Are you in trusted mode? You can tell by looking to see if there are files under /tcb/files/auth If there is, then under this point, there is one character a directory for the first of each user name and within there, there is a file for each user. Look at the timestamp of the file to see the last update of it, however if it has been attacked (someone tried to use it) then this will have been updated.
Within, there are fields describing last successful login, last failed login, last password update etc. The times recorded are in seconds from 1/1/1970 00:00:00 (the Epoch) so someone here helpfully wrote this bit of Perl that reformats it to make it human readable:-
I have this as a one-line script, so I just run something like:-
Code:
$ realtime 1234567890
Fri Feb 13 23:31:30 2009
I hope that this helps. If you are not in trusted mode, then it depends if you clean out the login history files (whatever they are) Try using the last command. Read the manual pages for the options. It might be useful, maybe not. Unless you intercept and log every use of the various user admin commands (useradd, modprpw, passwd etc.) it's going to be difficult to really prove anything.
As a more general question though, are the auditors complaining that the id they used last time to probe around has been suspended? If it's more that a month since they last used it, then I think you have every right to suspend it to limit the risk of attack, in fact you could argue that it should be suspended immediately after they have finished using it.
i understand they have an important job to do, but sometimes they are the worst offenders just asking for open access whenever they want it. Enforce your standards, especially with them. It could be a test of your procedures
hi all, i m tryin to create a new account on the unix work station. do i use 'useradd' command? can u guyz advice on the usage of 'useradd' command as it can comes with 'useradd -D' or 'useradd -e'
thanks :confused: (1 Reply)
Hi, guys. I have two questions:
I need to write a script, which can show all the non-suspended users on system, and suspend the selected user account.
There are two things I am not sure:
1. How can I suspend user's account? What I think is: add a string to the encrypted password in shadow... (2 Replies)
Hi Admins,
As per my knowledge there are two types of user accounts in unix. root and normal users.
If there are any user types for which we can give some priviledges..?
Actually i want to restrict root access and create new accounts for admins with some of the priviledges.
Please let me... (6 Replies)
Hi - I want to log commands typed by oraapps user with time into some log file on runtime.
HISTTIMEFORMAT="%d/%m/%y %T " works but any one with oraapps user can delete the history.
OS : RHEl 5.6
Any help is appreciated. (5 Replies)
Discussion started by: oraclermanpt
5 Replies
LEARN ABOUT OSX
pwpolicy
pwpolicy(8) BSD System Manager's Manual pwpolicy(8)NAME
pwpolicy -- gets and sets password policies
SYNOPSIS
pwpolicy [-h]
pwpolicy [-v] [-a authenticator] [-p password] [-u username | -c computername] [-n nodename] command command-arg
pwpolicy [-v] [-a authenticator] [-p password] [-u username | -c computername] [-n nodename] command "policy1=value1 policy2=value2 ..."
DESCRIPTION
pwpolicy manipulates password policies.
Options
-a name of the authenticator
-c name of the computer account to modify
-p password (omit this option for a secure prompt)
-u name of the user account to modify
-n use a specific directory node; the search node is used by default.
-v verbose
-h help
Commands
-getglobalpolicy Get global policies
-setglobalpolicy Set global policies
-getpolicy Get policies for a user
--get-effective-policy Gets the combination of global and user policies that apply to the user.
-setpolicy Set policies for a user
-setpolicyglobal Set a user account to use global policies
-setpassword Set a new password for a user. Non-administrators can use this command to change their own passwords.
-enableuser Enable a user account that was disabled by a password policy event.
-disableuser Disable a user account.
-getglobalhashtypes Returns the default list of password hashes stored on disk for this system.
-setglobalhashtypes Edits the default list of password hashes stored on disk for this system.
-gethashtypes Returns a list of password hashes stored on disk for a user account.
-sethashtypes Edits the list of password hashes stored on disk for a user account.
-0 through -7 Shortcuts for the above commands (in order).
Global Policies
usingHistory 0 = user can reuse the current password, 1 = user cannot reuse the current password, 2-15 = user cannot re-
use the last n passwords.
usingExpirationDate If 1, user is required to change password on the date in expirationDateGMT
usingHardExpirationDate If 1, user's account is disabled on the date in hardExpireDateGMT
requiresAlpha If 1, user's password is required to have a character in [A-Z][a-z].
requiresNumeric If 1, user's password is required to have a character in [0-9].
expirationDateGMT Date for the password to expire, format must be: mm/dd/yy
hardExpireDateGMT Date for the user's account to be disabled, format must be: mm/dd/yy
validAfter Date for the user's account to be enabled, format must be: mm/dd/yy
maxMinutesUntilChangePassword user is required to change the password at this interval
maxMinutesUntilDisabled user's account is disabled after this interval
maxMinutesOfNonUse user's account is disabled if it is not accessed by this interval
maxFailedLoginAttempts user's account is disabled if the failed login count exceeds this number
minChars passwords must contain at least minChars
maxChars passwords are limited to maxChars
Additional User Policies
isDisabled If 1, user account is not allowed to authenticate, ever.
isAdminUser If 1, this user can administer accounts on the password server.
newPasswordRequired If 1, the user will be prompted for a new password at the next authentication. Applications that do not support
change password will not authenticate.
canModifyPasswordforSelf If 1, the user can change the password.
Stored Hash Types
CRAM-MD5 Required for IMAP.
RECOVERABLE Required for APOP and WebDAV. Only available on Mac OS X Server edition.
SALTED-SHA512-PBKDF2 The default for loginwindow.
SALTED-SHA512 Legacy hash for loginwindow.
SMB-NT Required for compatibility with Windows NT/XP file sharing.
SALTED-SHA1 Legacy hash for loginwindow.
SHA1 Legacy hash for loginwindow.
EXAMPLES
To get global policies:
pwpolicy -getglobalpolicy
To set global policies:
pwpolicy -a authenticator -setglobalpolicy "minChars=4 maxFailedLoginAttempts=3"
To get policies for a specific user account:
pwpolicy -u user -getpolicy
pwpolicy -u user -n /NetInfo/DefaultLocalNode -getpolicy
To set policies for a specific user account:
pwpolicy -a authenticator -u user -setpolicy "minChars=4 maxFailedLoginAttempts=3"
To change the password for a user:
pwpolicy -a authenticator -u user -setpassword newpassword
To set the list of hash types for local accounts:
pwpolicy -a authenticator -setglobalhashtypes SMB-LAN-MANAGER off SMB-NT on
SEE ALSO PasswordService(8)Mac OS X Server 13 November 2002 Mac OS X Server
06-20-2013
