User's Manual

Solaris 9 Security CX-310-301 46
This prompts the user to enter a password twice.
Note: Setting the EEPROM password should not be done lightly because it cannot be reset easily if
forgotten and could render the system useless. The EEPROM device would have to be removed and
reprogrammed – this must be done by Sun Microsystems.
File and System Resources Protection
This section is concerned with user accounts and how to protect them from intruders, as well as restricting
access to files and the root account. It also describes Role Based Access Control (RBAC) allowing
privileged functions to be carried out by regular users, without having to reveal the root password. Also, in
this section, there is a brief discussion of Pluggable Authentication Modules (PAM) and Kerberos.
User Account Protection
User accounts and passwords are probably the most vulnerable to an attacker, so they should be guarded
closely to make sure you are not leaving the front door open to your systems. This section looks at the ways
in which user accounts can be better protected.
Checking for Duplicate Accounts
One tactic of the attacker is to create a user account with the same UID as an existing account, sometimes
to make a clone of the root account. As an example, I have created a dummy account with the username
roothack and a UID of 0, which gives this user the same privileges as the root user. Use the logins
command to detect duplicate accounts as shown here:
# logins -d
root 0 other 1 Super-User
roothack 0 other 1
A duplicate user account cannot be created using the useradd program, because the UID is already in use; it
has to be created manually (for example, by editing /etc/passwd and /etc/shadow directly).
The only scenario where a duplicate account can possibly be considered is where more than one user needs
to do the same thing and would otherwise have to share a single user account – but that would breach most,
if not all, security policies. A far better solution is to use Role Based Access Control (RBAC) to
create a role and then assign multiple users to the role. This maintains consistency and still retains
accountability, providing the ability to audit and log the actions carried out by each user.
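As an added example (not part of the guide, and not the logins command itself), the following POSIX shell script performs the same duplicate-UID check as logins -d directly against passwd-format data, using only awk so it also works on hosts that lack the logins command; the sample passwd content, the function names and the temporary file path are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the guide: find duplicate UIDs in passwd-format
# data the way "logins -d" does, plus a UID 0 listing, using only awk so it
# can run on hosts that lack the logins command.

# Constructed sample passwd content (not a real system file). The roothack
# entry mirrors the dummy UID 0 account described in the text.
SAMPLE_PASSWD='root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
roothack:x:0:1::/:/sbin/sh
jsmith:x:1001:10:J. Smith:/export/home/jsmith:/bin/ksh'

# duplicate_uids FILE
# Prints "<uid> <login> <login> ..." for every UID shared by more than one
# account. Returns 1 when duplicates exist, 0 otherwise, so it can gate an alert.
duplicate_uids() {
    awk -F: '
        NF >= 3 {
            uid = $3
            if (uid in logins) logins[uid] = logins[uid] " " $1
            else logins[uid] = $1
            count[uid]++
        }
        END {
            dup = 0
            for (uid in count)
                if (count[uid] > 1) { print uid, logins[uid]; dup = 1 }
            exit dup
        }' "$1"
}

# uid0_accounts FILE
# Lists every login with UID 0; anything other than root deserves a look.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Stand-alone run against the constructed sample (mktemp is avoided because
# older Solaris releases do not ship it).
TMP_PASSWD="${TMPDIR:-/tmp}/passwd.sample.$$"
printf '%s\n' "$SAMPLE_PASSWD" > "$TMP_PASSWD"
echo "UID 0 accounts:"
uid0_accounts "$TMP_PASSWD"
echo "Duplicate UIDs:"
duplicate_uids "$TMP_PASSWD" || echo "duplicate UIDs found - investigate"
```

Run it against /etc/passwd on a real host to get the same report as logins -d; a non-zero exit from duplicate_uids is the signal to investigate.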
Expiring Accounts
User accounts can be expired in three ways: