OSEC

From: Jon Lindgren (jlindgrenslk.com)
Date: Thu Jan 25 2001 - 09:28:29 CST


    On 25 Jan 2001, Perry E. Metzger wrote:

    > Every day I get reports telling me crud like:
    >
    > Login toor is off but still has a valid shell (/bin/sh)
    > Login backup is off but still has a valid shell (/bin/sh)
    >
    > etc.
    >
    > I want these accounts around -- I just want the password based login
    > capability disabled.
    >
    > Right now, as it stands, /etc/security prints that message out no
    > matter what if field two of the password file is not thirteen or
    > twenty characters long. (What is twenty characters for?)

    I think this is for using alternative encryption (we can use DES and one
    other algorithm, right?).

    > I propose that we distinguish between accounts that are not password
    > loginable and accounts that are off by using different characters for
    > the second field -- something other than * -- and that I then hack the
    > /etc/security script to properly note this distinction and ignore the
    > accounts that are intentionally on but password disabled.
    >
    > Comments?

    Agreed, but we'd also need the capability to see if they've changed. If
    the box gets cracked, and backup becomes a loginable user, I'd definitely
    want to see that (even though at that point, the cracker has probably
    compromised the system to the point where you can't trust the security
    output). If only from a management point of view, the security and daily
    output scripts are good for checking basic changes on the box (such as the
    passwd file, etc...).

    I'd agree with the idea that in general, a box as configured within
    reason should not produce warnings or anomalous results in the daily
    outputs, especially when it's a stock configuration right out of base.tgz
    and etc.tgz

    Just my $0.02

    -
    Jon
     --------------------------------------------------------------------
     - The opinions expressed are not necessarily those of my employer.
     - USATODAY.com latest Health news for 12/4/2000 at 2:10 p.m.:
        Tobacco firm backs lung cancer test: Spaz the cat will never again
        want for medication to relieve his constipation.
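The distinction the thread is asking for (an account that is "off" versus one that is on but not password-loginable) and the change check Jon wants can be sketched in a few lines. What follows is an added example, not the /etc/security script nor code from either poster. It keeps the thread's rule that a 13- or 20-character field two counts as a real hash and that `*` means "off"; the marker for "on, but no password" (NOPASS_MARKER, thirteen asterisks) is an assumed convention chosen for illustration, since the thread only asks for "something other than *". The sample master.passwd lines, hashes and /etc/shells list are constructed.

```python
"""Added example (not the /etc/security script from the thread).

Classifies password-file entries so that an "off" account is told apart
from an account that is on but has password login disabled, prints the
warnings /etc/security would still print, and compares two snapshots so a
state change (e.g. "backup" becoming password-loginable) is reported.

ASSUMPTIONS not stated in the thread:
  * NOPASS_MARKER is an invented marker for "on, password login disabled".
  * The master.passwd lines, the 13-char hashes and VALID_SHELLS are constructed.
"""

OFF_MARKER = "*"                 # field two of an "off" account (as in the thread)
NOPASS_MARKER = "*************"  # ASSUMED marker: account on, password login disabled
HASH_LENGTHS = {13, 20}          # lengths /etc/security accepted as a hash (per the thread)

# Constructed stand-in for /etc/shells
VALID_SHELLS = {"/bin/sh", "/bin/csh", "/bin/ksh"}

# Constructed master.passwd lines (name:pw:uid:gid:class:change:expire:gecos:home:shell);
# the hash strings are made up and merely 13 characters long.
SAMPLE_OLD = """\
root:aaQ1BgH4HCGuE:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:/bin/sh
backup:*************:1001:1001::0:0:Backup operator:/var/backups:/bin/sh
nobody:*:32767:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin
"""

# Same box after an intruder gave "backup" a real password hash.
SAMPLE_NEW = SAMPLE_OLD.replace("backup:*************:", "backup:zzQ1BgH4HCGuF:")


def classify(pw_field):
    """Return 'password', 'nopass', 'off' or 'bogus' for a field-two value."""
    if pw_field == NOPASS_MARKER:
        return "nopass"          # intentionally on, password login disabled: no warning
    if pw_field == OFF_MARKER:
        return "off"             # account switched off entirely
    if len(pw_field) in HASH_LENGTHS:
        return "password"        # password-based login is possible
    return "bogus"               # anything else still deserves a complaint


def parse(passwd_text):
    """Map login name -> (state, shell) for every non-blank, non-comment line."""
    accounts = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError("malformed master.passwd line: %r" % line)
        name, pw_field, shell = fields[0], fields[1], fields[9]
        accounts[name] = (classify(pw_field), shell)
    return accounts


def security_warnings(passwd_text, valid_shells=VALID_SHELLS):
    """Messages the daily check would print once 'nopass' accounts are ignored."""
    out = []
    for name, (state, shell) in sorted(parse(passwd_text).items()):
        if state == "off" and shell in valid_shells:
            out.append("Login %s is off but still has a valid shell (%s)" % (name, shell))
        elif state == "bogus":
            out.append("Login %s has an unrecognised password field" % name)
    return out


def account_changes(old_text, new_text):
    """(name, old, new) for every account whose state or shell differs."""
    old, new = parse(old_text), parse(new_text)
    return [(n, old.get(n), new.get(n))
            for n in sorted(set(old) | set(new)) if old.get(n) != new.get(n)]


if __name__ == "__main__":
    for msg in security_warnings(SAMPLE_OLD):
        print(msg)
    for name, before, after in account_changes(SAMPLE_OLD, SAMPLE_NEW):
        print("CHANGED %s: %s -> %s" % (name, before, after))
```

Run against the constructed files, the old snapshot yields only the `toor` line (backup is ignored because it carries the "on, no password" marker; nobody's shell is not in the shells list), while the snapshot comparison flags `backup` going from `nopass` to `password`, which is exactly the event Jon says he would still want to see.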