User account


 
Thread Tools Search this Thread
Operating Systems HP-UX User account
# 1  
Old 06-18-2013
User account

I need to check actual date a user was disabled on my HP-UX server.

Audit is claiming the user account was active during the last audit exercise.
# 2  
Old 06-18-2013
if you do not get better suggestions ...

look at time stamp of affected server's /etc/passwd file first to see last modification date. if after audit date, have somebody restore a copy of the /etc/passwd file from the date of the audit to confirm prsence of specific account.
# 3  
Old 06-20-2013
We would need to know a bit more on your architecture, (paltform, OS and version, using shadow? ot TCB?) and the context
Quote:
Audit is claiming the user account was active during the last audit exercise.
What was the audit doing?
I saw cases (audit...) with active intrusion attempts, resulting in some users account to be disabled...
So you would have to explain what is the claim... ( and kind of disablement...)
# 4  
Old 06-20-2013
Are you in trusted mode? You can tell by looking to see if there are files under /tcb/files/auth If there is, then under this point, there is one character a directory for the first of each user name and within there, there is a file for each user. Look at the timestamp of the file to see the last update of it, however if it has been attacked (someone tried to use it) then this will have been updated.

Within, there are fields describing last successful login, last failed login, last password update etc. The times recorded are in seconds from 1/1/1970 00:00:00 (the Epoch) so someone here helpfully wrote this bit of Perl that reformats it to make it human readable:-
Code:
perl -e 'print scalar localtime $ARGV[0],"\n" ' $1

I have this as a one-line script, so I just run something like:-
Code:
$ realtime 1234567890 
Fri Feb 13 23:31:30 2009


I hope that this helps. If you are not in trusted mode, then it depends if you clean out the login history files (whatever they are) Try using the last command. Read the manual pages for the options. It might be useful, maybe not. Unless you intercept and log every use of the various user admin commands (useradd, modprpw, passwd etc.) it's going to be difficult to really prove anything.


As a more general question though, are the auditors complaining that the id they used last time to probe around has been suspended? If it's more that a month since they last used it, then I think you have every right to suspend it to limit the risk of attack, in fact you could argue that it should be suspended immediately after they have finished using it.

i understand they have an important job to do, but sometimes they are the worst offenders just asking for open access whenever they want it. Enforce your standards, especially with them. It could be a test of your procedures Smilie




Robin
Liverpool/Blackburn
UK
This User Gave Thanks to rbatte1 For This Post:
# 5  
Old 06-20-2013
having my fill of audit requests, the issue is more likely the auditors saw an account of a terminated employee still active when they last did their audit. since auditors ask for copies of the user-related security files (i.e., /etc/passwd, etc/group, etc.) during an audit, they are able to correlate the listed users with currently active employees/consultants so any account that stands out needs to be reviewed.
# 6  
Old 06-20-2013
Yeah, yeah, yeah. Often just a pain with technicalities. perhaps they should just be happy that an account has been suspended, unless they want to match it to a notice about someone leaving and date it to quantify the risk for the time between leaving and the suspend date.

Any luck with files under /tcb/files/auth giving you dates? I think you can configure accounts to lock if unused automatically. Add that to the last successful login and you may have an answer for them.



Good luck!

Robin
# 7  
Old 06-20-2013
unfortunately, compliance requirements obligate us to remove user accounts of terminated employees as soon as notified. we may not like what audit does but we are stuck with them.
Login or Register to Ask a Question

Previous Thread | Next Thread

9 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

User account logging

Hi - I want to log commands typed by oraapps user with time into some log file on runtime. HISTTIMEFORMAT="%d/%m/%y %T " works but any one with oraapps user can delete the history. OS : RHEl 5.6 Any help is appreciated. (5 Replies)
Discussion started by: oraclermanpt
5 Replies

2. AIX

user account priviledges

Hi Admins, As per my knowledge there are two types of user accounts in unix. root and normal users. If there are any user types for which we can give some priviledges..? Actually i want to restrict root access and create new accounts for admins with some of the priviledges. Please let me... (6 Replies)
Discussion started by: newsol
6 Replies

3. Solaris

Help me create new user account

I want create user. That user should be login to any server without asking password. How? tell me in detail. :wall: (3 Replies)
Discussion started by: Navkreddy
3 Replies

4. Shell Programming and Scripting

How to suspend a user account?

Hi, guys. I have two questions: I need to write a script, which can show all the non-suspended users on system, and suspend the selected user account. There are two things I am not sure: 1. How can I suspend user's account? What I think is: add a string to the encrypted password in shadow... (2 Replies)
Discussion started by: daikeyang
2 Replies

5. UNIX for Dummies Questions & Answers

Difference between : Locked User Account & Disabled User Accounts in Linux ?

Thanks AVKlinux (3 Replies)
Discussion started by: avklinux
3 Replies

6. HP-UX

how can distingiush user account

example root::0:3::/:/sbin/sh daemon:*:1:5::/:/sbin/sh bin:*:2:2::/usr/bin:/sbin/sh sys:*:3:3::/: adm:*:4:4::/var/adm:/sbin/sh uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico lp:*:9:7::/var/spool/lp:/sbin/sh nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico... (1 Reply)
Discussion started by: alert0919
1 Replies

7. Post Here to Contact Site Administrators and Moderators

user account

hi how to disable the useraccount in aix (should not remove). (1 Reply)
Discussion started by: chomca
1 Replies

8. UNIX for Dummies Questions & Answers

show all user account

I have a question about show all create user account. What commend do that thank`s for your help :) (6 Replies)
Discussion started by: Deux
6 Replies

9. UNIX for Dummies Questions & Answers

creatin user account

hi all, i m tryin to create a new account on the unix work station. do i use 'useradd' command? can u guyz advice on the usage of 'useradd' command as it can comes with 'useradd -D' or 'useradd -e' thanks :confused: (1 Reply)
Discussion started by: damian
1 Replies
Login or Register to Ask a Question