
Tuesday, May 6, 2025

How to Reset Passwords for Tenable.sc

Accidentally locked yourself out of your Tenable.sc (formerly Security Center) admin account? Don't worry! This post walks you through the steps to reset your password on version 5.11 and newer. If you're running an older version, you can find instructions in my previous blog post. We'll cover how to reset the password, unlock your account, and clear any pesky login failures.

Important Security Note: Directly modifying the database should be done with caution. Ensure you have a backup of your Security Center configuration before proceeding.


Reset the admin account password

root@earth# /opt/sc/support/bin/sqlite3 /opt/sc/application.db "update userauth set password = '943807ff8e7f4735e2a4774f0cf9ceec1044889088737759ef1f329beb40de00107446dffa66fdcc3d557c1b5109800b8f5083cd4e6cd018c5739135f9ceeb12', salt = 'e+xmTMivzO0Jmyl3XLcDIKcnXOWaKYzWCRRJu2ebr41K8sHJjtYy7JGJwR3IfohbFLUHWzVlivXtt8Dn/ok2tg==', hashtype = 2 where username='admin';"
This command resets the 'admin' user's password to 'password'. It's essential to log in and update this password right away. You can also use this command to reset the password of any other Tenable.sc user by replacing 'admin' with their username. This command does not unlock the account.

Clear Login Failures

root@earth# sqlite3 /opt/sc/application.db "update userauth set failedLogins='0' where username='admin';"
This command resets the count of failed login attempts for the 'admin' user or another specified user.

Unlock the admin Account

root@earth# sqlite3 /opt/sc/application.db "update userauth set locked='0' where username='admin';"
Use this command to restore access to a locked 'admin' account. Note that this action only unlocks the account; the password remains the same.
 
After running these commands, you should be able to log in to your Tenable.sc administrator account. Keep in mind that the password is now the known value set by the command above, so anyone who has read this post knows it. For security, your very first step after logging in should be to change this password through the Tenable.sc interface. If you run into any problems or have more questions, please leave a comment below.
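The same three updates as a script, added here as an example and not Tenable's own tooling: it copies application.db aside first, binds the username as a SQL parameter, and reads the row back so you can confirm the lockout is cleared. The userauth table in the sample only models the columns the commands above touch; the hash and salt constants are the ones from the post.

```python
"""Reset a Tenable.sc account in application.db with a backup and a read-back check.

Added example, not Tenable's own tooling: it issues the same UPDATE statements
as the sqlite3 commands in this post, but binds the username as a parameter
(so an odd username cannot break the SQL quoting), copies the database aside
first, and returns the row before and after so the change can be confirmed.
Tenable.sc's real userauth table has more columns than the constructed sample
below; only the ones the post touches are modelled.
"""
import shutil
import sqlite3
import tempfile
import time
from pathlib import Path

# Hash and salt for the password 'password' at hashtype 2, as given in the post.
RESET_PASSWORD_HASH = (
    "943807ff8e7f4735e2a4774f0cf9ceec1044889088737759ef1f329beb40de00"
    "107446dffa66fdcc3d557c1b5109800b8f5083cd4e6cd018c5739135f9ceeb12"
)
RESET_SALT = "e+xmTMivzO0Jmyl3XLcDIKcnXOWaKYzWCRRJu2ebr41K8sHJjtYy7JGJwR3IfohbFLUHWzVlivXtt8Dn/ok2tg=="
RESET_HASHTYPE = 2

FIELDS = ("username", "password", "salt", "hashtype", "failedLogins", "locked")


def account_state(conn, username):
    """Return the userauth row for username as a dict, or None if absent."""
    row = conn.execute(
        "SELECT username, password, salt, hashtype, failedLogins, locked "
        "FROM userauth WHERE username = ?",
        (username,),
    ).fetchone()
    return None if row is None else dict(zip(FIELDS, row))


def reset_account(db_path, username, reset_password=True, clear_lockout=True):
    """Back up db_path, then reset the password and/or clear the lockout for username."""
    db_path = Path(db_path)
    backup = db_path.with_name(f"{db_path.name}.{time.strftime('%Y%m%d-%H%M%S')}.bak")
    shutil.copy2(db_path, backup)  # the post's 'have a backup' step, done unconditionally

    conn = sqlite3.connect(db_path)
    try:
        before = account_state(conn, username)
        if before is None:
            raise LookupError(f"no userauth row for user {username!r}")
        with conn:  # one transaction: either every update lands or none does
            if reset_password:
                conn.execute(
                    "UPDATE userauth SET password = ?, salt = ?, hashtype = ? "
                    "WHERE username = ?",
                    (RESET_PASSWORD_HASH, RESET_SALT, RESET_HASHTYPE, username),
                )
            if clear_lockout:
                # The post stores '0'; SQLite column affinity treats 0 and '0' alike.
                conn.execute(
                    "UPDATE userauth SET failedLogins = 0, locked = 0 WHERE username = ?",
                    (username,),
                )
        after = account_state(conn, username)
    finally:
        conn.close()
    return {"backup": str(backup), "before": before, "after": after}


def make_sample_db(path):
    """Constructed stand-in for application.db: a locked admin and an untouched second user."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute(
            "CREATE TABLE userauth (username TEXT PRIMARY KEY, password TEXT, "
            "salt TEXT, hashtype INTEGER, failedLogins INTEGER, locked INTEGER)"
        )
        conn.executemany(
            "INSERT INTO userauth VALUES (?, ?, ?, ?, ?, ?)",
            [
                ("admin", "oldhash-constructed", "oldsalt-constructed", 2, 5, 1),
                ("auditor", "otherhash-constructed", "othersalt-constructed", 2, 0, 0),
            ],
        )
    conn.close()


def run_demo():
    """Reset 'admin' in a throwaway copy of the sample database and report the outcome."""
    workdir = Path(tempfile.mkdtemp(prefix="sc-reset-"))
    db = workdir / "application.db"
    make_sample_db(db)
    result = reset_account(db, "admin")
    # The backup must still hold the pre-reset row; the other account must be untouched.
    backup_conn = sqlite3.connect(result["backup"])
    result["backup_admin"] = account_state(backup_conn, "admin")
    backup_conn.close()
    live = sqlite3.connect(db)
    result["auditor"] = account_state(live, "auditor")
    live.close()
    return result


if __name__ == "__main__":
    r = run_demo()
    print("before:", r["before"])
    print("after: ", r["after"])
    print("backup:", r["backup"])
```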

Wednesday, December 4, 2024

Taming Runaway tmux Sessions and Keeping Your Scans Smooth

This post tackles a common issue encountered during vulnerability scans with Tenable.sc (formerly Security Center). It addresses the problem of lingering tmux sessions that can hinder login attempts and system responsiveness.

The Problem

Recently, a critical plugin (21745) triggered on a Red Hat Enterprise Linux 8 (RHEL 8) system during a Tenable.sc scan. The scan user account wasn't locked out, but SSH login attempts hung indefinitely despite system logs showing a successful login. A reboot temporarily resolved the issue, but it kept recurring.

The Culprit: Unclosed tmux Sessions

Tenable.sc leverages tmux, a terminal multiplexer, to manage multiple connections during a scan. When a connection is established, tmux typically creates a session. The problem arose when these tmux sessions weren't being automatically closed after the scan completed. This led to a situation where the scan user ended up with thousands of orphaned sessions, causing login issues.


Fixing the Runaway Sessions


1. Automatic Cleanup

  • Edit the system-wide tmux configuration file ( /etc/tmux.conf ).
  • Add the line set -g destroy-unattached on to the configuration file. This instructs tmux to destroy a session as soon as no client is attached to it.
  • To implement this change (the file is root-owned, and a redirect after sudo echo runs as the unprivileged shell, so append with tee instead):
scanuser@remotesystem> echo "set -g destroy-unattached on" | sudo tee -a /etc/tmux.conf

2. User-Specific Control (Optional)

  • This approach keeps the automatic tmux launch for interactive logins but skips the designated scan user ( scanuser ), so the scanner's connections get a plain shell and leave no tmux session behind.
  • Create a custom shell script ( /etc/profile.d/custom.sh ) with the following content:

# /etc/profile.d/custom.sh - drop interactive SSH/console logins into tmux, except the scan account
if [ "$USER" != "scanuser" ]; then
    if [ "$PS1" ]; then
        parent=$(ps -o ppid= -p $$)
        name=$(ps -o comm= -p "$parent")
        case "$name" in
            sshd|login) exec tmux ;;
        esac
    fi
fi

The script runs from /etc/profile.d for every login shell. For any user other than scanuser, if the shell is interactive ($PS1 is set) and its parent process is "sshd" (SSH daemon) or "login" (console login), it replaces the shell with tmux. The scan user is skipped, so the scanner's connections never create a tmux session.
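An audit for the condition this post describes, added here as an example (not Tenable's or tmux's code): it checks whether /etc/tmux.conf really enables destroy-unattached, and counts a user's sessions that have no client attached, parsed from tmux list-sessions -F output using the real format variables session_name, session_attached and session_created. The conf text and session listing in the block are constructed samples.

```python
"""Audit a host for the runaway-tmux condition described in this post.

Added example (not Tenable's or tmux's own code). Two checks:
  1. does /etc/tmux.conf actually enable destroy-unattached (a commented-out
     or misspelt line would silently leave the problem in place), and
  2. how many sessions a user currently has with no client attached, parsed
     from 'tmux list-sessions -F' output using the real format variables
     session_name, session_attached and session_created.
The conf text and session listing below are constructed samples.
"""
import re
import subprocess
import time

# Format string handed to tmux; each line becomes "name<TAB>attached_clients<TAB>created_epoch".
LIST_FORMAT = "#{session_name}\t#{session_attached}\t#{session_created}"
_OPTION_RE = re.compile(r"^\s*set(?:-option)?\s+(?:-g\s+)?destroy-unattached\s+(on|off)\b")


def destroy_unattached_enabled(conf_text):
    """True if the last effective 'destroy-unattached' setting in the file is 'on'."""
    state = False
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # strip trailing comments; a leading '#' blanks the line
        m = _OPTION_RE.match(line)
        if m:
            state = m.group(1) == "on"
    return state


def parse_sessions(listing):
    """Turn 'tmux list-sessions -F LIST_FORMAT' output into dicts."""
    sessions = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        name, attached, created = line.split("\t")
        sessions.append({"name": name, "attached": int(attached), "created": int(created)})
    return sessions


def unattached_sessions(listing, now, min_age_seconds=300):
    """Names of sessions with no client attached that are older than min_age_seconds.

    A just-created session may legitimately have no client for a moment during
    connection setup, so very young ones are not reported.
    """
    return [
        s["name"]
        for s in parse_sessions(listing)
        if s["attached"] == 0 and now - s["created"] >= min_age_seconds
    ]


def kill_commands(names):
    """argv lists that would remove the orphaned sessions (run as the session owner)."""
    return [["tmux", "kill-session", "-t", n] for n in names]


# ---- constructed samples ----------------------------------------------------
SAMPLE_CONF_BAD = "# set -g destroy-unattached on\nset -g history-limit 5000\n"
SAMPLE_CONF_GOOD = "set -g history-limit 5000\nset -g destroy-unattached on  # scanner fix\n"

SAMPLE_NOW = 1_733_300_000  # an arbitrary 'current time' for the sample listing
SAMPLE_LISTING = (
    "0\t0\t1733200000\n"   # orphan, about 28 hours old
    "1\t0\t1733250000\n"   # orphan, about 14 hours old
    "2\t1\t1733299000\n"   # attached: a real interactive login
    "3\t0\t1733299900\n"   # 100 s old and unattached: still connecting, ignored by default
)


def audit_live(user=None, now=None):
    """Query the running tmux server for the current user (or another user via sudo)."""
    cmd = ["tmux", "list-sessions", "-F", LIST_FORMAT]
    if user:
        cmd = ["sudo", "-u", user] + cmd
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:  # 'no server running' is the usual, healthy, reason
        return []
    return unattached_sessions(proc.stdout, now or int(time.time()))


if __name__ == "__main__":
    print("conf ok:", destroy_unattached_enabled(SAMPLE_CONF_GOOD))
    print("orphans:", unattached_sessions(SAMPLE_LISTING, SAMPLE_NOW))
```

A count in the thousands for the scan account is exactly the symptom the post describes; audit_live("scanuser") runs the real query once the constructed samples have shown the parser works.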

Understanding the Tools

tmux: An open-source terminal multiplexer that allows managing multiple terminal sessions within a single window. You can split your terminal into different panes, detach from sessions, and reattach later, similar to the "screen" application.

Tenable Plugin 21745: This is an informational plugin that gathers and displays information from other plugins, triggered in this instance due to potential login failures.

Additional Resources

By implementing these solutions, you can ensure that your Tenable.sc scans run smoothly without encountering issues caused by lingering tmux sessions.

Thursday, October 19, 2023

Login hangs for scanning account

The Problem

I ran into this issue the other day. Tenable.sc (formerly Security Center) was reporting a hit on plugin 21745 for a Red Hat Enterprise Linux 8 (RHEL 8) system. I checked on the account used on the systems for scanning and it wasn't locked out or anything. When I tried to SSH into the system with the credentials, it would just hang. The system logs showed "login successful". When I rebooted, the system was able to log in normally again, but the problem would come back eventually.

The Cause

When the Nessus scanner scans a system, it makes several connections to the host. Each connection starts a TMUX session. The problem is that the TMUX sessions were not being closed after the Nessus scanner disconnected from the system. It turned out that the account used for security scanning had around 2,000 TMUX sessions running.

The Fix

Add "set -g destroy-unattached on" to the /etc/tmux.conf file.

scanuser@remotesystem> echo "set -g destroy-unattached on" | sudo tee -a /etc/tmux.conf

This appends the line "set -g destroy-unattached on" to the /etc/tmux.conf configuration file (tee is used because a redirect after sudo echo would run as the unprivileged shell and fail). With this option on, tmux destroys a session as soon as no client is attached to it.


Another Fix

Set system-wide rules for TMUX on the affected systems so that interactive logins are dropped into TMUX for everyone except the account used by the Nessus scanner. Put the following in /etc/profile.d/custom.sh:
# /etc/profile.d/custom.sh - drop interactive SSH/console logins into tmux, except the scan account
if [ "$USER" != "scanuser" ]; then
    if [ "$PS1" ]; then
        parent=$(ps -o ppid= -p $$)
        name=$(ps -o comm= -p "$parent")
        case "$name" in
            sshd|login) exec tmux ;;
        esac
    fi
fi

Defs

TMUX is an open-source terminal multiplexer for Unix-type systems. Multiple terminal sessions can be accessed simultaneously by splitting the terminal into different screens. It can also detach remote sessions and reattach them later, similar to what the screen application can do.

Tenable Plugin: a plugin is a script deployed by the Nessus scanner to check for security vulnerabilities. In this case plugin 21745 is an info plugin; it displays info from other plugins. This plugin is triggered (displayed) whenever a login failure occurs.

Other useful links

Tmux Cheat Sheet & Quick Reference
https://tmuxcheatsheet.com/
A beginner's guide to tmux
https://www.redhat.com/sysadmin/introduction-tmux-linux

Thursday, September 22, 2016

Create user account and set password with one command

I often see forum posts where a System Administrator wants to create local user accounts on several servers and doesn't want to have to set the user's password over and over again. Below I share two ways to do this. The first way creates the user account and sets the password in one command. The second method sets the password in an additional command. Either way can be used in a script, which can speed things up if you need to create one or more accounts on several systems.

Below is an example of creating a user account.
root@earth> useradd -u 25 -g staff -G ftp,users -m -d /export/home/newuser -c "newuser" -s /bin/bash newuser
root@earth> passwd newuser
passwd: Changing password for username
New Password:
Re-enter new Password:
passwd: password successfully changed for newuser

This method can be a very time-consuming process and would be hard to use in a script. Below is an example of using the -p option of the useradd command to set the user's password by supplying the password hash (the encrypted value that goes into /etc/shadow, not the clear-text password).

root@earth> useradd -u 25 -g staff -G ftp,users -m -d /export/home/newuser -c "newuser" -s /bin/bash -p '$6$jbvkjjg$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/' newuser

This method works on Linux computers, such as SLES and RHEL. It however doesn't work on systems such as Solaris.

Alternatively, you can set the password by echoing it to standard input, as shown below. The major issue with doing it this way is that the password is recorded in the system logs (and in your shell history), and if you're running the command remotely you're sending the password in the clear. So I don't recommend doing it this way.
root@earth> echo password | passwd newuser --stdin

This method works only on Linux systems.

Other posts with similar info
Linux User Account Creation & Customization
Adding a new user to a UNIX based system

Reference pages.
Online man page - useradd
Online man page - passwd

Tuesday, May 17, 2016

Reset Admin account on Security Center


The other day I got locked out of my admin account for the Security Center 5 from Tenable. In order to get back into the system I needed to reset the admin password. Below I show how to reset the admin password on Security Center 5. For this to work you must have elevated privileges, such as root.

Note- There is a newer version of these instructions. These instructions are for Security Center 5.10 and below, for Tenable.sc 5.11 and higher please visit this page: How to Reset Passwords for Tenable.sc

Reset the admin account password

root@earth> sqlite3 /opt/sc/application.db "update userauth set password = 'bbd29bd33eb161d738536b59e37db31e' where username='admin';"
This command sets the admin password to 'password'.

Clear login failures.

root@earth> sqlite3 /opt/sc/application.db "update userauth set failedLogins='0' where username='admin';"

Unlock the admin account

root@earth> sqlite3 /opt/sc/application.db "update userauth set locked='0' where username='admin';"

After following these steps you will be able to log in to the admin account with the password set to 'password'. If you have any questions or comments please post them below.

Friday, April 22, 2016

Linux User Account Creation & Customization

A Systems Administrator must be able to manage user accounts by adding users, removing users, modifying accounts and setting passwords. In this tutorial, I will give you instructions on how to properly create user accounts on Linux operating systems. Creating a user account can be simple, but there are a few complexities to note. As opposed to a graphical user interface (GUI), these instructions use the command line to create the user accounts.

The command line provides an ideal method for account management, because it provides faster account creation, especially when you are creating several accounts on one or more computers. The graphical user interface, or GUI, on Linux systems can vary greatly from system to system, but the one constant on all Linux operating systems is the command line. The command line (CLI) is a text-based user interface used for entering commands for the operating system to interpret. So I will be showing the use of the useradd command, which creates the user accounts, and the passwd command, which sets or changes the user account's password.

Typographical conventions.
The typographical conventions section is meant to help readers better understand what they're seeing. Please carefully read the instructions before continuing.

The courier font is used for names of commands, files, directories, user names, and on-screen computer output; for example:
Use the useradd command to add users to the computer.

The courier bold font is used for characters and numbers you type; for example:
whoami

Courier bold italic is used to represent variables that can change; for example:
passwd bob


Instructions
After each line you type into the command line press the enter key. As explained in the above typographical conventions section, anything displayed in courier bold is typed in the command line and if it is displayed in courier it is the output of the line above. To follow this tutorial open the terminal or xterm program to access the command line. Please refer to the Command & Term Reference guide, for information on commands and terms.

Note - If you don't have access to a Linux computer you can still follow along, using the Linux emulator at, "http://www.tutorialspoint.com/execute_bash_online.php" . Type the commands into the green box on the right.


Method One: Create a user, using default settings.
If you are creating a user account on just one computer, the steps below will work, but if you are creating a user account on more than one computer, use Method Two or Three instead. If the Linux computer is not connected to any other Linux computers on the network then the method shown below will work. This is the best method for users who are novices at using the command line.

Follow the steps below to create a user account for Bob.
1) Create user account for bob
useradd bob

2) Create a password for user account bob.
passwd bob
passwd: Changing password for bob
New Password:
Re-enter new Password:
passwd: password successfully changed for bob

The passwd command sets user account passwords. In the example above it sets the password for user account bob.

Note - If you don't set the password, the user will not have a password and will not be able to log in.

3) Test user account by logging into the computer with the new user account.
su - bob

The su command stands for switch user, and it is used to switch from one user account to another. The - is an option used with the su command; it gives you a full login shell as the new user, with that user's own environment loaded. In order to fully test the newly created user account you must use the su command with the - option, as shown.

4) Verify you are logged in as new user.
whoami
bob

The whoami command displays the name of user currently logged in on the command line. The result of the command should be bob as shown above.

Fun Fact: The whoami command also works on Windows computers.

Creating a user account using this method was pretty easy right? This method is perfect for home users who want to add user accounts to their home PC, for their family and friends. This method is not the way to add users on a corporate network.

Method Two: Creating a user with custom settings.
This method is all about control, and is used when creating user accounts on corporate networks. One positive thing about this method is that you know exactly what is being set. The downside to the method is the high probability of making a typo. This method can be too complicated for less knowledgeable users.

1) Create the user account.
Type the entire line out before you press enter.
useradd -u 900 -g users -G video -c "user account, Jill" -m -d /export/home/jill -s /bin/bash jill

Command Options Explained
-u        Sets user’s UID (Unique Identification Number) to 900
-g        Sets user’s primary group to users
-G        Sets user’s secondary groups to video
-c        Sets a comment for the user. Puts a comment into the /etc/passwd file.
-m        Makes the user’s home directory
-d        Sets the path to the user’s home directory
-s        Sets the user’s shell

One reason to use useradd with all the options listed above is that computers see user accounts as numbers. When we created Jill's user account we see the account's name as jill, but the computer sees the account as 900, or UID (Unique Identification Number) 900. Unless you set the UID by using the -u option, the computer will assign the next available UID number, which could result in a user having different UID numbers on different computers. This can cause issues with permissions, for example if user Bob has UID 900 on PC number one and Jill has the same UID on PC number two. Jill creates a document and stores it on the network. PC one will see that the file is owned by UID 900 and so it will show Bob as the owner. Then Bob can do anything he wants to Jill's document, including deleting it.

Note: For more information on the useradd command and its options, type man useradd into the command line. To exit the man page


2) Set Jill’s password. 
echo jillspassword | passwd -e jill --stdin

In the above series of commands, the echo command sends the word jillspassword to the passwd command, then the passwd command sets the user's password to jillspassword. The -e shown in the above example expires the user's password, making the user have to change their password when they next log in.

Why set the password in this way, when the way shown in Method One was easier? This method is a more advanced way to set a user's password. For example, let's say you need to create ten user accounts. If you do what we did in Method One, you will need to type the new user's password in twenty times, two times for each user. On the other hand, if you use the method shown here, then you only need to change the username ten times. To save on typing, the rest of the command shown above can be pasted into the command line. This method can also be used in a script, since it doesn't require any additional input from you after you run the command.

3) Repeat steps 3 & 4 from Method One to test the account.
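The UID-collision problem from step 1, as an added example that is not part of the tutorial: before running the useradd line from Method Two, check every host's /etc/passwd for a UID that already belongs to someone else (Bob and Jill both at 900), or a name already taken with a different UID, and pick the lowest UID that is free everywhere. The passwd snippets for 'pc1' and 'pc2' are constructed samples; the useradd invocation is built as an argv list so the comment field needs no shell quoting.

```python
"""Check a UID/username for collisions across hosts before running useradd.

Added example (not from the tutorial): it reads the /etc/passwd content of
several hosts, finds where a proposed UID already belongs to someone else (the
Bob/Jill situation described in Method Two) or the name is taken with a
different UID, and can pick the lowest UID that is free everywhere. The passwd
snippets for 'pc1' and 'pc2' below are constructed samples.
"""


def parse_passwd(text):
    """Map uid -> username and username -> uid from passwd-format text."""
    by_uid, by_name = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line; ignore rather than guess
        name, uid = fields[0], int(fields[2])
        by_uid[uid] = name
        by_name[name] = uid
    return by_uid, by_name


def find_conflicts(hosts, username, uid):
    """List (host, reason) pairs where creating username with uid would clash."""
    conflicts = []
    for host, text in hosts.items():
        by_uid, by_name = parse_passwd(text)
        if uid in by_uid and by_uid[uid] != username:
            conflicts.append((host, f"uid {uid} already belongs to {by_uid[uid]}"))
        if username in by_name and by_name[username] != uid:
            conflicts.append((host, f"{username} already exists with uid {by_name[username]}"))
    return conflicts


def next_free_uid(hosts, start=1000, stop=60000):
    """Smallest UID in [start, stop) that no host has allocated."""
    taken = set()
    for text in hosts.values():
        taken.update(parse_passwd(text)[0])
    for uid in range(start, stop):
        if uid not in taken:
            return uid
    raise RuntimeError("no free UID in range")


def useradd_argv(username, uid, primary_group, groups, home, shell, comment):
    """Build the Method Two useradd invocation as an argv list (no shell quoting needed)."""
    argv = ["useradd", "-u", str(uid), "-g", primary_group]
    if groups:
        argv += ["-G", ",".join(groups)]
    argv += ["-c", comment, "-m", "-d", home, "-s", shell, username]
    return argv


def provision_plan(hosts, username, uid, **useradd_opts):
    """Return the argv to run if uid/username are free everywhere, else the conflicts."""
    conflicts = find_conflicts(hosts, username, uid)
    if conflicts:
        return {"ok": False, "conflicts": conflicts}
    return {"ok": True, "argv": useradd_argv(username, uid, **useradd_opts)}


# ---- constructed samples: Bob already holds UID 900 on pc1, Jill holds it on pc2 ----
SAMPLE_HOSTS = {
    "pc1": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "bob:x:900:100:Bob:/export/home/bob:/bin/bash\n"
    ),
    "pc2": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "jill:x:900:100:user account, Jill:/export/home/jill:/bin/bash\n"
    ),
}


if __name__ == "__main__":
    print(provision_plan(SAMPLE_HOSTS, "jill", 900, primary_group="users", groups=["video"],
                         home="/export/home/jill", shell="/bin/bash", comment="user account, Jill"))
    print("next free uid:", next_free_uid(SAMPLE_HOSTS, start=900))
```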

Method Three: Configuring system settings for easier user creation.
In Method Three, I will be combining the ease of use of the first method and the completeness of the second. In Method One we ran the useradd command with no options set. The Linux system still used many of the options used in Method Two, but set them using system-defined defaults. To see these defaults, run the useradd command with the -D option; for example:
useradd -D
GROUP=2001
HOME=/home
INACTIVE=35
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

To change a default system setting, run useradd -D followed by the setting you want to change. In the example below, the default shell is being changed from /bin/bash to /bin/ksh.
useradd -D -s /bin/ksh

To see if the changes took effect, run the useradd -D command again.

Note: The most common things to set are the home directory and the shell.

1) Create user account for Sam
useradd -u 1010 -G 10 -c "user account, Sam" -m sam

Here we have the best of both worlds: the reduced typing of Method One and the precise settings from Method Two. Setting the system defaults leaves much less chance of making mistakes. Now only the settings that are unique to the user have to be set.

2) Set Sam’s password, choose the approach used in Method one or Method two.

3) Repeat steps 3 & 4 from Method one to test the account.

I showed you three variations on using the useradd and passwd commands to create user accounts. For new users on Linux, I suggest Method One. Intermediate to advanced users should use Method Two or Three, though Method Three is the preferred method. I hope this tutorial was informative and you learned something new.

Command & Term Reference Guide

Commands
useradd – command used to create user accounts.
passwd – command used to set user account passwords.
whoami – informs user who they are logged in as. Can also use the command id to do the same thing.
su – stands for switch user, and is used to switch between users.
man – stands for manual, used to view system manuals. The manuals are referred to as man pages.
echo – displays whatever you type on the next line.
|  - This is called a pipe, it takes the output of the command on the left and sends (pipes) it to the input of the command on the right.

Terms
Terminal and xterm: are programs that display the command line. The terms xterm, terminal and command line can, for the most part, be interchangeable.
Shell: is a customized command line environment. Examples of shells are BASH, SH, KSH and CSH.

Conclusion
Well what did you think? This post is written at a lower level than most of my other posts, because this was originally a paper I wrote for a college class. Method 3 needs a little more info, so I will write a follow on post with a little more detail on how to set the system defaults. Anyway let me know what you think and if you have any questions by posting below.

Related posts on this Blog
Adding a new user to a UNIX based system

References
Man pages: useradd, passwd
My College paper
The Ultimate Guide to Create Users in Linux / Unix


Thursday, September 18, 2014

Unlock locked accounts

These are my notes on unlocking user accounts. Below I go over a few ways to get a user account back up and running, such as changing the expiration date on an expired account and resetting the PAM tally for a user.

In keeping with the space theme, I will be using earth as the server's hostname and man as the name of the user account.

This is the most common way to unlock your account.
root@earth> passwd -u man

Change the expiration date of the user account
root@earth> usermod --expire 9999 man

This works on some systems
root@earth> ipa user-unlock man

This resets the account if all else fails.
root@earth> pam_tally --user=man --reset



References.
www.cyberciti.biz
From RHEL user-unlock command
SuperUser pam command

Wednesday, February 19, 2014

My BASH profile

These are notes on how I like to have my command prompt set up. I'm a BASH user, so I will be updating the .profile and the .bashrc files. Both files are located in the user's home directory.


This is what my prompt looks like. It is a two-line prompt; I find that it helps break up the commands from the output. The second line also gives more room for long commands and helps prevent the line from wrapping over the top of the prompt.
earth:~
man@earth

The basic bash prompt doesn't look all that great, as seen below. To make it look like the example above, run the command below.

bash
bash$

export PS1="\[\e]2;\h:\w \a\]\[\e[0;31m\]\u\[\e[0m\]@\[\e[0;32m\]\h\[\e[0;34m\]\n<\[\e[0m\] "

Below I have posted my .profile file.
earth:~
man@earth
more .profile

PATH=/usr/xpg4/bin:/usr/bin:/bin:/usr/sbin:/usr/local/sbin:/usr/openwin/bin:/usr/local/bin:/usr/ucb:/etc:/usr/X11/bin:/sbin:/usr/openv/netbackup:/usr/openv/netbackup/bin:/usr/openv/netbackup/bin/admincmd:/usr/openv/netbackup/bin/goodies:/usr/openv/volmgr/bin:/usr/sfw/bin/:$HOME

MANPATH=/usr/share/man:/usr/dt/man:/usr/openwin/share/man:/usr/X11/man:/usr/man:/usr/sfw/man:/usr/local/man:

EDITOR=/usr/bin/vi
TMOUT=0
TIMEOUT=0

#alias xterm="xterm -sl 1000 &"
#export PS1="\[\e]2;\h:\w \a\[\e[0;31m\]\u@\e[0;32m\h\e[0;34m\]>\[\e[0m\] "
# every non-printing escape is wrapped in \[ \] so bash measures the prompt width correctly
export PS1="\[\e]2;\h:\w \a\]\[\e[0;31m\]\u\[\e[0m\]@\[\e[0;32m\]\h\[\e[0;34m\]\n<\[\e[0m\] "
The PATH statement is used to store the paths of the commands you want to use. This way you don't need to provide the full path for each command you want to run. The MANPATH statement is basically the same thing, but used to help you access the man pages.



Friday, November 8, 2013

Firefox won't run

This is a quick fix for getting Firefox to run when it says it is already running. This only seems to happen if you have your home directory mounted across all your computers. The picture below is the error you normally get when you have this problem.



One way to fix this is to delete the lock file.
root@earth> rm ~/.mozilla/firefox/*.default/lock

You can also use profiles to get past this error. I would suggest you create a different profile for each computer you use Firefox on. Run the command below to get the pop-up GUI for selecting the profile, as shown below. From here you can create a profile to use, if you need one.

root@earth> firefox -p



If you already have a profile, then run the command firefox -p with the profile's name at the end.
root@earth> firefox -p profilename


Please feel free to add any comments below if I have missed something.

Monday, October 21, 2013

My BASH Prompt

Below are my notes on how I like my BASH prompt setup. This prompt has two lines which I find helps to break up the commands from the output. The second line also gives more room for long commands and helps prevent the line from wrapping over top of the prompt. I also update the title bar on the terminal or xterm with the hostname and current working directory. I find this helpful because this way I will always know who I am on the system, what server I'm logged into and what directory I'm in without typing any commands.

earth:~
man@earth

If you like my prompt, cut and paste the line below into your terminal or add it to your .profile file.
export PS1="\[\e]2;\h:\w \a\]\[\e[0;31m\]\u\[\e[0m\]@\[\e[0;32m\]\h\[\e[0;34m\]\n<\[\e[0m\] "

If you have any suggestions or questions post them below.

Friday, September 6, 2013

How to setup SSH Keys

Note - I have a newer version of this how-to. Please click here 

This is a guide on setting up SSH keys for a UNIX based account. What are SSH keys, you ask? They are a means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. SSH keys are considered more secure than passwords for accessing systems, because the server authenticates your account without your password ever being sent over the network. If the password is never transmitted, it can't be intercepted.
This guide is not for installing or setting up an SSH server. You must have SSH running on your servers for your SSH keys to work. All the examples are taken from a Solaris 10 (SPARC) server. This guide should also work on any UNIX based operating system like Linux, BSD and the Mac.

Create your key pair
The ssh-keygen command generates a public and private key pair. The keys are stored in ~/.ssh. The basic command looks like this: ssh-keygen -t [dsa|rsa]. The -t option sets the type of key. In the example below I create an RSA key pair.
man@earth> ssh-keygen -t rsa
Enter file in which to save the key (/home/man/.ssh/id_rsa): Press [Enter] key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/man/.ssh/id_rsa.
Your public key has been saved in /home/man/.ssh/id_rsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01

Make sure you don't use a blank passphrase; doing so is very insecure. A blank passphrase defeats the purpose of the extra security that key-based authentication gives you, since anyone who obtains the key file can use it as-is. It is also important never to give out your private key, which would likewise compromise the security of your account.

Copy public key
Copy your public key to the authorized_keys file on the remote server. Note that scp overwrites any authorized_keys file already on moon, so if other keys are already there, append the new one instead of copying over it.
man@earth> scp ~/.ssh/id_rsa.pub moon:~/.ssh/authorized_keys

If your home directory automounts across a lot of servers, you can append the key with the cat command instead:
man@earth> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Setup Agent
At this point, when you log in you get prompted for a passphrase. To stop this from happening, set up an SSH agent. Run the commands below and type in your passphrase when prompted.
man@earth> eval `ssh-agent`
man@earth> ssh-add
Enter passphrase for /home/man/.ssh/id_rsa:
Identity added: /home/vivek/.ssh/id_dsa (/home/man/.ssh/id_rsa)

There are other ways to set up the agent, such as using the GNOME GUI. Unfortunately that only works if you're running a GNOME desktop. If you're a VNC user, start your VNC server session after starting your agent in the same terminal. This way all the terminals launched in your VNC session will use the same agent.

One issue with agents is that sometimes you end up running a lot of agents. Run the command below and kill any agents that you are not using, as a good practice.
man@earth> ps -ef | grep agent

References
g-loaded.eu
Symantec: SSH and ssh-agent

If you have any questions or comments please post below.

Thursday, July 25, 2013

Adding, Deleting or Changing a Group in UNIX

This is a little how to on creating, deleting or modifying a group on a UNIX based computer.

root@earth> /usr/sbin/groupadd -g # groupname
If you use the -g option, you can set the GID for the group. If the GID is not set, the OS will choose one.

To delete a group.
root@earth> /usr/sbin/groupdel groupname

To change a group
root@earth> /usr/sbin/groupmod -g # -n newgroupname groupname
Use the -g option to change the group's GID and -n to change the name of the group.

Use these commands only for local accounts. If a network nameservice or directory server is running then use that service instead.


Thursday, April 11, 2013

Script for checking accounts

In a perfect world all user accounts are centrally managed by a directory server such as NIS, LDAP or Active Directory. Unfortunately not all servers use centrally managed accounts, and some servers are set aside as stand-alone servers. It can be a real pain to find out your account's password has expired and then be forced to change it before you can log in. So I wrote this little script, because I need to know when my passwords are about to expire. This way I can change my passwords on all the servers before they expire.

I have three different operating systems at work so of course they all do this differently. In this how to I will be using examples from Solaris 10, RHEL 5 (Red Hat Enterprise Linux) and SLES 11 (SUSE Linux Enterprise Server). I created a different file, containing the server names, for each OS.

The script below logs into each server listed in the server-sol file, runs the passwd -s command and prints the output on the screen. It then runs the chage -l command on the Linux servers. SUSE needs elevated privileges to run chage -l, so I add sudo to that line. The line with the echo statement prints the server's name indented and in bold.

man@earth>cat check-login2
#!/bin/bash
# Solaris: passwd -s is run through sudo
for s in $(cat server-sol)
do
    echo -e "\e[1m $s \033[0m "
    ssh -q "$s" sudo passwd -s man
done
# RHEL: chage -l
for r in $(cat server-rhel)
do
    echo -e "\e[1m $r \033[0m "
    ssh -q "$r" chage -l man
done
# SLES: chage -l needs elevated privileges, so sudo is added
for sles in $(cat server-suse)
do
    echo -e "\e[1m $sles \033[0m "
    ssh -q "$sles" sudo chage -l man
done

Examples of output from the script on the different OS versions.
man@earth>./check-login2
   solaris-server
rich PS 04/03/13 7 56 7
   rhel-server
Last password change : Apr 03, 2013
Password expires : May 29, 2013
Password inactive : never
Account expires : never
Minimum number of days between password change : 7
Maximum number of days between password change : 56
Number of days of warning before password expires : 7
   sles-server
Minimum: 1
Maximum: 60
Warning: 7
Inactive: 35
Last Change: Apr 03, 2013
Password Expires: Jun 02, 2013
Password Inactive: Jul 07, 2013
Account Expires: Never

As you can see there is a difference in the output each OS gives you. If you have any comments or questions please post them below.
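The next step the post is after, added here as an example that is not part of the check-login2 script: turn each OS's output into "days until this password expires" and flag the ones inside a warning window. The Solaris passwd -s line is last-change date plus the max-age field; the RHEL and SLES chage -l listings carry an explicit "Password expires" line. The per-host outputs are the ones shown above, embedded as constructed samples, and the demo's "today" is fixed so the numbers are reproducible.

```python
"""Turn the check-login2 output into 'days until this password expires'.

Added example (not the post's script): it parses the three formats shown above,
Solaris 'passwd -s' (last-change date plus the max-age field) and the RHEL and
SLES 'chage -l' listings (an explicit 'Password expires' line), and flags
accounts that expire within a warning window. The per-host outputs below are
constructed samples copied from the post; 'today' is fixed so the numbers are
reproducible.
"""
import re
from datetime import date, datetime, timedelta

_CHAGE_EXPIRES_RE = re.compile(r"^\s*Password expires\s*:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def expiry_from_passwd_s(line):
    """Solaris 'passwd -s': name status mm/dd/yy min max warn. Returns a date or None."""
    fields = line.split()
    if len(fields) < 6 or fields[1] != "PS":
        return None  # LK/NP (locked / no password) or no aging fields: nothing to compute
    last_change = datetime.strptime(fields[2], "%m/%d/%y").date()
    return last_change + timedelta(days=int(fields[4]))


def expiry_from_chage(text):
    """RHEL/SLES 'chage -l': read the 'Password expires' line. Returns a date or None."""
    m = _CHAGE_EXPIRES_RE.search(text)
    if not m or m.group(1).lower() == "never":
        return None
    return datetime.strptime(m.group(1), "%b %d, %Y").date()


def expiry_date(output):
    """Pick the parser by the shape of the output (chage listings name the field)."""
    if "password expires" in output.lower():
        return expiry_from_chage(output)
    for line in output.splitlines():
        if line.strip():
            return expiry_from_passwd_s(line)
    return None


def days_left(output, today):
    """Days from today until expiry; None when the password never expires."""
    exp = expiry_date(output)
    return None if exp is None else (exp - today).days


def expiry_report(outputs, today, warn_days=14):
    """{host: (days_left, needs_attention)}; None days means no expiry is set."""
    report = {}
    for host, text in outputs.items():
        d = days_left(text, today)
        report[host] = (d, d is not None and d <= warn_days)
    return report


# ---- constructed samples: the three outputs shown in the post ----------------
SAMPLE_OUTPUTS = {
    "solaris-server": "rich PS 04/03/13 7 56 7\n",
    "rhel-server": (
        "Last password change : Apr 03, 2013\n"
        "Password expires : May 29, 2013\n"
        "Password inactive : never\n"
        "Account expires : never\n"
        "Minimum number of days between password change : 7\n"
        "Maximum number of days between password change : 56\n"
        "Number of days of warning before password expires : 7\n"
    ),
    "sles-server": (
        "Minimum: 1\n"
        "Maximum: 60\n"
        "Warning: 7\n"
        "Inactive: 35\n"
        "Last Change: Apr 03, 2013\n"
        "Password Expires: Jun 02, 2013\n"
        "Password Inactive: Jul 07, 2013\n"
        "Account Expires: Never\n"
    ),
}
SAMPLE_TODAY = date(2013, 4, 3)   # the day the sample passwords were last changed
SAMPLE_LATER = date(2013, 5, 20)  # nine days before the RHEL password expires


if __name__ == "__main__":
    for host, (days, warn) in expiry_report(SAMPLE_OUTPUTS, SAMPLE_TODAY).items():
        print(f"{host:16} {days!s:>5} days {'<-- change soon' if warn else ''}")
```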

Friday, December 28, 2012

Restrict the ability to switch to the root user


Having the ability to become root is great, but if the wrong person gets the root password then bad things can happen. So let's make it a little harder on them. In the steps below I'm going to make the su command unusable to a normal user. First we remove the permissions for other. Then we change the group ownership to sysadmin so only users in the sysadmin group (gid 14) can su and become root.

Change permissions and group ownership on the su command
# cd /usr/bin
# ls -la su

-r-sr-xr-x 1 root sys 21192 Dec 28 12:30 su
# /usr/bin/chgrp sysadmin su
# /usr/bin/chmod 04750 su
# ls -la su

-rwsr-x--- 1 root sysadmin 21192 Dec 28 12:30 su

Now let's change the su.static file.
# cd /sbin
# ls -la su.static

-r-sr-xr-x 1 root sys 21192 Dec 28 12:30 su
# /usr/bin/chgrp sysadmin su.static
# /usr/bin/chmod 04750 su.static
# ls -la su.static

-rwsr-x--- 1 root sysadmin 21192 Dec 28 12:30 su.static
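A check that the two binaries ended up in the state the post targets (setuid root, group sysadmin, no access for other), added here as an example and not part of the post. evaluate() works on plain stat numbers, so the before/after states from the ls output above can be modelled as constructed values without root; audit_path() wraps it around os.stat for a live check.

```python
"""Verify that su has been restricted the way this post does it.

Added example, not part of the post: an audit that reads a file's mode and group
and reports whether it is setuid root, group-owned by the admin group, and not
accessible by 'other' (the post's target state is mode 4750, group sysadmin).
The evaluate() function works on plain numbers so it can be exercised without
root or a real su binary; audit_path() wraps it around os.stat for a live check.
"""
import grp
import os
import stat


def evaluate(st_mode, st_uid, st_gid, admin_gid):
    """Return a dict of findings for a su-like binary given its stat fields."""
    perm = stat.S_IMODE(st_mode)
    findings = {
        "owner_is_root": st_uid == 0,
        "setuid": bool(perm & stat.S_ISUID),
        "group_is_admin": st_gid == admin_gid,
        "group_can_exec": bool(perm & stat.S_IXGRP),
        "other_has_no_access": (perm & stat.S_IRWXO) == 0,
        "not_group_writable": (perm & stat.S_IWGRP) == 0,
        "mode": oct(perm),
    }
    # Every condition the post's chgrp/chmod pair is meant to establish.
    findings["restricted"] = all(
        findings[k]
        for k in ("owner_is_root", "setuid", "group_is_admin",
                  "group_can_exec", "other_has_no_access", "not_group_writable")
    )
    return findings


def audit_path(path, admin_group="sysadmin"):
    """Live check of an installed binary such as /usr/bin/su or /sbin/su.static."""
    st = os.stat(path)
    admin_gid = grp.getgrnam(admin_group).gr_gid  # KeyError if the group does not exist
    return evaluate(st.st_mode, st.st_uid, st.st_gid, admin_gid)


# Constructed stat values mirroring the post's before/after ls output.
# before: -r-sr-xr-x root:sys (gid 3 is a constructed value)   after: -rwsr-x--- root:sysadmin
SYSADMIN_GID = 14  # gid 14 for sysadmin, as stated in the post
BEFORE = dict(st_mode=stat.S_IFREG | 0o4555, st_uid=0, st_gid=3)
AFTER = dict(st_mode=stat.S_IFREG | 0o4750, st_uid=0, st_gid=SYSADMIN_GID)


if __name__ == "__main__":
    for label, fields in (("before", BEFORE), ("after", AFTER)):
        print(label, evaluate(admin_gid=SYSADMIN_GID, **fields))
    for p in ("/usr/bin/su", "/sbin/su.static"):
        if os.path.exists(p):
            try:
                print(p, audit_path(p))
            except KeyError:
                print(p, "group sysadmin does not exist on this host")
```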


Monday, October 1, 2012

Overview of the ldapclient command

I have seen a lot of forum posts on the web asking for help with this command, so I am writing this post to help people understand the basic process of getting a Solaris server to authenticate against an LDAP server using the ldapclient command. This post is not a "how to" for the ldapclient command.


Synopsis
/var/sbin/ldapclient [-v | -q] [init | manual | mod | list | uninit | genprofile]

ldapclient sub-commands
The init sub-command initializes the client using a profile stored on an LDAP server.
The manual sub-command sets up the LDAP client manually.
The mod sub-command modifies the configuration of an LDAP client that was set up manually.
The list sub-command shows the current LDAP client configuration.
The uninit sub-command removes the client configuration so you can start again.
The genprofile sub-command generates an LDIF file that can then be loaded into the LDAP server.

Any files modified during setup are backed up to /var/ldap/restore. The files typically modified during setup are:
/etc/nsswitch.conf
/etc/defaultdomain (if it exists)
/var/ldap/ldap_client_file
/var/ldap/ldap_client_cred

The last two files above are created by ldapclient.

Steps to getting a Solaris client to work with an LDAP server.
1) Gather the information that will be used, like IP addresses and host names.
 Note - Save the full command, with all of its values, before you run it. You will need it later.
2) Run ldapclient manual
3) If needed, run ldapclient mod
4) Test the LDAP user accounts; this means logging in as the user.
5) If the accounts work, run the ldapclient genprofile command, which creates an LDIF file. If you kept the full command from steps 1 or 2, just replace the word manual and/or mod with genprofile and run the command. Load the LDIF into the LDAP server. This LDIF file creates the profile and agent entries.
6) If the proxy agent and profile are working, then all you need to do is run ldapclient init on all new Solaris clients.

As I said earlier, this is not a how-to, just a simple overview of the ldapclient command.
I hope this helps someone.
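Step 5 above depends on re-running the exact attribute list from step 2, which is easy to get wrong by hand. The script below is an added example, not part of the original post: it keeps the ldapclient attributes in one place and builds both the manual and the genprofile command lines from them. The site values (search base, server addresses, proxy DN, the /etc/ldap-proxy.pw password file and the ldap-setup.sh script name) are placeholders; the attribute names are ldapclient's own. It also assumes, based on the ldapclient man page, that genprofile only accepts the profile attributes, so the per-client ones (domainName, proxyDN, proxyPassword) are kept separate and only passed to manual.

```shell
#!/bin/sh
# Added example, not part of the original post: keep the ldapclient attributes
# in one place so step 2 (manual) and step 5 (genprofile) are built from the
# same values. The site values below are placeholders; the attribute names are
# ldapclient's own. Assumption: genprofile only takes the profile attributes,
# so the per-client ones (domainName, proxyDN, proxyPassword) are kept apart.

# Placeholder site values
PROFILE=default
SEARCH_BASE='dc=example,dc=com'
SERVERS='192.0.2.10,192.0.2.11'
DOMAIN=example.com
PROXY_DN='cn=proxyagent,ou=profile,dc=example,dc=com'
PROXY_PW_FILE=/etc/ldap-proxy.pw      # root-only (mode 0400) file holding the proxy password

# profile_attrs
# Attributes shared by every client: what genprofile writes into the LDIF and
# what `ldapclient init` later pulls from the server.
profile_attrs() {
    echo "-a profileName=$PROFILE" \
         "-a defaultSearchBase=$SEARCH_BASE" \
         "-a defaultServerList=$SERVERS" \
         "-a credentialLevel=proxy" \
         "-a authenticationMethod=simple"
}

# client_attrs
# Per-client settings that never go into the profile. Fails (and prints
# nothing) if the password file is not readable, so no half-built command runs.
client_attrs() {
    [ -r "$PROXY_PW_FILE" ] || { echo "cannot read $PROXY_PW_FILE" >&2; return 1; }
    echo "-a domainName=$DOMAIN" \
         "-a proxyDN=$PROXY_DN" \
         "-a proxyPassword=$(cat "$PROXY_PW_FILE")"
}

# ldapclient_cmd manual|genprofile
# Prints the full command line. manual gets profile + client attributes,
# genprofile only the profile ones, so the two steps cannot drift apart.
ldapclient_cmd() {
    case "$1" in
        manual)
            c=$(client_attrs) || return 1
            echo "ldapclient manual $(profile_attrs) $c" ;;
        genprofile)
            echo "ldapclient genprofile $(profile_attrs)" ;;
        *)
            echo "usage: ldapclient_cmd manual|genprofile" >&2; return 1 ;;
    esac
}

# Usage on the Solaris client, as root:
#   sh ./ldap-setup.sh                      # print the genprofile command for review
#   sh ./ldap-setup.sh manual               # print the manual command for review
#   sh ./ldap-setup.sh --run manual         # step 2
#   sh ./ldap-setup.sh --run genprofile > profile.ldif   # step 5, then load the LDIF
case "${1:-}" in
    --run) cmd=$(ldapclient_cmd "${2:-}") && eval "$cmd" ;;
    *)     ldapclient_cmd "${1:-genprofile}" ;;
esac
```

Printing the command before running it is the point: you can diff the manual and genprofile lines and see that only the per-client attributes differ. Keep in mind that ldapclient takes the proxy password as a command-line attribute, so it is visible in the process list while the command runs; reading it from a root-only file at least keeps it out of shell history and the script itself.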

Tuesday, September 25, 2012

Setup no password sudo on RHEL

Sudo is a great tool if you want to run programs with elevated permissions. The problem is that by default you have to enter a password to run the commands. In this post I show you how to set up sudo in RHEL 5 so that selected users don't need to enter a password.

Open your favorite text editor and edit /etc/sudoers. Change the following lines to match what is below.
visudo
## Allows people in group wheel to run all commands
%wheel ALL=(ALL)  ALL

## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
Note - I found that you have to uncomment both of the items above if you are using a GNOME desktop. When only the bottom option is set, the GNOME admin apps will not launch, even after you enter the root password in the pop-up. So if you are not using the admin GUI apps, just uncomment the bottom one.

Next add the user to the wheel group.
usermod -G wheel user
The -G option adds the user to the wheel group. If you use -g instead the sysadmin group will be added as the primary group.

Now your user should be able to use sudo without having to use a password.

Similar pages on this blog:
Use sudo without a password

Thursday, September 6, 2012

Use sudo without a password

These are my notes for setting up users so they can use sudo without a password. This how-to is for a server that already has sudo installed. Basically what I'm doing here is giving a group the ability to use sudo without a password and then assigning users to that group.

To edit the sudoers file, use the command below.
# visudo

Add the following line.
%sysadmin ALL=(ALL) NOPASSWD: ALL
In this example the sysadmin group can now sudo without needing to use a password, but any group can be used. The leading % is what tells sudo the name is a group rather than a user.

Note - I use the sysadmin group for Solaris and the wheel group for RHEL & SLES.

Add the user rich to the sysadmin group.
# usermod -G sysadmin man
The -G option adds the user man to the sysadmin group. If you use -g instead the sysadmin group will be added as the primary group.

Following the steps above should now give access to sudo without needing to enter a password. If you have any questions or comments please post below.
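Both this post and the RHEL one above come down to two things: a NOPASSWD rule in sudoers and a user added to the right group. The script below is an added example, not part of either post: it reports which users and groups a sudoers file grants passwordless sudo to (the % prefix decides whether sudo reads a name as a group or a user), syntax-checks the file with visudo before trusting it, and adds a user to a group with usermod -a so their other supplementary groups survive. The sample sudoers text is constructed from the rules shown in the two posts; the script name sudo-audit.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not part of either sudo post: report which users and groups a
# sudoers file grants passwordless sudo to, and add a user to the admin group
# without dropping the supplementary groups they already have. The sample
# sudoers text below is constructed from the rules shown in the posts.

# nopasswd_rules
# Reads sudoers text on stdin and prints "group NAME" or "user NAME" for every
# rule carrying a NOPASSWD: tag. A leading % is what makes sudo treat the name
# as a group; without it sudo looks for a user of that name. Comment and blank
# lines are skipped, so a rule that is still commented out is not reported.
# #include / #includedir directives are not followed.
nopasswd_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /NOPASSWD:/ {
            if ($1 ~ /^%/) { sub(/^%/, "", $1); print "group", $1 }
            else           { print "user", $1 }
        }
    '
}

# check_sudoers FILE
# Syntax-checks FILE the way visudo does before it is installed, then reports
# its passwordless rules. A bad edit to sudoers locks everyone out of sudo,
# which is why visudo (or this -c check) should always be in the loop.
check_sudoers() {
    visudo -cf "$1" || return 1
    nopasswd_rules < "$1"
}

# add_to_group USER GROUP
# Appends GROUP to USER's supplementary groups. With Linux shadow-utils usermod
# (RHEL, SLES), -G without -a REPLACES the whole supplementary group list with
# the one given, silently removing the user from every other group.
add_to_group() {
    getent group "$2" >/dev/null || { echo "no such group: $2" >&2; return 1; }
    usermod -a -G "$2" "$1"
}

# Constructed sample: the RHEL post's two wheel rules with only the NOPASSWD
# one uncommented, plus a per-user rule for the user rich.
SAMPLE='## Allows people in group wheel to run all commands
# %wheel ALL=(ALL)  ALL

## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
rich   ALL=(ALL) NOPASSWD: ALL'

if [ -n "${1:-}" ]; then
    check_sudoers "$1"               # e.g. sh ./sudo-audit.sh /etc/sudoers
else
    printf '%s\n' "$SAMPLE" | nopasswd_rules
fi
```

Run without arguments it reports "group wheel" and "user rich" for the sample; pointed at a real file it refuses to report anything visudo would reject. Running the report across copies of sudoers collected from many hosts is a quick way to find a passwordless rule that was meant for a group but was written without the %.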

Similar pages on this blog:
Setup no password sudo on RHEL


Thursday, August 23, 2012

Delete User accounts

Here is a note on deleting user accounts from UNIX or Linux operating systems. These instructions are for local accounts only.

To remove or delete a user account run the command below.
# userdel -r user
The -r option removes their home directory.

Related posts
Linux User Account Creation & Customization
Unlock locked accounts
Delete User accounts

Thursday, February 23, 2012

How to enforce a 14 digit password in Solaris

By default, Solaris sets the minimum password length to around 8 characters. Many IT security departments want passwords of at least 14 characters. Longer passwords are harder to guess or crack.

The Solaris 10 OS needs to have the following settings to enforce a 14 digit password.

In /etc/security/policy.conf change the password hashing algorithm from the traditional __unix__ crypt to either 1 or md5. This step is needed because the traditional UNIX crypt only looks at the first 8 characters of a password, so a longer minimum length has no effect until the hash algorithm is changed.
CRYPT_DEFAULT=__unix__
to
CRYPT_DEFAULT=1
In /etc/default/passwd change the password length line from 8 to 14.
PASSLENGTH=8
to
PASSLENGTH=14