Chapter 3

Securing Machines (Tasks)

This chapter describes the procedures for securing machines in the Solaris environment. The procedures are listed in the task map in the following section.

For overview information about machine security, see Chapter 2, Managing Machine Security (Overview).

Securing Machines (Task Map)

A computer is as secure as its weakest point of entry. The following task map shows the areas that you should monitor and secure.

Task: Display a user's login status
    Description: Use the logins command to view a user's login status information.
    For Instructions: How to Display a User's Login Status

Task: Find users who do not have passwords
    Description: Use the logins command to find only those users whose accounts do not require a password.
    For Instructions: How to Display Users Without Passwords

Task: Disable logins temporarily
    Description: Deny user logins to a machine as part of system shutdown or routine maintenance.
    For Instructions: How to Temporarily Disable User Logins

Task: Provide strong password encryption
    Description: Specify algorithms for password encryption.
    For Instructions: How to Specify an Algorithm for Password Encryption

Task: Provide strong password encryption with a name service
    Description: Specify algorithms for password encryption when you are using a name service.
    For Instructions: How to Specify a New Password Algorithm for an NIS+ Domain
                      How to Specify a New Password Algorithm for an NIS Domain
                      How to Specify a New Password Algorithm for an LDAP Domain

Task: Add a new password encryption module
    Description: Add third-party algorithms.
    For Instructions: How to Install a Password Encryption Module From a Third Party

Task: Save failed login attempts
    Description: Create a log of users who failed to provide the correct password after five attempts.
    For Instructions: How to Save Failed Login Attempts

Task: Create a dial-up password
    Description: Require an additional password for users who log in remotely through a modem or dial-up port.
    For Instructions: How to Create a Dial-up Password

Task: Disable dial-up entry temporarily
    Description: Prevent users from dialing in remotely through a modem or port.
    For Instructions: How to Temporarily Disable Dial-up Logins

Task: Monitor who is using the su command
    Description: Read the sulog file on a regular basis.
    For Instructions: How to Monitor Who Is Using the su Command

Task: Display superuser activity on the console
    Description: Monitor superuser access attempts.
    For Instructions: How to Display Superuser (root) Access Attempts to the Console

Task: Prevent remote access to the console as superuser
    Description: Require remote users to log in with their own user name and then become root.
    For Instructions: How to Prevent Remote Login by Superuser (root)

Task: Prevent users from changing machine parameters
    Description: Prevent users from changing PROM settings.
    For Instructions: How to Require a Password for Hardware Access

Task: Disable the abort sequence
    Description: Prevent users from accessing the PROM.
    For Instructions: How to Disable or Enable a System's Abort Sequence

Securing Logins and Passwords

This section describes how to control and monitor logins.

Procedure: How to Display a User's Login Status

  1. Become superuser or assume an equivalent role.

  2. Display a user's login status by using the logins command.

    # logins -x -l username

    -x

    Displays an extended set of login status information.

    -l username

    Displays the login status for the specified user. username is a user's login name. Multiple login names must be specified in a comma-separated list.

    The logins command uses the appropriate password file to obtain a user's login status. The file can be the local /etc/passwd file, or the password database of the name service that is in use. For more information, see the logins(1M) man page.

Example--Displaying a User's Login Status

In the following example, the login status for the user rimmer is displayed.

# logins -x -l rimmer
rimmer       500     staff           10   Annalee J. Rimmer
                     /export/home/rimmer
                     /bin/sh
                     PS 010170 10 7 -1

rimmer

Identifies the user's login name.

500

Identifies the user ID (UID).

staff

Identifies the user's primary group.

10

Identifies the group ID (GID).

Annalee J. Rimmer

Identifies the comment.

/export/home/rimmer

Identifies the user's home directory.

/bin/sh

Identifies the login shell.

PS 010170 10 7 -1

Specifies the password status and the password aging information, in this order:

  • Password status: PS means that the account has a password, NP means that it has no password, and LK means that the account is locked

  • Last date that the password was changed (mmddyy)

  • Number of days that are required between changes

  • Number of days before a change is required

  • Warning period, in days (-1 indicates that the field is not set)

Procedure: How to Display Users Without Passwords

  1. Become superuser or assume an equivalent role.

  2. Display all users who have no passwords by using the logins command.

    # logins -p

    The -p option displays a list of users with no passwords. As with -l, the logins command consults the password database on the local machine, the /etc/passwd file, or the password database of the name service that is in use.

Example--Displaying Users Without Passwords

The following example shows that the user pmorph does not have a password. Anyone who knows the login name can log in to such an account. Give the account a password with the passwd command, or lock it with passwd -l, before the machine is exposed to users or to the network.

# logins -p
pmorph          501     other           1       Polly Morph
# 
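The two logins checks above (password status and aging from logins -x, and the no-password list from logins -p) can also be run directly against a copy of the shadow file, for example one taken from a backup or a mounted disk image where the logins command is not available. The following script is an added example and is not part of the Solaris guide; it assumes the shadow(4) field layout name:password:lastchg:min:max:warn:inactive:expire:flag, and the sample shadow entries it writes are constructed, with invented hash strings.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: audit a shadow(4) file offline.
# Assumed layout: name:password:lastchg:min:max:warn:inactive:expire:flag

# One line per account: name, status, hash style, aging.
# Status labels are this script's own; they map to the logins(1M) codes
# PS (passworded), NP (no password) and LK (locked).
shadow_audit() {
    awk -F: '
        NF >= 5 {
            pw = $2
            alg = "-"
            if (pw == "")             st = "NO-PASSWORD"   # empty field: anyone can log in
            else if (pw ~ /^\*LK\*/)  st = "LOCKED"        # *LK* prefix: account locked
            else if (pw == "NP")      st = "NP-NOLOGIN"    # NP literal: no direct login (daemons, roles)
            else {
                st = "PASSWORDED"
                # Modular crypt hashes start with "$id$"; a bare 13-character
                # string is a traditional crypt_unix (DES) hash, which is weak.
                alg = (substr(pw, 1, 1) == "$") ? "modular" : "crypt_unix"
            }
            aging = ($5 == "") ? "no-aging" : ("max=" $5 "d")
            printf "%s %s %s %s\n", $1, st, alg, aging
        }' "$1"
}

# Accounts that can be logged into with no password at all: what logins -p reports.
shadow_no_password() {
    shadow_audit "$1" | awk '$2 == "NO-PASSWORD" { print $1 }'
}

# Accounts whose password is still stored as a traditional crypt_unix hash.
shadow_legacy_hashes() {
    shadow_audit "$1" | awk '$3 == "crypt_unix" { print $1 }'
}

# Write a constructed sample shadow file to the given path (hashes are not real).
make_sample_shadow() {
    cat > "$1" <<'EOF'
root:abJnggxhB/yWI:11703:7:56:7:::
rimmer:$5$saltsalt$c0nstructedHashValueNotRealxxxxxxxxxxxxxxxxx:11703:10:7::::
pmorph::11703::::::
daemon:NP:6445::::::
lister:*LK*$5$saltsalt$c0nstructedHashValueNotRealxxxxxxxxxxxxxxxxx:11703:7:56:7:::
EOF
}

# Demonstration on the constructed sample; replace with a copy of /etc/shadow.
sample=$(mktemp) || exit 1
make_sample_shadow "$sample"
echo "== account audit"
shadow_audit "$sample"
echo "== no password (what logins -p reports)"
shadow_no_password "$sample"
echo "== legacy crypt_unix hashes"
shadow_legacy_hashes "$sample"
rm -f "$sample"
```

Run it as root against a copy of the shadow file; the copy must itself be protected (mode 600) because it contains the hashes. The "NP" literal is treated separately from an empty field because the two mean different things in shadow(4): an empty field lets anyone log in, whereas NP marks an account that cannot be logged into directly.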

Procedure: How to Temporarily Disable User Logins

  1. Become superuser or assume an equivalent role.

  2. Create the /etc/nologin file by using an editor.

    # vi /etc/nologin

  3. Include a message about system availability.

  4. Close and save the file.

    Create this file to disallow user logins during system shutdown or routine maintenance. If a user attempts to log in to a system where the nologin file exists, the contents of this file are displayed. Then, the user login is terminated.

    Superuser logins are not affected. Remove the file when the maintenance window ends; until it is removed, ordinary users remain locked out. For more information, see the nologin(4) man page.

Example--Disabling User Logins

This example shows how to notify users of system unavailability.

# vi /etc/nologin
(Add system message here)
 
# cat /etc/nologin 
***No logins permitted.***

***The system will be unavailable until 12 noon.***

You can also bring the system to run level S, single-user mode. For information on bringing the system to single-user mode, see "Shutting Down a System (Tasks)" in System Administration Guide: Basic Administration.

Procedure: How to Save Failed Login Attempts

  1. Become superuser or assume an equivalent role.

  2. Create the loginlog file in the /var/adm directory.

    # touch /var/adm/loginlog

  3. Set read and write permissions for root on the loginlog file.

    # chmod 600 /var/adm/loginlog

  4. Change group membership to sys on the loginlog file.

    # chgrp sys /var/adm/loginlog

  5. Make sure that the log works by attempting to log into the system five times with the wrong password. Then, display the /var/adm/loginlog file.

    # more /var/adm/loginlog
    rimmer:/dev/pts/1:Wed Jan 16 09:22:31 2002
    rimmer:/dev/pts/1:Wed Jan 16 09:22:39 2002
    rimmer:/dev/pts/1:Wed Jan 16 09:22:45 2002
    rimmer:/dev/pts/1:Wed Jan 16 09:22:53 2002
    rimmer:/dev/pts/1:Wed Jan 16 09:23:01 2002
    #

    The loginlog file contains one entry for each failed attempt. Each entry contains the user's login name, tty device, and time of the failed attempt. Attempts are written only after five consecutive failures on the same login session, so if a person makes fewer than five unsuccessful attempts, no failed attempts are logged. The number of attempts that login allows is the RETRIES value in /etc/default/login. If the loginlog file does not exist, nothing is logged.

    The loginlog file might grow quickly. To keep it useful, check and clear its contents regularly. A loginlog file that shows a lot of activity can indicate an attempt to break into the computer system. For more information, see the loginlog(4) man page.
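The following script is an added example and is not part of the Solaris guide. It performs steps 2 to 4 of the procedure in one function, verifies the resulting permissions, and then summarizes a loginlog file in the format shown above so that repeat bursts against one account stand out. Because login writes only after five consecutive failures, an account that appears ten or more times has been attacked in more than one burst, which is why the summary's default threshold is 10. The path is a parameter so the script can be tried on a scratch file; the sample log lines it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: create and review a loginlog file.

# Steps 2-4 of the procedure: create the file, root-only read/write, group sys.
# On Solaris run as root with /var/adm/loginlog; any path works for a trial.
setup_loginlog() {
    logfile=$1
    touch "$logfile" || return 1
    chmod 600 "$logfile" || return 1
    # A host without a "sys" group (for example, a Linux test box) keeps its group.
    chgrp sys "$logfile" 2>/dev/null || echo "warning: group sys not present; group left unchanged" >&2
}

# Permission string as shown by ls, expected "-rw-------" after setup_loginlog.
loginlog_perms() {
    ls -ld "$1" | cut -c1-10
}

# Users with at least THRESHOLD (default 10) logged failures, most active first.
# Output: user  count  tty-of-last-attempt
# Lines look like  user:/dev/pts/1:Wed Jan 16 09:22:31 2002  and the date
# contains colons, so only the first two colon-separated fields are used.
loginlog_summary() {
    logfile=$1
    threshold=${2:-10}
    awk -F: -v t="$threshold" '
        NF >= 3 { n[$1]++; tty[$1] = $2 }
        END {
            for (u in n)
                if (n[u] >= t) printf "%s %d %s\n", u, n[u], tty[u]
        }' "$logfile" | sort -k2,2nr -k1,1
}

# Write a constructed sample loginlog to the given path: three single bursts
# and one account (lister) hit twice from two different ttys.
make_sample_loginlog() {
    cat > "$1" <<'EOF'
rimmer:/dev/pts/1:Wed Jan 16 09:22:31 2002
rimmer:/dev/pts/1:Wed Jan 16 09:22:39 2002
rimmer:/dev/pts/1:Wed Jan 16 09:22:45 2002
rimmer:/dev/pts/1:Wed Jan 16 09:22:53 2002
rimmer:/dev/pts/1:Wed Jan 16 09:23:01 2002
lister:/dev/pts/2:Wed Jan 16 10:05:02 2002
lister:/dev/pts/2:Wed Jan 16 10:05:09 2002
lister:/dev/pts/2:Wed Jan 16 10:05:15 2002
lister:/dev/pts/2:Wed Jan 16 10:05:22 2002
lister:/dev/pts/2:Wed Jan 16 10:05:30 2002
holly:/dev/pts/4:Wed Jan 16 10:40:11 2002
holly:/dev/pts/4:Wed Jan 16 10:40:18 2002
holly:/dev/pts/4:Wed Jan 16 10:40:24 2002
holly:/dev/pts/4:Wed Jan 16 10:40:31 2002
holly:/dev/pts/4:Wed Jan 16 10:40:39 2002
lister:/dev/pts/3:Wed Jan 16 11:12:40 2002
lister:/dev/pts/3:Wed Jan 16 11:12:47 2002
lister:/dev/pts/3:Wed Jan 16 11:12:53 2002
lister:/dev/pts/3:Wed Jan 16 11:13:00 2002
lister:/dev/pts/3:Wed Jan 16 11:13:08 2002
EOF
}

# Demonstration on a scratch file; on a real system point the functions at /var/adm/loginlog.
sample=$(mktemp) || exit 1
setup_loginlog "$sample"
echo "permissions: $(loginlog_perms "$sample")"
make_sample_loginlog "$sample"
echo "== accounts hit in more than one burst (>= 10 failures)"
loginlog_summary "$sample"
echo "== every account with a logged burst (>= 5 failures)"
loginlog_summary "$sample" 5
rm -f "$sample"
```

Run the summary from cron and clear the file afterwards, as the procedure advises; the count per account is what matters, since each account listed at all has already absorbed at least one full burst of five failures.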
