Authorized users gain access to the system by supplying
a valid user name (login name) and password. Each user is defined
by an entry in the /etc/passwd file. Use the
HP System Management Homepage (HP SMH) to add, remove, deactivate,
reactivate, or modify a user account.
For more information about passwords, refer to passwd(4), passwd(1), and see Section in this document.
Monitoring User Accounts
Following are guidelines for monitoring user accounts:
Regularly examine the output from the last, lastb, and who commands for
Verify that all users with accounts have a legitimate
business need to access the system.
Be alert for multiple users sharing the same user
account. Do not allow two users to share the same user account.
Verify that no user accounts share the same user ID
Ensure that all accounts have secure passwords that
Verify that all user home directories have the appropriate
permissions. Most home directories have read access but no write access
to other users. For better protection, set the read, write, and execute
permissions for the directory owner only.
Ensure that all users understand the security policies.
Place a company security policies file in each home directory.
Examine the /etc/passwd file
or other appropriate user database for unused accounts, and especially
for users who have left the company.
Examine root accounts to see who has root access.
Consider implementing HP-UX Role-based Access Control
to minimize the risks associated with multiple users having access
to the root account. For more information, see Chapter 9.
Examine guest accounts to see how often they are used.
Monitoring Guest Accounts
For the highest level of security, do not allow
guest or open accounts. If you do have guest accounts, then do the
Change the guest password frequently. You can specify
Use a restricted shell (rsh) to
limit system access. For information about the rsh command, refer to sh(1) and sh-posix(1).
Guest accounts are often forgotten. Use one of the
following methods to disable the guest account when not in use:
Use per-user security attributes to automatically
disable the account after a certain number of inactive days. For more
information, refer to security(4) and see Section .
Use the following command to lock the guest account:
Use the following command to delete the guest account:
Schedule an at job to automatically
lock temporary accounts:
# at now +14 days passwd -l tempacct
Regularly scan the /var/adm/wtmp and /var/adm/sulog files to check for unused
Refer to sh(1) and su(1) for more information.
Creating Application User Accounts
If users only use HP-UX to launch an application,
they do not require access to a shell. These users should only be
using the application, such as a database management system, and not
need access to any HP-UX functionality.
To restrict access to HP-UX, modify the /etc/passwd file so that only a specific command is executed
after the user logs in. The /etc/passwd file
contains essential information required during login:
Typically, the login program is a shell, such as /bin/sh, but it does not have to be a shell. You can create
a captive account—an account that logs a user directly into
an application—by identifying the application as the login shell.
Following is an example of restricting a user
to run only the date command. The /etc/passwd entry is:
username:rc70x.4,sx2:20:1:run only date command:/home/date:/usr/bin/date
At the login prompt, a user enters username and the appropriate password. The date command is executed and then the user is immediately
Tue Nov 14 18:38:38 PDT 2006
Managing Group Accounts
When a group has to share or have access to project-related
files, follow these steps to ensure security:
that each member has an entry in /etc/passwd.
an entry for the group in the /etc/group file.
a shared directory for the group.
drwxrwx-- root project /home/projects
umask in each group member's ~/.profile.
In the following example, users in the group can read, write, and
execute files, but no one else can:
umask u=rwx,g=rwx, o=