Are you in trusted mode? You can tell by looking to see if there are files under /tcb/files/auth If there is, then under this point, there is one character a directory for the first of each user name and within there, there is a file for each user. Look at the timestamp of the file to see the last update of it, however if it has been attacked (someone tried to use it) then this will have been updated.
Within, there are fields describing last successful login, last failed login, last password update etc. The times recorded are in seconds from 1/1/1970 00:00:00 (the Epoch) so someone here helpfully wrote this bit of Perl that reformats it to make it human readable:-
I have this as a one-line script, so I just run something like:-
Code:
$ realtime 1234567890
Fri Feb 13 23:31:30 2009
I hope that this helps. If you are not in trusted mode, then it depends if you clean out the login history files (whatever they are) Try using the last command. Read the manual pages for the options. It might be useful, maybe not. Unless you intercept and log every use of the various user admin commands (useradd, modprpw, passwd etc.) it's going to be difficult to really prove anything.
As a more general question though, are the auditors complaining that the id they used last time to probe around has been suspended? If it's more that a month since they last used it, then I think you have every right to suspend it to limit the risk of attack, in fact you could argue that it should be suspended immediately after they have finished using it.
i understand they have an important job to do, but sometimes they are the worst offenders just asking for open access whenever they want it. Enforce your standards, especially with them. It could be a test of your procedures
hi all, i m tryin to create a new account on the unix work station. do i use 'useradd' command? can u guyz advice on the usage of 'useradd' command as it can comes with 'useradd -D' or 'useradd -e'
thanks :confused: (1 Reply)
Hi, guys. I have two questions:
I need to write a script, which can show all the non-suspended users on system, and suspend the selected user account.
There are two things I am not sure:
1. How can I suspend user's account? What I think is: add a string to the encrypted password in shadow... (2 Replies)
Hi Admins,
As per my knowledge there are two types of user accounts in unix. root and normal users.
If there are any user types for which we can give some priviledges..?
Actually i want to restrict root access and create new accounts for admins with some of the priviledges.
Please let me... (6 Replies)
Hi - I want to log commands typed by oraapps user with time into some log file on runtime.
HISTTIMEFORMAT="%d/%m/%y %T " works but any one with oraapps user can delete the history.
OS : RHEl 5.6
Any help is appreciated. (5 Replies)
Discussion started by: oraclermanpt
5 Replies
LEARN ABOUT HPUX
modprpw
modprpw(1M)modprpw(1M)NAME
modprpw - modify protected password database
SYNOPSIS
username
value,... ] username
DESCRIPTION
updates the user's protected password database settings. This command is available only to the superuser in a trusted system.
Usage other than via SAM, and/or modifications out of sync with may result in serious database corruption and the inability to access the
system.
All updated values may be verified using the command. See getprpw(1M).
uses the configuration file default if is not specified. See nsswitch.conf(4).
Options
sets user's parameters as defined by the options specified. At least one option is required. If a field is not specified in the option
then its value remains unchanged in the database.
recognizes the following options:
To add a new user entry and to return a random password
which the new user must use to login the first time. This entry has to be created with the given username and the
Error is returned if the user already exists.
May be combined with the option.
Unlike the command, it does not create nor populate the home directory, and it does not update
This option is specified WITHOUT a user name to expire
all user's passwords. It goes through the protected password database and zeroes the successful change time of all users. The result
is all users will need to enter a new password at their next login.
May be combined with the option.
This option is specified with a user name to expire
the specified user's password. It zeroes the successful change time.
May be combined with the and/or options.
To unlock/enable a user's account that has become disabled,
except when the lock is due to a missing password or * password.
May be combined with the and/or options.
This option modifies data for a local user,
username. This option must be specified with other options.
Modify the database field to the specified value
and/or resets locks. Valid with one of the following options: or
A list of database fields may be used with comma as a delimiter. An "invalid-opt" is printed, and processing terminates, if a list of
database fields passed to contains an invalid database field.
Boolean values are specified as YES, NO, or DFT for system default values Numeric values are specified as positive numbers, 0, or -1.
If the -1 is specified, the numeric value in the database is removed, allowing the system default value to be used. Time values are
specified in days, although the database keeps them in seconds.
No aging is present if the following 4 database parameters are all zero:
Unless specified by all database fields can be set. They are listed below in the order shown in The database fields are fully
explained in prpwd(4).
DATABASE FIELD
database
database
Set the uid of the user. No sanity checking is done on this value.
database
database
database
Set boot authorization privilege, removes it from the user file.
database
Set audit id. Automatically limited not to exceed the next available id.
database
Set audit flag.
database
Set the minimum time interval between password changes (days). 0 = none. Same as non-trusted mode minimum time.
database
Set the maximum password length for system generated passwords.
database
Set password expiration time interval (days). 0 = not expired. Same as non-trusted mode maximum time.
database
Set password life time interval (days). 0 = infinite.
database
Modified by options maybe
database
database
Set account expiration time interval (days). This interval is added to "now" to form the value in the database
(database 0 = no expiration).
database
Set the last login time interval (days). Used with
database
Set password expiration warning time interval (days). 0 = none.
database Obsoleted field.
database
Set whether User Picks Password,
database
Set whether system generates pronounceable passwords,
database
Set if generated password is restricted, If password will be checked for triviality.
database
Set whether null passwords are allowed, is not recommended!
database Obsolescent field.
database Obsoleted field.
database
Set whether system generates passwords having characters only,
database
Set whether system generates passwords having letters only,
database
Set the time-of-day allowed for login.
The format is:
Where key has the following values:
- Monday
- Tuesday
- Wednesday
- Thursday
- Friday
- Saturday
- Sunday
- everyday
- Monday -> Friday
and Starttime and Endtime are in military format: HHMM, where:
00 <= HH <= 23, and 00 <= MM <= 59.
database
database
database
database
database
database
Set Maximum Unsuccessful Login tries allowed. 0 = infinite.
database
Set the administrator lock,
This option is specified WITHOUT a user name to
"validate/refresh" all user's passwords. It goes through the protected password database and sets the successful change time to the
current time for all users. The result is that all user's password aging restarts at the current time.
May be combined with the option.
This option is specified with a user name to
"validate/refresh" the specified user's password. It sets the successful change time to the current time.
May be combined with the and/or options.
Delete the user's password and return a random password that
the user must later supply to the login process to login and pick a new password. Not valid for root. Also resets locks.
May be combined with the option.
RETURN VALUE
0 Success.
1 User not privileged.
2 Incorrect usage.
3 Can not find the entry or file.
4 Can not change the entry.
5 Not a Trusted System.
EXAMPLES
Set the Minimum time between password changes to 12 (days), set the System generates pronounceable password flag to NO, and set the System
generates password having characters only flag to YES.
The following example is to restrict the times that user joeblow can get on the system on Mondays and Fridays to 5PM-9PM, and Sundays from
5AM-9AM. Other days are not restricted.
WARNINGS
This command is intended for SAM use only. It may change with each release and can not be guaranteed to be backward compatible.
Several database fields interact with others. Side effects may not be apparent until much later.
Special meanings may apply in the following cases:
o an absent field,
o a field without a value,
o a field with a zero value.
Very little, if any checking is done to see if values are valid. It is the user's responsibility to range check values.
HP-UX 11i Version 3 is the last release to support trusted systems functionality.
FILES
System Password file
Protected Password Database
System Defaults Database
AUTHOR
was developed by HP.
SEE ALSO getprpw(1M), prpwd(4), nsswitch.conf(4).
TO BE OBSOLETED modprpw(1M)
06-20-2013
