Administrator's Guide

• Ensure that all users understand the security policies. Place a company security
  policies file in each home directory.
• Examine the /etc/passwd file or other appropriate user database for unused
  accounts, and especially for users who have left the company.
• Examine root accounts to see who has root access.
• Consider implementing HP-UX Role-based Access Control to minimize the risks
  associated with multiple users having access to the root account. For more
  information, see Chapter 8.
• Examine guest accounts to see how often they are used.

2.1.2 Monitoring Guest Accounts

For the highest level of security, do not allow guest or open accounts. If you do have
guest accounts, then do the following:
• Change the guest password frequently. You can specify the password.
• Use a restricted shell (rsh) to limit system access. For information about the rsh
  command, refer to sh(1) and sh-posix(1).
• Guest accounts are often forgotten. Use one of the following methods to disable the
  guest account when not in use:
  - Use per-user security attributes to automatically disable the account after a certain
    number of inactive days. For more information, refer to security(4) and see
    Section 2.5.2.2.
  - Use the following command to lock the guest account:
    # passwd -l guest
  - Use the following command to delete the guest account:
    # userdel guest
• Schedule an at job to automatically lock temporary accounts. The at command reads
  the job from standard input, so enter the command on the next line and press
  Ctrl-D to end input:
  # at now +14 days
  passwd -l tempacct
• Regularly scan the /var/adm/wtmp and /var/adm/sulog files to check for
  unused accounts.
Refer to sh(1) and su(1) for more information.
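
The account checks described above (who has root access, which accounts show no recent login, and which accounts still have an unrestricted shell), as an added example that is not part of the original guide. The passwd entries, the recent-login list, the FULL_SHELLS list and all function names are constructed assumptions.

```sh
#!/bin/sh
# Added example. All account data below is constructed for illustration.

# Constructed sample in /etc/passwd format: name:passwd:uid:gid:gecos:home:shell
sample_passwd() {
cat <<'EOF'
root:x:0:3::/:/sbin/sh
sysadm2:x:0:3:Second admin:/home/sysadm2:/usr/bin/sh
alice:x:1001:20:Alice:/home/alice:/usr/bin/sh
bob:x:1002:20:Bob (left company):/home/bob:/usr/bin/ksh
guest:x:1003:20:Guest:/home/guest:/usr/bin/rsh
dbuser:x:1004:20:DB application user:/home/dbuser:/opt/db/bin/dbclient
EOF
}

# Constructed list of login names with recent logins, one per line.
# Assumption: on a real system this list is derived from the login records.
sample_recent() { printf '%s\n' root alice dbuser; }

# Accounts with UID 0, that is, every account with root access.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts in passwd file $1 that are absent from recent-login list $2.
# An empty or missing list reports every account as unused.
unused_accounts() {
    awk -F: -v recent="$2" '
        BEGIN { while ((getline u < recent) > 0) seen[u] = 1 }
        !($1 in seen) { print $1 }' "$1"
}

# Accounts whose login program is an unrestricted shell.
# Assumption: FULL_SHELLS lists the full shells installed on this system.
FULL_SHELLS="/sbin/sh /usr/bin/sh /usr/bin/ksh /usr/bin/csh"
full_shell_accounts() {
    awk -F: -v shells="$FULL_SHELLS" '
        BEGIN { n = split(shells, s, " "); for (i = 1; i <= n; i++) full[s[i]] = 1 }
        ($7 in full) { print $1 }' "$1"
}

# Run the three checks against the constructed sample.
dir="${TMPDIR:-/tmp}/acct_audit.$$"
mkdir "$dir" && trap 'rm -rf "$dir"' EXIT
sample_passwd > "$dir/passwd"; sample_recent > "$dir/recent"
echo "UID 0 accounts:";     uid0_accounts "$dir/passwd"
echo "No recent login:";    unused_accounts "$dir/passwd" "$dir/recent"
echo "Unrestricted shell:"; full_shell_accounts "$dir/passwd"
```

Accounts that appear in both the "No recent login" and "Unrestricted shell" lists (here sysadm2 and bob) are the first candidates for locking or removal.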

2.1.3 Creating Application User Accounts

If users only use HP-UX to launch an application, they do not require access to a shell.
These users should only be using the application, such as a database management
system, and do not need access to any HP-UX functionality.
To restrict access to HP-UX, modify the /etc/passwd file so that only a specific command
is executed after the user logs in. The /etc/passwd file contains essential information
required during login:
30 Administering User and System Security