Security
To display a user's login status
# logins -x -l rimmer
rimmer 500 staff 10 Annalee J. Rimmer
/export/home/rimmer
/bin/sh
PS 010103 10 7 -1
The last line of the output (PS 010103 10 7 -1) specifies the password aging information:
* Last date that the password was changed
* Number of days that are required between changes
* Number of days before a change is required
* Warning period
To display users without passwords
# logins -p
To display the password aging status of all users
# passwd -r files -sa
To force the user "user1" to change their password at the next login
# passwd -f user1
To disable password aging
Set the following parameters to empty values in /etc/default/passwd
MAXWEEKS=
MINWEEKS=
To temporarily disable user logins
a. Create the /etc/nologin file in a text editor and include a message about system availability
b. Save and close the file
To monitor failed login attempts
Note: The loginlog file contains one entry for each failed attempt. Each entry contains the user's login name, tty device, and time of the failed attempt. If a person makes fewer than five unsuccessful attempts, no failed attempts are logged. This procedure does not capture failed logins from a CDE or GNOME login attempt.
1. Create the loginlog file in the /var/adm directory
# touch /var/adm/loginlog
2. Change the permissions of the file so that it is readable and writable only by root
# chmod 600 /var/adm/loginlog
3. Change the group membership to sys
# chgrp sys /var/adm/loginlog
4. Verify that the log works: log in with a wrong password five times and check the /var/adm/loginlog file
# more /var/adm/loginlog
jdoe:/dev/pts/2:Tue Nov 4 10:21:10 2003
jdoe:/dev/pts/2:Tue Nov 4 10:21:21 2003
jdoe:/dev/pts/2:Tue Nov 4 10:21:30 2003
jdoe:/dev/pts/2:Tue Nov 4 10:21:41 2003
jdoe:/dev/pts/2:Tue Nov 4 10:21:51 2003
To monitor all failed login attempts
01. Check the /etc/default/login file and make sure the following lines are present
SYSLOG=YES
SYSLOG_FAILED_LOGINS=0
02. Create the /var/adm/authlog file and set up appropriate permissions
# touch /var/adm/authlog
# chmod 600 /var/adm/authlog
# chgrp sys /var/adm/authlog
03. Edit the /etc/syslog.conf file to log failed password attempts (the selector and the file name must be separated by a tab, not spaces)
auth.info	/var/adm/authlog
auth.notice	/var/adm/authlog
04. Restart the syslog daemon
05. Verify that the log works
# more /var/adm/authlog
To close the connection after three login failures
Uncomment the RETRIES entry in the /etc/default/login file, then set the value of RETRIES to 3. Your edits take effect immediately. After three login retries in one session, the system closes the connection.
Password Aging, Length
New Accounts
/etc/default/passwd is the file related to password aging on new accounts.
- MAXWEEKS= is the maximum number of weeks a password may be used.
- MINWEEKS= is the minimum number of weeks allowed between password changes.
- WARNWEEKS= (not present by default) is the number of weeks' warning given before a password expires.
- PASSLENGTH= is the minimum password length.
Existing Accounts
/usr/bin/passwd is used to modify password aging on existing accounts. passwd does not update the last password change field (field 3) in /etc/shadow, so passwords could expire immediately after running it.
Example
User user1 was already created with no password aging (MAXWEEKS= in /etc/default/passwd). To configure the following:
- A minimum of 7 days between password changes.
- Password expiration after 90 days.
- Begin warning about password expiration 14 days in advance.
# /usr/bin/passwd -n 7 -w 14 -x 90 user1
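The aging fields shown by logins -x and set by passwd -n/-w/-x live in /etc/shadow (lastchg in days since 1970-01-01, min/max/warn in days). The script below is an added example, not part of these notes: it audits a constructed shadow file with the same logic login applies, flagging accounts with no password, no aging, a forced change, an expired password, or one inside its warning window. The jdoe entry shows the caveat above: applying -x 90 to a 200-day-old password expires it immediately because lastchg is not updated. Account names and hashes are made up.

```python
from datetime import date

EPOCH = date(1970, 1, 1)
TODAY = (date(2003, 11, 4) - EPOCH).days  # 12360; same day as the loginlog sample

# Constructed sample in shadow(4) layout: name:pw:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW = "\n".join([
    "user1:xxfakehashxx:%d:7:90:14:::" % (TODAY - 80),   # passwd -n 7 -w 14 -x 90, changed 80 days ago
    "jdoe:xxfakehashxx:%d:7:90:14:::" % (TODAY - 200),   # same aging applied to a 200-day-old password
    "nopw::%d::::::" % (TODAY - 3),                       # empty password field, aging disabled
    "forced:xxfakehashxx:0:7:90:14:::",                   # lastchg 0, as left by passwd -f
])


def parse_shadow(text):
    """Yield one dict per entry; an empty aging field becomes None (aging disabled)."""
    def num(s):
        return int(s) if s else None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 9:
            raise ValueError("malformed shadow entry: %r" % line)
        yield {"name": f[0], "pw": f[1], "lastchg": num(f[2]),
               "min": num(f[3]), "max": num(f[4]), "warn": num(f[5])}


def audit_entry(e, today=TODAY):
    """Return the findings for one entry (empty list means nothing to report)."""
    findings = []
    if e["pw"] == "":                          # the accounts that logins -p lists
        findings.append("no password (would appear in logins -p)")
    if e["lastchg"] == 0:                      # passwd -f sets lastchg to 0
        findings.append("change forced at next login")
        return findings
    if e["max"] is None:                       # MAXWEEKS= left empty: no aging
        findings.append("aging disabled: max days field empty")
        return findings
    if e["lastchg"] is None:
        findings.append("lastchg empty with aging set: treat as expired")
        return findings
    expires = e["lastchg"] + e["max"]
    if expires <= today:
        findings.append("password expired %d days ago" % (today - expires))
    elif e["warn"] is not None and expires - today <= e["warn"]:
        findings.append("expires in %d days (inside warning period)" % (expires - today))
    return findings


def audit_shadow(text, today=TODAY):
    """Map account name -> findings for every entry in a shadow file."""
    return {e["name"]: audit_entry(e, today) for e in parse_shadow(text)}


if __name__ == "__main__":
    for name, findings in audit_shadow(SAMPLE_SHADOW).items():
        print("%-8s %s" % (name, "; ".join(findings) or "ok"))
```

On a real system run it as root against /etc/shadow (readable only by root) and review the entries it reports before changing aging with passwd.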
Sources
http://brandonhutchinson.com/wiki/index.php5?title=Solaris_Password_Policy
http://www.securitydocs.com/Operating_System/Solaris