Unix Computer Account Security

If your accounts are not secure, then your other steps won't help much. There is general password security as well as special steps to take for each type of account.

Password Security

You want to make sure all accounts have a non-guessable password.

To ensure that the passwords are not guessable, use crack on a regular basis. In addition, be certain that passwords are changed from time to time. Ideally, use one time passwords such as skey.

Accounts should be disabled when there are several bad logins in a row. An easy way to implement password security on HP systems is using HP's trusted system package (via SAM). This is only available if you are NOT running NIS or NIS+.

Be certain that passwords are not written down. Often people will use their license plate numbers or children's names. Unfortunately, these are easy to guess passwords. Also, they will use passwords from their favorite hobby. Have your password dictionary include checking these passwords.

Having no .netrc files strengthens security.

It is easiest to track changes and security violations when very few people who have root access, The root password needs to be a strong non-guessable password. In addition, change the root password every 3 months & whenever someone leaves company. Always logout of root shells; never leave root shells unattended.

The only place where root should be able to log onto directly should be the console (as specified in /etc/securetty). Only root should have UID 0.

Check root dot files for security holes. Aliases should have full pathnames. Root should NEVER have "." in path. The root dot files should ONLY have 700 permissions. The minimal umask for root is 022 (rwxr-xr-x). It is better to have a umask of 077 (rwx------) but often this isn't practical.

To avoid trojan horse programs, always use full pathnames. Also, never allow non-root write access to ANY directories in root's path. If possible, do not create root's tmp files in publicly writable directories.

As with any account, only create guest accounts for the time it s needed. Remove the account when its purpose is completed. Use non-standard account names for guest accounts. Do not use "guest". Instead use account names such as: "fixomni" or "oratmp".

Guest accounts should have a strong password and a restricted shell. If reasonable, give guest accounts a strong umask such as 077.

User accounts should not be shared. Remove user accounts upon termination. Disable login for well known accounts that do not need direct login access (bin,daemon,sys,uucp,lp,adm).

User accounts should have a strong password and in some cases, a restricted shell. If reasonable, give guest accounts a strong umask such as 077.