Quote:
Originally Posted by
AIX122
output of "lsuser "
...
I mean: the user can change directory from the home directory to any directory, for example file systems "/opt", "/", "/usr", ...
*Now we are talking*. This is information I can help you with.
First off: everything is ok! The user is *supposed* to be able to change the directory to the directories you mentioned. This is *not* an admin privilege but in fact it is necessary to make the user account usable at all: if the user were not allowed to "cd /usr/bin" for instance, the account would not be able to use any of the programs which are stored there. This would be most of the system commands. Hence the user would not be able to use the system in any reasonable way.
Anyway, I take from your words that your concern is security, so I will give you some security tips based on your output of lsuser:
Quote:
Knbokt id=209 pgrp=nbokt groups=nbokt,apps home=/reports/NBOKT shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat
su=true means that the user is allowed to use the su command to switch user roles. This is a necessary feature sometimes, but its use is undocumented. You cannot see in any log which user has used this command and when. This is a problem not so much of security but more of "auditing", which is a similar area. You can enhance this by doing the following:
- install "sudo", which is always a good idea anyway.
- disallow all users except root to use su by setting "su=" to false (use the "chuser" command for that)
- create a sudo-rule which allows su for a certain group of users via sudo means
- now it is possible to audit the times someone is issuing "su", because it cannot be issued directly any more but only in the form "sudo su - ...."
Quote:
logintimes=!saturday-thursday:0930-1230,!saturday-wednesday:1600-1900 loginretries=3 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=0 minlen=0 histexpire=0 histsize=0
These values deal with the password authentication. "logintimes" is already set and limits the time a user can log on - good. "pwdwarntime" is a value in days and tells the system to warn the user that many days in advance when the password expires. It is a good idea to set this to a sensible value, say, 14 days. "minage" and "maxage" are (in days) the minimal and maximal age of a password. Set these to some sensible values to make the user change the password regularly.
"minlen", "minalpha" and "minother" deal with the password composition: minalpha requires a minimum of that many alphanumeric characters in the password, minother does the same with "other" (punctuation marks, etc.) characters. "minlen" is the minimal length of the password. Right now your users could set a blank password and the system would be happy. "maxrepeats" is the number of times a certain character is allowed to repeat in a password. Set it to avoid having passwords like "xxxxxxxx". "histexpire" is the number of passwords to keep in history. A user is not allowed to reuse a password in the history. Right now even if the user changes his password he might change the password to the same value it already had. If you set it to 9 the user has to use at least 10 different passwords before he can use the first one again.
Quote:
pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_unsuccessful_login=1203769000 tty_last_unsuccessful_login=/dev/pts/3 host_last_unsuccessful_login=10.130.15.125 unsuccessful_login_count=11 roles=
The rest is default. It seems that this specific user is not allowed to log on any more as "unsuccessful_login_count" is 11 and "loginretries" is 3. After 3 unsuccessful login retries the system will lock the account and only an admin (you) can unlock it by issuing
chuser -a unsuccessful_login_count=0 <username>
but this is only an aside.
Another security consideration is: you probably allow telnet/ftp to the system and the users use that (or rlogin, ...) to connect. All these protocols use clear text to transmit the passwords over the network lines. Install ssh (you can download it from IBM's website, see the pinned links in the forum) and switch off (comment out) telnet and ftp in the file /etc/inetd.conf.
I hope this helps.
bakunin
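The checks bakunin walks through above (su=true, empty minlen, non-expiring passwords, no password history, a locked account with unsuccessful_login_count above loginretries, remote login over clear-text services) can be run mechanically against the one-line attribute list that "lsuser <name>" prints. The following POSIX sh script is an added example, not code from the thread: the sample line is constructed from the lsuser output quoted above, and the "hardened" line is a constructed variant showing the same account after the recommended changes. The AIX attribute names are the real ones from the quoted output; the thresholds chosen for the hardened line are illustrative.

```shell
#!/bin/sh
# Added example: audit an "lsuser <name>" attribute line for the weaknesses
# discussed in the reply. Runs offline on the constructed sample lines below;
# on a live AIX box you would call:  audit_lsuser "$(lsuser <name>)"

# Constructed from the lsuser output quoted in the thread (stitched into one line).
SAMPLE_LSUSER='Knbokt id=209 pgrp=nbokt groups=nbokt,apps home=/reports/NBOKT shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes=!saturday-thursday:0930-1230,!saturday-wednesday:1600-1900 loginretries=3 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=0 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_unsuccessful_login=1203769000 tty_last_unsuccessful_login=/dev/pts/3 host_last_unsuccessful_login=10.130.15.125 unsuccessful_login_count=11 roles='

# Constructed: the same account after applying the reply's recommendations
# (values are illustrative, not from a real system).
HARDENED_LSUSER='Knbokt id=209 pgrp=nbokt groups=nbokt,apps home=/reports/NBOKT shell=/usr/bin/ksh login=true su=false rlogin=false admin=false loginretries=3 pwdwarntime=14 minage=1 maxage=13 minlen=8 minalpha=4 minother=2 maxrepeats=2 histexpire=26 histsize=10 unsuccessful_login_count=0'

# lsuser_attr LINE ATTR: print the value of ATTR from an lsuser line; prints an
# empty string when the attribute is unset ("admgroups=") or absent.
# Runs in a subshell so globbing can be disabled while splitting on whitespace,
# and always exits 0 so assignments from it are safe under "set -e".
lsuser_attr() (
    set -f
    for tok in $1; do
        case $tok in
            "$2"=*) printf '%s\n' "${tok#*=}"; exit 0 ;;
        esac
    done
    exit 0
)

# audit_lsuser LINE: print one finding per line; prints nothing when the
# settings discussed in the reply look sane.
audit_lsuser() {
    line=$1
    user=${line%% *}                      # first token is the user name
    su=$(lsuser_attr "$line" su)
    rlogin=$(lsuser_attr "$line" rlogin)
    minlen=$(lsuser_attr "$line" minlen)
    maxage=$(lsuser_attr "$line" maxage)
    histexpire=$(lsuser_attr "$line" histexpire)
    histsize=$(lsuser_attr "$line" histsize)
    retries=$(lsuser_attr "$line" loginretries)
    failed=$(lsuser_attr "$line" unsuccessful_login_count)

    if [ "$su" = "true" ]; then
        echo "$user: su=true - direct su leaves no per-user audit trail; set su=false and grant it through a sudo rule"
    fi
    if [ "$rlogin" = "true" ]; then
        echo "$user: rlogin=true - remote login via telnet/rlogin permitted; prefer ssh and disable the clear-text services in /etc/inetd.conf"
    fi
    if [ "${minlen:-0}" -eq 0 ]; then
        echo "$user: minlen=0 - an empty password is accepted"
    fi
    if [ "${maxage:-0}" -eq 0 ]; then
        echo "$user: maxage=0 - password never expires"
    fi
    if [ "${histexpire:-0}" -eq 0 ] && [ "${histsize:-0}" -eq 0 ]; then
        echo "$user: histexpire=0 histsize=0 - a changed password may be reused immediately"
    fi
    # loginretries=0 means no lockout, so only compare when a limit is set.
    if [ "${retries:-0}" -gt 0 ] && [ "${failed:-0}" -ge "${retries:-0}" ]; then
        echo "$user: unsuccessful_login_count=$failed >= loginretries=$retries - account is locked; reset with: chuser unsuccessful_login_count=0 $user"
    fi
}

# Demo on the constructed sample: six findings for the quoted account, none for
# the hardened variant.
audit_lsuser "$SAMPLE_LSUSER"
audit_lsuser "$HARDENED_LSUSER"
```

The parser relies on lsuser's format of space-separated `attr=value` tokens with no spaces inside values, which holds for the attributes shown in the thread. A finding is printed per weakness rather than a single pass/fail so the output can be fed to the chuser commands the reply suggests.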