Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 2 Administering User and System Security

Managing User Access


Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

Authorized users gain access to the system by supplying a valid user name (login name) and password. Each user is defined by an entry in the /etc/passwd file. Use the HP System Management Homepage (HP SMH) to add, remove, deactivate, reactivate, or modify a user account.

For more information about passwords, refer to passwd(4), passwd(1), and see Section  in this document.

Monitoring User Accounts

Following are guidelines for monitoring user accounts:

  • Regularly examine the output from the last, lastb, and who commands for unusual logins.

  • Verify that all users with accounts have a legitimate business need to access the system.

  • Be alert for multiple users sharing the same user account. Do not allow two users to share the same user account.

  • Verify that no user accounts share the same user ID (UID).

  • Ensure that all accounts have secure passwords that change regularly.

  • Verify that all user home directories have the appropriate permissions. Most home directories have read access but no write access to other users. For better protection, set the read, write, and execute permissions for the directory owner only.

  • Ensure that all users understand the security policies. Place a company security policies file in each home directory.

  • Examine the /etc/passwd file or other appropriate user database for unused accounts, and especially for users who have left the company.

  • Examine root accounts to see who has root access.

  • Consider implementing HP-UX Role-based Access Control to minimize the risks associated with multiple users having access to the root account. For more information, see Chapter 9.

  • Examine guest accounts to see how often they are used.

Monitoring Guest Accounts

For the highest level of security, do not allow guest or open accounts. If you do have guest accounts, then do the following:

  • Change the guest password frequently. You can specify the password.

  • Use a restricted shell (rsh) to limit system access. For information about the rsh command, refer to sh(1) and sh-posix(1).

  • Guest accounts are often forgotten. Use one of the following methods to disable the guest account when not in use:

    • Use per-user security attributes to automatically disable the account after a certain number of inactive days. For more information, refer to security(4) and see Section .

    • Use the following command to lock the guest account:

      # passwd -l guest
    • Use the following command to delete the guest account:

      # userdel guest
  • Schedule an at job to automatically lock temporary accounts:

    # at now +14 days passwd -l tempacct
  • Regularly scan the /var/adm/wtmp and /var/adm/sulog files to check for unused accounts.

Refer to sh(1) and su(1) for more information.

Creating Application User Accounts

If users only use HP-UX to launch an application, they do not require access to a shell. These users should only be using the application, such as a database management system, and not need access to any HP-UX functionality.

To restrict access to HP-UX, modify the /etc/passwd file so that only a specific command is executed after the user logs in. The /etc/passwd file contains essential information required during login:

  • User name

  • Encrypted password

  • User ID

  • Group ID

  • Comment field

  • Home directory

  • Login program

Typically, the login program is a shell, such as /bin/sh, but it does not have to be a shell. You can create a captive account—an account that logs a user directly into an application—by identifying the application as the login shell.

Following is an example of restricting a user to run only the date command. The /etc/passwd entry is:

username:rc70x.4,sx2:20:1:run only date command:/home/date:/usr/bin/date

At the login prompt, a user enters username and the appropriate password. The date command is executed and then the user is immediately logged out.



Tue Nov 14 18:38:38 PDT 2006

Managing Group Accounts

When a group has to share or have access to project-related files, follow these steps to ensure security:

  1. Verify that each member has an entry in /etc/passwd.

  2. Create an entry for the group in the /etc/group file.

  3. Create a shared directory for the group.

    drwxrwx-- root project /home/projects

  4. Set the umask in each group member's ~/.profile. In the following example, users in the group can read, write, and execute files, but no one else can:

    umask u=rwx,g=rwx, o=

Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2008 Hewlett-Packard Development Company, L.P.