From: <Saved by Microsoft Internet Explorer 5>
Subject: Solaris User Accounts
Date: Wed, 14 Nov 2001 09:01:26 +0100
MIME-Version: 1.0
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://www.usenix.org/sage/sysadmins/solaris/solaris/accounts.html
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Solaris User Accounts</TITLE>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"Paul D. J. Vandenberg and Susan D. Wyess" =
name=3DAUTHOR>
<META content=3D"MSHTML 5.00.3315.2870" name=3DGENERATOR></HEAD>
<BODY bgColor=3D#ffffff>
<H1>Solaris User Accounts</H1>
<HR SIZE=3D3>
<FONT color=3D#8b0012>
<H3><U><A name=3Dpasswdconfig>Password Settings</U></H3></FONT>Entries =
in both of=20
the following files affect the use of passwords. The first two are =
particularly=20
critical to forcing good password discipline on a system.<BR><BR>
<BLOCKQUOTE>
  <DL>
    <DT><STRONG><CODE>/etc/default/login</CODE></STRONG>=20
    <DD>Make sure the entry <STRONG><CODE>PASSREQ=3DYES</CODE></STRONG> =
exists and=20
    is not commented out<BR><BR>
    <DT><STRONG><CODE>/etc/default/passwd</CODE></STRONG>=20
    <DD>Set <STRONG><CODE>PASSLENGTH=3D8</CODE></STRONG> to establish a =
safer=20
    minimum length for user passwords. Set to a greater length as =
required by=20
    your security policy.<BR>
    <P>Consider setting <STRONG><CODE>MAXWEEKS</CODE></STRONG> to =
implement a=20
    password aging scheme<BR></P></DD></DL></BLOCKQUOTE>[<A=20
href=3D"http://www.usenix.org/sage/sysadmins/solaris/solaris/checklist.ht=
ml#useracct">=20
Back to Checklist </A>] <FONT color=3D#8b0012>
<H3><U><A name=3Ddisable-accounts>Unnecessary =
Accounts</U></H3></FONT>The general=20
rule is to minimize the number of active accounts on your host. You =
should=20
<STRONG>always</STRONG> delete accounts such as <EM>guest</EM>&nbsp; =
&amp;=20
<EM>visitor</EM>&nbsp; because they offer crackers an easy way to use =
known or=20
newly discovered exploits to gain root access to your host. If you must =
use=20
accounts created by installation programs, change the default passwords =
for=20
these accounts.=20
<P>For Solaris 2.x, the following userids are created during =
installation, and=20
are required by the operating system. You should lock these accounts or =
<A=20
href=3D"http://www.usenix.org/sage/sysadmins/solaris/solaris/accounts.htm=
l#noshell">assign=20
an invalid shell</A> to prevent crackers from using them to log in to =
your=20
system:</P>
<UL>
  <LI>adm<BR>
  <LI>bin<BR>
  <LI>daemon<BR>
  <LI>listen<BR>
  <LI>lp<BR>
  <LI>nobody<BR>
  <LI>noaccess<BR>
  <LI>nuucp<BR>
  <LI>smtp<BR>
  <LI>sys<BR>
  <LI>uucp<BR></LI></UL>
<P>The following account is for backward compatibility and should be =
deleted=20
unless you must support access from SunOS (Solaris 1.x) systems.</P>
<UL>
  <LI>nobody4 </LI></UL>[<A=20
href=3D"http://www.usenix.org/sage/sysadmins/solaris/solaris/checklist.ht=
ml#useracct">=20
Back to Checklist </A>] <FONT color=3D#8b0012>
<H3><U><A name=3Dnoshell>Give disabled accounts an invalid=20
shell</U></H3></FONT>The operating system will prevent log in for an =
account=20
that is assigned an invalid shell. This is a good "defense in depth" =
strategy to=20
prevent crackers from using default accounts to gain access to your =
host.=20
<P>Assign the shell <CODE>/bin/true</CODE> or <CODE>/bin/false</CODE> as =
the=20
shell for accounts that should never be allowed to log in. A better =
solution is=20
to use a locally compiled version of the =
<CODE><EM>noshell</EM></CODE>&nbsp;=20
program.</P>[<A=20
href=3D"http://www.usenix.org/sage/sysadmins/solaris/solaris/checklist.ht=
ml#useracct">=20
Back to Checklist </A>] <FONT color=3D#8b0012><A name=3Dftpusers></A>
<H3><U>Prevent ftp Access With Disabled userids</U></H3></FONT>Create =
the file=20
<CODE>/etc/ftpusers</CODE> and add the following default Solaris =
accounts to the=20
file.=20
<UL>
  <LI>adm<BR>
  <LI>bin<BR>
  <LI>daemon<BR>
  <LI>listen<BR>
  <LI>lp<BR>
  <LI>nobody<BR>
  <LI>noaccess<BR>
  <LI>nobody4 (unless it was deleted)<BR>
  <LI>nuucp<BR>
  <LI>root<BR>
  <LI>smtp<BR>
  <LI>sys<BR>
  <LI>uucp<BR></LI></UL>[<A=20
href=3D"http://www.usenix.org/sage/sysadmins/solaris/solaris/checklist.ht=
ml#useracct">=20
Back to Checklist </A>] <FONT color=3D#8b0012>
<H3><U><A name=3Dfinal_checks>Final Checks</U></A></H3></FONT>
<UL>
  <LI>Verify that all who have accounts have a valid need to access the=20
  system<BR>
  <LI>Verify that access to the <EM>root</EM>&nbsp; account is =
restricted<BR>
  <BLOCKQUOTE>We recommend that no more than 3 to 4 people have access =
to the=20
    root password. Further, all authorized users should be forced to log =
in with=20
    their non-privileged userid and use <CODE>su</CODE> to access the =
root=20
    account. </BLOCKQUOTE>
  <LI>Make sure all accounts have an <CODE>x</CODE> in the password =
field in=20
  <CODE>/etc/passwd</CODE> to force the use of Solaris' shadow password =
file<BR>
  <LI>Check <CODE>/etc/shadow</CODE>to make sure disabled accounts have =
either=20
  <CODE>NP</CODE> or <CODE>*LK*</CODE> in the password field<BR>
  <LI>Check that no accounts other than root and smtp have the user id =
(UID) of=20
  0 (zero)<BR>
  <LI>Use the command <STRONG><CODE>logins -p</CODE></STRONG> to check =
for=20
  accounts that do not require a password to log in<BR>
  <LI>Check <CODE>/etc/group</CODE> for the presence of a wheel group =
(group 0).=20
  If supported, the list of users for this group should not be null=20
  <BLOCKQUOTE>Note that only those users shown in the user list for the =
wheel=20
    group will be allowed to su to root. All other users will be denied =
access,=20
    even if they enter the correct password. </BLOCKQUOTE>
  <LI>Run COPS or Tiger to verify that all default passwords have been=20
  changed<BR></LI></UL>[<A=20
href=3D"http://www.usenix.org/sage/sysadmins/solaris/solaris/checklist.ht=
ml#useracct">=20
Back to Checklist </A>] <FONT color=3D#8b0012>
<H3><U><A name=3Dpasswords>Good Passwords</A></U></H3></FONT>
<UL>
  <LI>Contain at least eight characters<BR>
  <BLOCKQUOTE>When properly derived, longer passwords are more difficult =
to=20
    guess. For maximum security, ALL passwords should contain at least =
eight (8)=20
    characters. </BLOCKQUOTE>
  <LI>Are not words in any language<BR>
  <BLOCKQUOTE>Passwords constructed from words are vulnerable to=20
    dictionary-based attacks. Tools to automate dictionary-based attacks =
are=20
    readily available making it easy for crackers to discover such =
passwords.=20
    Passwords that consist of concatenated short words (e.g. goodtime) =
or words=20
    with numbers concatenated are also vulnerable to dictionary-based =
attacks,=20
    and should be avoided.=20
    <P>One recommendation for generating secure passwords is to use the =
leading=20
    letters from poems or song lyrics, with non-alphanumeric characters =
(e.g. -,=20
    *, {, }) thrown in. This should help create a mnemonic strategy to =
make the=20
    password easy to remember, thus avoiding the need to have it written =
down in=20
    some convenient place. One should also make the constructed password =
easy to=20
    type to make it harder for <EM>shoulder surfers</EM>&nbsp; to learn =
the=20
    password by observing you as you enter it.</P></BLOCKQUOTE>
  <LI>Are changed on a regular basis<BR>
  <BLOCKQUOTE>One recommendation is to use password aging to force a =
change=20
    every 6 months. </BLOCKQUOTE></LI></UL>[<A=20
href=3D"http://www.usenix.org/sage/sysadmins/solaris/solaris/checklist.ht=
ml#useracct">=20
Back to Checklist </A>]=20
<HR SIZE=3D3>
Last Update: 1998 November 27<BR><BR></BODY></HTML>