Unix Tools


Unix Computer Account Security

If your accounts are not secure, your other security steps won't help much. There is general password security, and there are special steps to take for each type of account.

Password Security

You want to make sure all accounts have a non-guessable password.

To ensure that passwords are not guessable, run a password cracker such as Crack against the password file on a regular basis. In addition, be certain that passwords are changed from time to time. Ideally, use one-time passwords such as S/Key, so that a guessed or captured password cannot be reused.

Accounts should be locked after several consecutive failed logins. An easy way to implement this on HP-UX systems is HP's trusted system package (enabled via SAM). This is only available if you are NOT running NIS or NIS+.

Be certain that passwords are not written down. People often use their license plate number or their children's names, and these are easy-to-guess passwords. They also use words from a favorite hobby. Have your password dictionary include these site-specific words so that the cracker catches them.
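As an added example (not code from this page), here is a small Crack-style check that builds the site dictionary from exactly those categories (children's names, license plates, hobbies, plus a stock word list) and applies the usual mangling rules before testing each candidate against the stored hashes. It assumes a salted SHA-256 stand-in for crypt(3) and uses constructed sample accounts; against a real password file you would feed the same word list to Crack and let it handle the crypt hashes.

```python
"""Site-specific password dictionary check, in the spirit of Crack.

Added example, not the page's own code. The hash is a salted SHA-256
stand-in (hash_password) rather than crypt(3), because the point here is
the word list and the mangling rules; they carry over to any cracker.
"""
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, Tuple


def hash_password(password: str, salt: str) -> str:
    # Assumption: stand-in for crypt(3). Real password files hold crypt output.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Yield the variants people actually pick for a base word: case changes,
    reversal, doubling, digit and year suffixes, and o->0 / i->1 / e->3."""
    for w in sorted({word, word.lower(), word.upper(), word.capitalize()}):
        yield w
        yield w[::-1]                 # "fishing" -> "gnihsif"
        yield w + w                   # "bob" -> "bobbob"
        for digit in range(10):
            yield f"{w}{digit}"       # "Sally" -> "Sally1"
        for suffix in ("99", "00", "01", "123"):
            yield w + suffix
        yield w.replace("o", "0").replace("i", "1").replace("e", "3")


def site_dictionary(*word_groups: Iterable[str]) -> Iterator[str]:
    """Combine the page's 'easy to guess' categories (children's names, license
    plates, hobbies, plus a stock word list) into one candidate stream."""
    for word in itertools.chain.from_iterable(word_groups):
        yield from mangle(word)


def crack(entries: Dict[str, Tuple[str, str]], candidates: Iterable[str]) -> Dict[str, str]:
    """entries maps login -> (salt, hash). Returns login -> recovered password
    for every account whose password is in the candidate stream."""
    words = list(dict.fromkeys(candidates))   # de-duplicate, keep order
    found: Dict[str, str] = {}
    for login, (salt, digest) in entries.items():
        for w in words:
            if hash_password(w, salt) == digest:
                found[login] = w
                break
    return found


# Constructed sample data (not a real password file). Three weak passwords of
# the kinds the page warns about and one that no dictionary will find.
SAMPLE_PLAINTEXT = {
    "sally": "Sally1",     # child's name plus a digit
    "tim": "gnihsif",      # hobby spelled backwards
    "bob": "ABC123",       # license plate
    "alice": "x7Gq!pL2",   # unguessable
}
SITE_NAMES = ["sally", "tim"]
SITE_PLATES = ["abc123"]
SITE_HOBBIES = ["fishing", "golf"]
STOCK_WORDS = ["password", "welcome"]


def sample_entries() -> Dict[str, Tuple[str, str]]:
    """Turn the sample plaintexts into (salt, hash) pairs as a cracker would see."""
    return {u: (f"${u}$", hash_password(p, f"${u}$")) for u, p in SAMPLE_PLAINTEXT.items()}


def audit() -> Dict[str, str]:
    """Run the site dictionary against the sample entries."""
    return crack(sample_entries(),
                 site_dictionary(SITE_NAMES, SITE_PLATES, SITE_HOBBIES, STOCK_WORDS))


if __name__ == "__main__":
    for login, password in audit().items():
        print(f"{login}: guessable password {password!r}")
```

The mangling rules are deliberately the cheap ones: a word list of a few hundred site-specific terms expands to a few thousand candidates, which is nothing for a cracker, yet it is exactly the space users draw from when they think a digit or a reversed word makes a name safe.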

Having no .netrc files strengthens security: a .netrc stores FTP login names and passwords in cleartext, so anyone who can read the file has the credentials.

Root Accounts

It is easiest to track changes and security violations when very few people have root access. The root password needs to be a strong, non-guessable password. In addition, change the root password every 3 months and whenever someone leaves the company. Always log out of root shells; never leave a root shell unattended.

The only place where root should be able to log in directly is the console (as specified in /etc/securetty). Only root should have UID 0.

Check root's dot files for security holes. Aliases should use full pathnames. Root should NEVER have "." in its PATH. Root's dot files should have mode 700 and nothing looser. The minimal umask for root is 022 (new files are created rwxr-xr-x at most). A umask of 077 (rwx------) is better, but often this isn't practical.

To avoid trojan horse programs, always use full pathnames. Also, never allow non-root write access to ANY directory in root's path. If possible, do not create root's temporary files in world-writable directories.
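The rules in this section and the .netrc point in the password section (no "." or empty element in root's PATH, nothing in root's PATH writable by non-root, only root with UID 0, root's dot files at 700, no .netrc files) are all mechanical checks. The script below is an added example, not part of the original page: it assumes a POSIX sh and the traditional "ls -l" column layout, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original page: audit helpers for the .netrc and
# root-account rules above. Assumes a POSIX sh and the traditional "ls -l"
# layout ("-rw-r--r-- 1 owner group ..."): mode in columns 1-10, owner in field 3.

# check_root_path PATHSTRING
# Prints one line per dangerous PATH element and returns 1 if any were found:
# "." or an empty element (both mean the current directory), a directory that
# is group- or world-writable, or a directory not owned by root.
check_root_path() {
    p=$1
    rc=0
    # Wrapped in colons, a leading, trailing or doubled colon all appear as
    # "::" and a "." element as ":.:".
    case ":$p:" in
        *::*|*:.:*) echo "BAD: current directory (empty or \".\") in PATH"; rc=1 ;;
    esac
    oldifs=$IFS
    IFS=:
    set -f            # no pathname expansion while splitting on ":"
    set -- $p
    set +f
    IFS=$oldifs
    for dir in "$@"; do
        if [ -z "$dir" ] || [ "$dir" = . ]; then continue; fi
        if [ ! -d "$dir" ]; then echo "WARN: $dir is not a directory"; continue; fi
        line=$(ls -ld "$dir")
        mode=$(printf '%s\n' "$line" | cut -c1-10)
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        case "$mode" in                       # char 6 = group write, char 9 = other write
            ?????w????|????????w?) echo "BAD: $dir is group/world writable ($mode)"; rc=1 ;;
        esac
        if [ "$owner" != root ]; then
            echo "BAD: $dir is owned by $owner, not root"; rc=1
        fi
    done
    return $rc
}

# check_uid0 PASSWDFILE
# Prints every login other than root whose UID is 0. Returns 1 if there are any.
check_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1; found = 1 } END { exit found ? 1 : 0 }' "$1"
}

# find_netrc HOMEROOT
# Lists every .netrc under HOMEROOT (e.g. /home). The advice is to have none;
# any that is readable by group or other is marked as well.
find_netrc() {
    find "$1" -maxdepth 2 -name .netrc -type f 2>/dev/null | while read -r f; do
        mode=$(ls -l "$f" | cut -c1-10)
        case "$mode" in
            ????------) echo "$f ($mode)" ;;
            *)          echo "$f ($mode) READABLE BY OTHERS" ;;
        esac
    done
}

# check_dotfiles HOMEDIR
# Lists dot files in HOMEDIR whose mode is not rwx------. Returns 1 if any.
check_dotfiles() {
    rc=0
    for f in "$1"/.[!.]*; do
        [ -e "$f" ] || continue            # glob matched nothing
        mode=$(ls -ld "$f" | cut -c2-10)
        case "$mode" in
            rwx------) ;;
            *) echo "BAD: $f is $mode, expected rwx------"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage, as root:  sh rootaudit.sh --run
if [ "${1-}" = --run ]; then
    check_root_path "$PATH"
    check_uid0 /etc/passwd
    find_netrc /home
    check_dotfiles "${HOME:-/}"
fi
```

The PATH check reads the mode string from ls rather than using "test -w" because, when run as root, "test -w" is true for every directory and would hide exactly the problem being looked for.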

Guest Accounts

As with any account, only create guest accounts for the time they are needed, and remove the account when its purpose is completed. Use non-standard account names for guest accounts: do not use "guest"; instead use names such as "fixomni" or "oratmp".

Guest accounts should have a strong password and a restricted shell. If reasonable, give guest accounts a strong umask such as 077.

User Accounts

User accounts should not be shared. Remove user accounts upon termination. Disable login for well known accounts that do not need direct login access (bin,daemon,sys,uucp,lp,adm).

User accounts should have a strong password and, in some cases, a restricted shell. If reasonable, give user accounts a strong umask such as 077.