating the account (regardless of activity).
Ganesan R
Honored Contributor

Re: User Account Features

Hi Ravi,

>>>Hi Ganesan,

I request you to me to the exact option in SAM. <<<

Hope you are asking about the trusted configuration options in SAM.

SAM -> Auditing and Security -> System Security Policies -> General User Account Policies -> Enable Account Policies -> set the value here

Maximum Inactive Time (days): 180

Hope this helps


Best wishes,

Ganesh.
G V R Shankar
Valued Contributor

Re: User Account Features

Thank you Ganesan. I think I have overlooked General System policies.
G V R Shankar
Valued Contributor

Re: User Account Features

It is in the URL.