Re: Valid User IDs?

 
Bill Brutzman
Frequent Advisor

Valid User IDs?

Our v10.01 HP-9000 E45 appears to have been hacked. Some files were deleted. Thus, I am trying to beef up security.

Which of the following user.ids are necessary to hp-ux? I do not recognize them...

adm bin daemon nuucp sys uucp

I am inclined to delete these users via SAM.

Suggestions are welcome.
Jeff_Traigle
Honored Contributor

Re: Valid User IDs?

Deleting system accounts is a bit dangerous. While people don't log into them, they do control ownership of numerous files throughout the system and could result in some subsystems not functioning if they don't exist. It is typically considered adequate to lock these accounts, which is how they ship standard with the OS these days. If they aren't already locked, you can issue "passwd -l" on them to lock them.
--
Jeff Traigle
Pete Randall
Outstanding Contributor

Re: Valid User IDs?

Those are required for various subsystems and the accounts are locked, anyway. If you look at the password field in /etc/passwd for them, you'll note that they have an asterisk, which means you can't log into them.


Pete
Victor BERRIDGE
Honored Contributor

Re: Valid User IDs?

Hi Bill
I would not touch these accounts since you shouldn't be able to use them (they have a * in the crypted passwd zone) e.g.
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
nobody:*:-2:-2::/:
And some don't have shells...
I would configure /etc/inetd.sec, check for valid shells, limit ftp...
And look for spoofs on the box, that is look for all the files with suid root and see if there are not spoofs...

Good luck
Victor
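
The lock check described in the replies above (a "*" in the password field of /etc/passwd), as an added example that is not part of the original thread. It assumes a non-trusted system where field 2 of /etc/passwd holds the password; the function names, the "maint" account and the hash strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit passwd-format input for the issues raised in the thread.
# Assumption: field 2 holds the password hash, or "*" when the account is locked.
SYSTEM_ACCOUNTS="adm bin daemon lp nuucp sys uucp hpdb nobody"

# Constructed sample (not from a real host): adm has a usable hash, nuucp is
# missing, and "maint" is an extra UID 0 account with an empty password field.
sample_passwd() {
    cat <<'EOF'
root:Xq3constructedhash:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:Ab9constructedhash:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
hpdb:*:27:1:ALLBASE:/:/sbin/sh
nobody:*:-2:-2::/:
maint::0:3::/:/sbin/sh
EOF
}

# Reads passwd-format lines on stdin and prints one finding per line.
audit_passwd() {
    awk -F: -v sysaccts="$SYSTEM_ACCOUNTS" '
        BEGIN { n = split(sysaccts, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*$/ { next }                      # skip blank lines
        {
            seen[$1] = 1
            if ($2 == "")
                print "NOPASSWD " $1             # no password needed to log in
            else if (($1 in want) && $2 != "*")
                print "UNLOCKED " $1             # system account that can log in
            if ($3 ~ /^0+$/ && $1 != "root")
                print "UID0 " $1                 # second superuser account
        }
        # A deleted system account leaves its files owned by a bare UID.
        END { for (i = 1; i <= n; i++) if (!(a[i] in seen)) print "MISSING " a[i] }
    '
}

# With a file argument, audit that file; otherwise audit the constructed sample.
if [ $# -gt 0 ]; then
    audit_passwd < "$1"
else
    sample_passwd | audit_passwd
fi
```

Any UNLOCKED line is a candidate for "passwd -l"; MISSING lines matter because those accounts own files that subsystems depend on.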
Peter Godron
Honored Contributor

Re: Valid User IDs?

Bill,
I would not recommend deleting the accounts. Better to lock them and concentrate on services not required. Check in /etc/services for example for uucp.
Best start is perhaps to read more on the subject/recommendations from the forums. Using forum search should bring a good selection.
Geoff Wild
Honored Contributor

Re: Valid User IDs?

Those are required.

Check for stuff in /tmp and /var/tmp - in case they put programs/back doors there.

Install bastille...and ipfilter...

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Tom Henning
Trusted Contributor
Solution

Re: Valid User IDs?

Those accounts are required but should be locked out so they cannot be used to log in with (just thought I'd join in with the gang on that one).

Another couple of information sources/tools are to download the security_patch_check tool (forget the patch number required for this one) and run it. Follow the recommendations as best you can for your system.

On my job we are also starting to use the Center for Internet Security (http://www.CISecurity.org/) benchmark and guidelines to assist in securing our systems. The HP-UX guide can be a help to securing your system, although there are other guides on the net also.

Good luck!
What is it that possesses otherwise sane individuals to change something just because it has not been changed in a while?
Bill Brutzman
Frequent Advisor

Re: Valid User IDs?

Thanks to those who responded !