User account | Unix Linux Forums | HP-UX

  Go Back    


HP-UX HP-UX (Hewlett Packard UniX) is Hewlett-Packard's proprietary implementation of the Unix operating system, based on System V.

User account

HP-UX


Closed Thread    
 
Thread Tools Search this Thread Display Modes
    #1  
Old 06-18-2013
cyriac_N cyriac_N is offline
Registered User
 
Join Date: Jan 2011
Last Activity: 12 August 2013, 3:38 AM EDT
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
User account

I need to check actual date a user was disabled on my HP-UX server.

Audit is claiming the user account was active during the last audit exercise.
Sponsored Links
    #2  
Old 06-18-2013
Just Ice's Avatar
Just Ice Just Ice is offline Forum Advisor  
Lights on, brain off.
 
Join Date: Mar 2005
Last Activity: 20 September 2013, 10:59 AM EDT
Location: Philadelphia metro
Posts: 958
Thanks: 3
Thanked 66 Times in 59 Posts
if you do not get better suggestions ...

look at time stamp of affected server's /etc/passwd file first to see last modification date. if after audit date, have somebody restore a copy of the /etc/passwd file from the date of the audit to confirm prsence of specific account.
Sponsored Links
    #3  
Old 06-20-2013
vbe's Avatar
vbe vbe is offline Forum Staff  
Moderator
 
Join Date: Sep 2005
Last Activity: 23 September 2014, 4:47 AM EDT
Location: Switzerland - GE
Posts: 5,744
Thanks: 158
Thanked 400 Times in 375 Posts
We would need to know a bit more on your architecture, (paltform, OS and version, using shadow? ot TCB?) and the context
Quote:
Audit is claiming the user account was active during the last audit exercise.
What was the audit doing?
I saw cases (audit...) with active intrusion attempts, resulting in some users account to be disabled...
So you would have to explain what is the claim... ( and kind of disablement...)
    #4  
Old 06-20-2013
rbatte1 rbatte1 is online now Forum Staff  
Moderator
 
Join Date: Jun 2007
Last Activity: 23 September 2014, 6:18 AM EDT
Location: Lancashire, UK
Posts: 1,818
Thanks: 583
Thanked 309 Times in 278 Posts
Are you in trusted mode? You can tell by looking to see if there are files under /tcb/files/auth If there is, then under this point, there is one character a directory for the first of each user name and within there, there is a file for each user. Look at the timestamp of the file to see the last update of it, however if it has been attacked (someone tried to use it) then this will have been updated.

Within, there are fields describing last successful login, last failed login, last password update etc. The times recorded are in seconds from 1/1/1970 00:00:00 (the Epoch) so someone here helpfully wrote this bit of Perl that reformats it to make it human readable:-
Code:
perl -e 'print scalar localtime $ARGV[0],"\n" ' $1

I have this as a one-line script, so I just run something like:-
Code:
$ realtime 1234567890 
Fri Feb 13 23:31:30 2009


I hope that this helps. If you are not in trusted mode, then it depends if you clean out the login history files (whatever they are) Try using the last command. Read the manual pages for the options. It might be useful, maybe not. Unless you intercept and log every use of the various user admin commands (useradd, modprpw, passwd etc.) it's going to be difficult to really prove anything.


As a more general question though, are the auditors complaining that the id they used last time to probe around has been suspended? If it's more that a month since they last used it, then I think you have every right to suspend it to limit the risk of attack, in fact you could argue that it should be suspended immediately after they have finished using it.

i understand they have an important job to do, but sometimes they are the worst offenders just asking for open access whenever they want it. Enforce your standards, especially with them. It could be a test of your procedures




Robin
Liverpool/Blackburn
UK
The Following User Says Thank You to rbatte1 For This Useful Post:
jim mcnamara (06-20-2013)
Sponsored Links
    #5  
Old 06-20-2013
Just Ice's Avatar
Just Ice Just Ice is offline Forum Advisor  
Lights on, brain off.
 
Join Date: Mar 2005
Last Activity: 20 September 2013, 10:59 AM EDT
Location: Philadelphia metro
Posts: 958
Thanks: 3
Thanked 66 Times in 59 Posts
having my fill of audit requests, the issue is more likely the auditors saw an account of a terminated employee still active when they last did their audit. since auditors ask for copies of the user-related security files (i.e., /etc/passwd, etc/group, etc.) during an audit, they are able to correlate the listed users with currently active employees/consultants so any account that stands out needs to be reviewed.
Sponsored Links
    #6  
Old 06-20-2013
rbatte1 rbatte1 is online now Forum Staff  
Moderator
 
Join Date: Jun 2007
Last Activity: 23 September 2014, 6:18 AM EDT
Location: Lancashire, UK
Posts: 1,818
Thanks: 583
Thanked 309 Times in 278 Posts
Yeah, yeah, yeah. Often just a pain with technicalities. perhaps they should just be happy that an account has been suspended, unless they want to match it to a notice about someone leaving and date it to quantify the risk for the time between leaving and the suspend date.

Any luck with files under /tcb/files/auth giving you dates? I think you can configure accounts to lock if unused automatically. Add that to the last successful login and you may have an answer for them.



Good luck!

Robin
Sponsored Links
    #7  
Old 06-20-2013
Just Ice's Avatar
Just Ice Just Ice is offline Forum Advisor  
Lights on, brain off.
 
Join Date: Mar 2005
Last Activity: 20 September 2013, 10:59 AM EDT
Location: Philadelphia metro
Posts: 958
Thanks: 3
Thanked 66 Times in 59 Posts
unfortunately, compliance requirements obligate us to remove user accounts of terminated employees as soon as notified. we may not like what audit does but we are stuck with them.
Sponsored Links
Closed Thread

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
User Account Sync search4u2003 Red Hat 3 07-13-2011 09:32 AM
Please help identify these user account rdstkg Security 3 06-09-2011 12:29 AM
How to suspend a user account? daikeyang Shell Programming and Scripting 2 03-21-2009 09:13 PM
Difference between : Locked User Account & Disabled User Accounts in Linux ? avklinux UNIX for Dummies Questions & Answers 3 02-06-2009 08:01 PM
user account chomca Post Here to Contact Site Administrators and Moderators 1 05-22-2006 12:41 PM



All times are GMT -4. The time now is 06:18 AM.