[System Administration] AIX System Security: 7. User Accounts and Environment
Posted 2006-11-07 10:29
1. Block system accounts

The stock service accounts keep their UIDs and file ownership but must not be usable for logging in, locally or over the network.

for user in daemon bin sys adm uucp nuucp printq guest nobody lpd sshd; do
    chuser rlogin=false login=false "$user"
done

2. Set password aging defaults for user accounts

These commands write the default stanza of /etc/security/user, which applies to every account that does not override the attribute in its own stanza (no account expiry date is set here; that would be the expires attribute). maxage and minage are in weeks, pwdwarntime in days; the shipped maxage=0 means passwords never expire.

chsec -f /etc/security/user -s default -a maxage=13        # 13 weeks (91 days) maximum password age
chsec -f /etc/security/user -s default -a minlen=6         # minimum password length
chsec -f /etc/security/user -s default -a minage=1         # 1 week before a new password may be changed again
chsec -f /etc/security/user -s default -a pwdwarntime=28   # warn 28 days before the password expires
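To check that those values actually took effect, or to audit a host someone else built, read the default stanza back. On a live host, lssec -f /etc/security/user -s default -a maxage does that for one attribute at a time; the script below is an added example, not part of the original post, that parses a copy of the file itself so it can also run offline against a saved copy. The thresholds are the ones from the chsec commands above, and the file written by make_sample is a constructed sample in the layout of /etc/security/user, not a real one.

```shell
#!/bin/sh
# Added example: audit the "default" stanza of an /etc/security/user style file
# against the password-aging policy set by the chsec commands above.
# Stanza file format: a stanza opens with "name:" on its own line, followed by
# tab-indented "attribute = value" lines; lines starting with '*' are comments.

# stanza_get FILE STANZA ATTR -> prints the value; exit status 1 if absent
stanza_get() {
    awk -v want_stanza="$2" -v want_attr="$3" '
        /^\*/ { next }                                # comment line
        /^[A-Za-z_][^:]*:[ \t]*$/ {                   # "name:" opens a new stanza
            cur = $0; sub(/:[ \t]*$/, "", cur); next
        }
        cur == want_stanza {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]+$/, "", k)
            gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
            if (k == want_attr) { print v; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# pw_policy_findings FILE -> one line per attribute that misses the policy,
# no output when the default stanza is compliant.
pw_policy_findings() {
    ppf_file=$1
    # attribute, test operator, limit; maxage/minage are weeks, pwdwarntime is days
    printf '%s\n' "maxage le 13" "minlen ge 6" "minage ge 1" "pwdwarntime ge 28" |
    while read -r attr op limit; do
        val=$(stanza_get "$ppf_file" default "$attr") || val=""
        case $val in
            ''|*[!0-9]*) echo "$attr: not set or not numeric ('$val')"; continue ;;
        esac
        if [ "$attr" = maxage ] && [ "$val" -eq 0 ]; then
            # maxage=0 is the shipped default and means passwords never expire
            echo "maxage: 0 (never expires), want 1..13 weeks"; continue
        fi
        [ "$val" "-$op" "$limit" ] || echo "$attr: $val, want $op $limit"
    done
}

# make_sample FILE MAXAGE MINLEN MINAGE PWDWARNTIME
# Writes a constructed stanza file in the layout of /etc/security/user.
make_sample() {
    printf '* constructed sample, not a real /etc/security/user\n' > "$1"
    printf 'default:\n\tadmin = false\n\tlogin = true\n' >> "$1"
    printf '\tmaxage = %s\n\tminlen = %s\n\tminage = %s\n\tpwdwarntime = %s\n' "$2" "$3" "$4" "$5" >> "$1"
    printf 'root:\n\tadmin = true\n\tmaxage = 0\n' >> "$1"
}

# Demo: "sh audit_pw_policy.sh --demo" shows the shipped defaults failing and
# the hardened values passing.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample "$d/shipped" 0 0 0 0
    make_sample "$d/hardened" 13 6 1 28
    echo "shipped:";  pw_policy_findings "$d/shipped"
    echo "hardened:"; pw_policy_findings "$d/hardened"
    rm -rf "$d"
fi
```

Run it against a copy of /etc/security/user taken with cp (the file is root-readable only) and treat any output as drift; the per-user stanzas can override default, so a follow-up is to run stanza_get with each user name instead of default for accounts that matter.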

3. Verify there are no accounts with empty password fields

pwdck -n ALL    # -n only reports problems; -y would also correct them

4. Verify no legacy '+' entries exist in the passwd and group files

grep '^+:' /etc/passwd /etc/group

5. Verify no UID 0 accounts exist other than root

Any name printed is a finding; the match is on the whole field so that id=0 does not also match id=0nn.

lsuser -a id ALL | awk '$2 == "id=0" && $1 != "root" {print $1}'

6. No '.' or group/world-writable directory in root's $PATH

Run as root. The pattern matches an empty component (leading, trailing or doubled ':') or a literal '.', either of which makes the shell search the current directory; the mode of each directory still has to be checked separately.

echo "$PATH" | grep -E '(^|:)\.?(:|$)'
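The one-liner only catches the current-directory case. The function below is an added example, not code from the original post, that does the other half as well: it walks every PATH component and reports directories that are group- or world-writable, where anyone with write access could plant a program that root then runs by name. It parses the mode field of ls -ld rather than using stat, so it works on AIX as well as Linux; the PATH strings in the demo are constructed, and a world-writable directory is reported even when it has the sticky bit set.

```shell
#!/bin/sh
# Added example: audit a PATH string for the two classes of problem named above:
#   1. empty, "." or relative components (programs run from the current directory)
#   2. directories that are group- or world-writable (anyone in the group, or
#      anyone at all, can drop a trojan "ls" that root will run)
# Uses only POSIX sh and ls, so it runs on AIX's ksh as well as bash/dash.

# dir_mode_problem DIR -> prints "group-writable", "world-writable" or
# "not a directory"; prints nothing when the mode is acceptable.
dir_mode_problem() {
    if [ ! -d "$1" ]; then
        echo "not a directory"
        return 0
    fi
    # First field of ls -ld, e.g. "drwxrwxr-x": char 6 is group w, char 9 is other w.
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????????w*) echo "world-writable" ;;
        ?????w*)    echo "group-writable" ;;
    esac
    return 0
}

# path_audit PATHSTRING -> prints "<component>: <reason>" per offending entry;
# returns 1 if anything was found, 0 if the PATH is clean.
path_audit() {
    rest="$1:"          # trailing ':' so the loop also sees a trailing empty component
    findings=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            '') echo "(empty): current directory is searched"
                findings=$((findings + 1)); continue ;;
            .)  echo ".: current directory is searched"
                findings=$((findings + 1)); continue ;;
            /*) ;;
            *)  echo "$entry: relative path, resolved against the current directory"
                findings=$((findings + 1)); continue ;;
        esac
        problem=$(dir_mode_problem "$entry")
        if [ -n "$problem" ]; then
            echo "$entry: $problem"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Demo: "sh path_audit.sh --demo" audits the caller's own PATH plus a constructed bad one.
if [ "${1:-}" = "--demo" ]; then
    echo "current PATH:"; path_audit "$PATH" && echo "clean"
    echo "constructed PATH:"; path_audit "/usr/bin:.:/tmp:" || true
fi
```

As root, sh path_audit.sh --demo audits root's PATH as set by the login environment; for a cron or su - environment check, pass the PATH string from /etc/environment explicitly.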

7. User home directories should be mode 750 or more restrictive

NEW_PERMS=750
# AIX reserves IDs below 200 for system accounts (whose "homes" are places like / and /etc),
# so only ordinary users with id >= 200 have their home directory tightened.
lsuser -c ALL | grep -v '^#name' | cut -f1 -d: | while read NAME; do
    USER_ID=$(lsuser -a id "$NAME" | cut -f2 -d=)
    if [ "$USER_ID" -ge 200 ]; then
        HOMEDIR=$(lsuser -a home "$NAME" | cut -f2 -d=)
        echo "Changing $NAME homedir $HOMEDIR"
        chmod "$NEW_PERMS" "$HOMEDIR"
    fi
done
# Have mkuser create future home directories with the same mode. "\$1" keeps the
# dollar sign literal, so grep looks for the text "chmod 750 $1" in the script.
# The edited copy is written next to the original rather than under /tmp, so that
# root never follows a predictable /tmp path that another user could pre-create.
if [ "$(grep -c "chmod $NEW_PERMS \$1" /usr/lib/security/mkuser.sys)" -eq 0 ]; then
    sed -e "s/mkdir \$1/mkdir \$1 \&\& chmod $NEW_PERMS \$1/g" \
        /usr/lib/security/mkuser.sys > /usr/lib/security/mkuser.sys.new
    mv /usr/lib/security/mkuser.sys.new /usr/lib/security/mkuser.sys
    chmod 750 /usr/lib/security/mkuser.sys
fi

Editing mkuser.sys directly is what this checklist does; on later AIX releases mkuser.sys calls /usr/lib/security/mkuser.sys.custom if it exists, and that file is the supported place for local changes because an update can replace mkuser.sys itself.

8. No user dot-files should be world-writable

lsuser -a home ALL | cut -f2 -d= | while read HOMEDIR; do
    echo "Examining $HOMEDIR"
    if [ -d "$HOMEDIR" ]; then
        # Only dot-files, minus "." and "..". The tests use the full path; testing
        # the bare name would resolve it against the current directory instead.
        ls -a "$HOMEDIR" | grep -E '^\.' | grep -Ev '^\.\.?$' | while read FILE; do
            if [ -f "$HOMEDIR/$FILE" ]; then
                echo "Adjusting $HOMEDIR/$FILE"
                chmod go-w "$HOMEDIR/$FILE"
            fi
        done
    else
        echo "Missing home dir $HOMEDIR"
    fi
done

9. Remove user .netrc and .rhosts files

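Items 7, 8 and 9 all act on one home directory at a time. The function below is an added example, not code from the original post, that does all three for a single directory: it sets the directory mode, strips group and world write from regular dot-files, and removes .netrc (cleartext FTP credentials) and .rhosts (passwordless rlogin/rsh trust). The function name harden_home and the sample home it builds in --demo mode are constructed; the dot-file globs are used instead of find -maxdepth because older AIX find lacks that option.

```shell
#!/bin/sh
# Added example: apply items 7-9 to one home directory.
#   harden_home DIR [MODE]     MODE defaults to 750
# Prints one line per change. Portable POSIX sh (ksh88 on AIX, dash, bash).

harden_home() {
    hh_dir=$1
    hh_mode=${2:-750}
    if [ ! -d "$hh_dir" ]; then
        echo "skip: $hh_dir is not a directory"
        return 0
    fi
    if [ "$hh_dir" = / ]; then
        # root and several system accounts have home=/; never chmod that
        echo "skip: refusing to change /"
        return 0
    fi
    # Item 7: the home directory itself
    chmod "$hh_mode" "$hh_dir" && echo "chmod $hh_mode $hh_dir"
    # Item 9: trust files, removed even if they are symlinks
    for hh_f in "$hh_dir/.netrc" "$hh_dir/.rhosts"; do
        if [ -e "$hh_f" ] || [ -L "$hh_f" ]; then
            rm -f "$hh_f" && echo "removed $hh_f"
        fi
    done
    # Item 8: regular dot-files directly in the home directory.
    # ".[!.]*" skips "." and ".."; "..?*" catches names that begin with "..".
    for hh_f in "$hh_dir"/.[!.]* "$hh_dir"/..?*; do
        [ -f "$hh_f" ] || continue        # unmatched glob, directory, socket, ...
        [ -L "$hh_f" ] && continue        # target may live outside the home directory
        case "$(ls -l "$hh_f" | cut -c1-10)" in
            ?????w*|????????w*)           # group (char 6) or other (char 9) write bit
                chmod go-w "$hh_f" && echo "chmod go-w $hh_f" ;;
        esac
    done
    return 0
}

# Demo: "sh harden_home.sh --demo" builds a constructed home directory and hardens it.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    mkdir "$d/alice"; chmod 777 "$d/alice"
    printf 'machine ftp.example.test login alice password constructed\n' > "$d/alice/.netrc"
    : > "$d/alice/.rhosts"
    : > "$d/alice/.profile"; chmod 666 "$d/alice/.profile"
    harden_home "$d/alice"
    ls -la "$d/alice"
    rm -rf "$d"
fi
```

Drive it from the same user list as item 7, i.e. only accounts with id >= 200, because system accounts report homes such as /etc and /usr/lib/uucp that must keep their own modes: lsuser -a id home ALL, filter on the id field, then call harden_home on the home value.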

10. Set the default umask for users

lsuser -a home ALL | awk '{print $1}' | while read user; do
    chuser umask=077 "$user"
done

11. Set the default umask for the FTP daemon

chsubserver -c -v ftp -p tcp "ftpd -l -u077"   # -l logs sessions via syslogd, -u sets the umask for uploaded files
refresh -s inetd                                # make inetd re-read its configuration

12. Set "mesg n" as the default for all users

Guarded with grep so that running the checklist again does not append duplicate lines.

grep -q '^mesg n' /etc/profile   || echo "mesg n" >> /etc/profile
grep -q '^mesg n' /etc/csh.login || echo "mesg n" >> /etc/csh.login

13. Remove unnecessary default user accounts

Only do this on a host that uses neither UUCP nor the local print subsystem, which runs under lpd and printq. rmuser -p also deletes the user's entry in /etc/security/passwd; home directories are not removed and must be cleaned up separately. The groups are removed in their own loop after the users, since the accounts that own them must go first.

# Remove users
for USER_NAME in uucp nuucp lpd guest printq; do
    rmuser -p "$USER_NAME"
done
# Remove the groups that belonged to them
for GROUP_NAME in uucp printq; do
    rmgroup "$GROUP_NAME"
done


This article comes from the ChinaUnix blog; the original is at: http://blog.chinaunix.net/u/4031/showart_196607.html