Administrator's Guide

2 Administering User and System Security
This chapter addresses basic user security after the operating system is installed. It focuses
on logins, passwords, and other user interactions with the system. The following topics
are discussed:
• Managing user access (Section 2.1)
• Authenticating users during login (Section 2.2)
• Authenticating users with PAM (Section 2.3)
• Managing passwords (Section 2.4)
• Defining system security attributes (Section 2.5)
• Handling setuid and setgid programs (Section 2.6)
• Preventing stack buffer overflow attacks (Section 2.7)
• Protecting unattended terminals and workstations (Section 2.8)
• Protecting against system access by remote devices (Section 2.9)
• Securing login banners (Section 2.10)
• Protecting the root account (Section 2.11)
2.1 Managing User Access
Authorized users gain access to the system by supplying a valid user name (login name)
and password. Each user is defined by an entry in the /etc/passwd file. Use the HP
System Management Homepage (HP SMH) to add, remove, deactivate, reactivate, or
modify a user account.
For more information about passwords, refer to passwd(4) and passwd(1), and see
Section 2.4 in this document.
2.1.1 Monitoring User Accounts
Following are guidelines for monitoring user accounts:
• Regularly examine the output from the last, lastb, and who commands for unusual
  logins.
• Verify that all users with accounts have a legitimate business need to access the
  system.
• Be alert for multiple users sharing the same user account. Do not allow two users to
  share the same user account.
• Verify that no user accounts share the same user ID (UID).
• Ensure that all accounts have secure passwords that change regularly.
• Verify that all user home directories have the appropriate permissions. Most home
  directories grant read access, but not write access, to other users. For better
  protection, set the read, write, and execute permissions for the directory owner only.
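
The shared-UID and home-directory checks in the guidelines above can be scripted. The following is an added example, not part of the original guide: the function names dup_uids, loose_homes and make_sample and the sample accounts are constructed for illustration, and it assumes a POSIX sh with awk and ls.

```shell
#!/bin/sh
# Added example: account audit helpers. Each takes a passwd-format file.

# Print "UID: name1,name2" for every UID assigned to more than one account.
dup_uids() {
    awk -F: '
        NF >= 7 && $1 !~ /^#/ {
            names[$3] = names[$3] (count[$3]++ ? "," : "") $1
        }
        END { for (u in count) if (count[u] > 1) print u ": " names[u] }
    ' "${1:-/etc/passwd}" | sort -n
}

# Print "name home mode" for home directories writable by group or other.
# With "strict" as the second argument, report any group/other access at all
# (the owner-only setting the guideline recommends for better protection).
loose_homes() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        case $name in ''|'#'*) continue ;; esac
        [ -d "$home" ] || continue
        # Keep the 10 mode characters; drop any trailing ACL marker.
        mode=$(ls -ldL "$home" | awk '{ print substr($1, 1, 10) }')
        case $mode in
            d????w????|d???????w?) echo "$name $home $mode" ;;
            d???------) ;;
            *) if [ "${2:-}" = strict ]; then echo "$name $home $mode"; fi ;;
        esac
    done < "${1:-/etc/passwd}"
    return 0
}

# Constructed sample data (not from a real system): a passwd file and three
# home directories in a scratch directory. Prints the passwd file's path.
# mkdir without -p fails if the name already exists, so nothing is reused.
make_sample() {
    d=${TMPDIR:-/tmp}/acctaudit.$$
    mkdir -m 700 "$d" || return 1
    mkdir -m 755 "$d/alice"; mkdir -m 700 "$d/bob"; mkdir -m 777 "$d/carol"
    cat > "$d/passwd" <<EOF
alice:x:101:20::$d/alice:/usr/bin/sh
bob:x:102:20::$d/bob:/usr/bin/sh
carol:x:102:20::$d/carol:/usr/bin/sh
EOF
    echo "$d/passwd"
}
```

On the sample data, dup_uids reports that bob and carol share UID 102, and loose_homes reports carol's world-writable home; in strict mode it also reports alice's mode 755 directory.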