Tip

Solaris Web services security: Disabling and removing unnecessary accounts

Disable or Remove Unnecessary Accounts
For Solaris, the following userids are created during installation, and are required by the operating system. You should lock these accounts or assign an invalid shell such as /bin/false to prevent hackers from using them to log in to your system:

adm
bin
daemon
listen
lp
nobody
noaccess
nuucp
root
smtp
sys
uucp

Make Sure Disabled User Accounts Are Given an Invalid Shell
Solaris will not log in for an account that is assigned an invalid shell. This is a good "defense in depth" strategy to prevent hackers from using default accounts to gain access to your host.

Assign the shell /bin/true or /bin/false as the shell for accounts that should never be allowed to log in. A better solution is to use a locally compiled version of the noshell (http://www.fish.com/titan/src1/noshell.c) program.

Closeout FTP Access to Disable User Accounts
Create the file /etc/ftpusers and add the following default Solaris accounts to the file.

adm
bin
daemon
listen
lp
nobody
noaccess
nuucp
root
smtp
sys
uucp

Review User Accounts for Configuration Errors
- Verify that all who have accounts have a valid need to access the system.
- Verify that access to the root account is restricted.
- Make sure all accounts have an x in the password field in /etc/passwd

    Requires Free Membership to View

to force the use of Solaris' shadow password file.
- Check /etc/shadow to make sure disabled accounts have either NP or *LK* in the password field.
- Make sure /etc/shadow is owned by root and the file permissions are rw-------.
- Check that no accounts other than root and smtp have UID of 0.
- Use the command logins -p to check for accounts that do not require a password to log in.
- Check /etc/group for the presence of a wheel group (group 0). If supported, the list of users for this group should not be null.
- Note that only those users shown in the user list for the wheel group will be allowed to su to root. All other users will be denied access, even if they enter the correct password.
- Run COPS or similar programs to verify that all default passwords have been changed.


In this 12-part tip Unix expert Gary Smith breaks down the process of building and maintaining a highly secure Web services architecture on the Solaris platform.

Table of contents:
Part 1: Isolate the Web services host server
Part 2: Install and configure a very basic operating system
Part 3: Force the use of su to gain root access
Part 4: Disable trusted host relationships and create a warning banner
Part 5: Configuring user accounts
Part 6: Disabling and removing unnecessary accounts
Part 7: Configure network access control
Part 8: Configure network services
Part 9: Install OpenSSH, disable NFS and reboot
Part 10: Set file permissions
Part 11: Test the configuration
Part 12: Conclusion

This was first published in October 2002

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.