USER CONFIGURATION  - Created Monday 20 October 2014


INFO

syscheck called by root

Contents of "/etc/passwd":

WARNING

Comments found in "/etc/passwd". This can cause a lot of problems with user management.

Sequence: 272  - Command: grep -v "\#" /etc/passwd

Username  Enc  UID  GID  Gecos  Home directory 
root  Root admin user  /home/root 
daemon    /etc 
bin    /bin 
sys    /usr/sys 
adm    /var/adm 
#This is a comment           
invscout  12    /var/adm/invscout 
esaadmin    /var/esa 
lpd  4294967294   
sshd  10  15    /home/sshd 
lp  11  11    /var/spool/lp 
co1217  12    /home/co1217 
pconsole  13    /var/adm/pconsole 
snapp  200  13  snapp login user  /usr/sbin/snapp 
ipsec  201    /etc/ipsec 
keytest  202    /home/keytest 
was  203  201    /opt/WebSphere70 
ga0112  204    /home/ga0112 
andrew  205  Andrew Cowan  /home/andrew 
mqm  206  202    /var/mqm 
andrew2  207    /home/andrew2 
radiusd  208  203    /home/radiusd 
idsldap  209  205    /home/idsldap 
www  211  206    /home/www 
wwwadm  212  206    /home/wwwadm 
ldapdb2  213  16    /home/ldapdb2 
sftp  990  125    /var/chroot00/./home/sftp 
nobody  4294967294  4294967294   
nagios  14  207    /home/nagios 
pmclient  214    /var/opt/quest/qpm4u/pmclient 
pmpolicy  215  209    /var/opt/quest/qpm4u/pmpolicy 
uptime  216  up.time agent user  /home/uptime 
lpar2rrd  217    /home/lpar2rrd 
postgres  16  211    /home/postgres 
user1  218    /home/user1 
dasusr1  219  101    /home/dasusr1 
db2inst1  220  102    /home/db2inst1 
db2fenc1  221  103    /home/db2fenc1 
idsinst  222  16    /home/idsinst 
mysql  64400  64400  MySQL Server  /home/mysql 
p520  223    /home/p520 
tester  224    /home/tester 
rrdcache  225  218  RRDcached User  /home/rrdcache 
cdat  226  Cluster Data Aggregation Tool  /home/cdat 
Contents of "/etc/group":

Sequence: 273  - Command: grep -v # /etc/group

Groupname  Passwd  GID  Members 
system  root,sshd,esaadmin,ga0112,co1217,pconsole,nagios,postgres 
staff  ipsec,keytest,was,ga0112,esaadmin,andrew,mqm,andrew2,radiusd,idsldap,www,w 
bin  root,bin,uptime 
sys  root,bin,sys 
adm  bin,adm,uptime 
mail   
security  root 
cron  root 
printq  lp 
audit  10  root 
lp  11  root,lp 
invscout  12  invscout 
snapp  13  snapp 
pconsole  14  pconsole 
sshd  15  sshd 
dbsysadm  16  root,ldapdb2 
perf  20   
shutdown  21   
ecs  28   
usr  100   
sftp  125   
ipsec  200   
wasgrp  201  was,co1217 
mqm  202  mqm,root 
radiusd  203  radiusd 
ptsc  204   
idsldap  205  idsldap,root,ldapdb2,idsinst 
www  206  www,wwwadm 
nobody  4294967294  nobody,lpd 
nagios  207  nagios 
pmlog  208  pmpolicy 
pmpolicy  209  pmpolicy 
wwwadm  210   
postgres  211  postgres 
dasadm1  101  dasusr1,db2inst1,ldapdb2,idsinst 
db2iadm1  102   
db2fadm1  103  db2fenc1 
mysql  64400  mysql 
wbpriv  88   
rrdcache  218  rrdcache 
Local user GECOS data:

INFO

All users should have some GECOS info

Sequence: 274  - Command: lsuser -a gecos ALL

Username  GECOS 
p520   
tester   
root  Root admin user 
daemon   
bin   
sys   
adm   
PATH statements in "/etc/profile":

INFO

$PATH not set here

PATH statements in "/etc/environment":

Sequence: 276  - Command: grep PATH /etc/environment

PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/java6/jre/bin:/usr/java6/bin:/usr/local/bin:/usr
LOCPATH=/usr/lib/nls/loc
NLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.cat
MANPATH=${MANPATH}:/opt/ibm/director/man
Results of mkpasswd:

Sequence: 277  - Command: mkpasswd -f

/etc/passwd  --->  /etc/passwd.nm.idx
3004-777 	Entries processed: 44

/etc/passwd  --->  /etc/passwd.id.idx
3004-777 	Entries processed: 43

/etc/security/environ  --->  /etc/security/environ.idx
3004-777 	Entries processed: 6

/etc/security/limits  --->  /etc/security/limits.idx
3004-777 	Entries processed: 14

/etc/security/passwd  --->  /etc/security/passwd.idx
3004-777 	Entries processed: 31

/etc/security/lastlog  --->  /etc/security/lastlog.idx
3004-777 	Entries processed: 13

/etc/group  --->  /etc/group.nm.idx
3004-777 	Entries processed: 40

/etc/group  --->  /etc/group.id.idx
3004-777 	Entries processed: 40

/etc/security/group  --->  /etc/security/group.idx
3004-777 	Entries processed: 40

/etc/security/user  --->  /etc/security/user.idx
3004-777 	Entries processed: 45

Results of pwdck:

Sequence: 278  - Command: /usr/bin/pwdck -n ALL

3001-403  Bad line found in /etc/passwd:
"#This is a comment"
3001-414  The stanza for "#This" was not found in /etc/security/passwd.
3001-421  The user "#This" does not have a stanza in /etc/security/user.
3001-402  The user "cdat" has an invalid password field in /etc/passwd.
3001-414  The stanza for "cdat" was not found in /etc/security/passwd.
3001-408  The user "idsldap" has an invalid lastupdate attribute.
3001-402  The user "lpar2rrd" has an invalid password field in /etc/passwd.
3001-414  The stanza for "lpar2rrd" was not found in /etc/security/passwd.
3001-402  The user "mysql" has an invalid password field in /etc/passwd.
3001-414  The stanza for "mysql" was not found in /etc/security/passwd.
3001-402  The user "nagios" has an invalid password field in /etc/passwd.
3001-414  The stanza for "nagios" was not found in /etc/security/passwd.
3001-402  The user "p520" has an invalid password field in /etc/passwd.
3001-414  The stanza for "p520" was not found in /etc/security/passwd.
3001-402  The user "pconsole" has an invalid password field in /etc/passwd.
3001-414  The stanza for "pconsole" was not found in /etc/security/passwd.
3001-408  The user "pmclient" has an invalid lastupdate attribute.
3001-402  The user "radiusd" has an invalid password field in /etc/passwd.
3001-414  The stanza for "radiusd" was not found in /etc/security/passwd.
3001-402  The user "rrdcache" has an invalid password field in /etc/passwd.
3001-414  The stanza for "rrdcache" was not found in /etc/security/passwd.
3001-412  The user "test" was not found in /etc/passwd.
3001-402  The user "tester" has an invalid password field in /etc/passwd.
3001-414  The stanza for "tester" was not found in /etc/security/passwd.
3001-402  The user "user1" has an invalid password field in /etc/passwd.
3001-414  The stanza for "user1" was not found in /etc/security/passwd.
3001-402  The user "www" has an invalid password field in /etc/passwd.
3001-414  The stanza for "www" was not found in /etc/security/passwd.
3001-402  The user "wwwadm" has an invalid password field in /etc/passwd.
3001-414  The stanza for "wwwadm" was not found in /etc/security/passwd.
Results of usrck:

Sequence: 279  - Command: /usr/bin/usrck -n ALL

3001-631 Invalid or missing user name on password line
	#This is a comment.
3001-686 The user name test appears in /etc/security/lastlog
         but not in /etc/passwd.
3001-686 The user name aixguest appears in /etc/security/lastlog
         but not in /etc/passwd.
3001-686 The user name aixuser appears in /etc/security/lastlog
         but not in /etc/passwd.
3001-646 The user name test appears in /etc/security/user
         but not in /etc/passwd.
3001-662 User daemon is locked.
3001-662 User bin is locked.
3001-662 User sys is locked.
3001-662 User adm is locked.
3001-662 User invscout is locked.
3001-662 User esaadmin is locked.
3001-662 User lpd is locked.
3001-662 User sshd is locked.
3001-662 User lp is locked.
3001-662 User snapp is locked.
3001-662 User ipsec is locked.
3001-662 User keytest is locked.
3001-662 User mqm is locked.
3001-658 User andrew2 has an invalid
         authentication grammar "KRB5files".
3001-659 User andrew2 has an invalid
         authentication registry "KRB5files".
3001-661 There have been too many invalid login attempts by user andrew2.
3001-662 User radiusd is locked.
3001-662 User sftp is locked.
3001-662 User nobody is locked.
3001-648 The user p520 has no stanza in /etc/security/user.
3001-648 The user p520 has no stanza in /etc/security/user.
Results of grpck:

Sequence: 280  - Command: /usr/sbin/grpck -n ALL

None
Failed login attempts (Last 50):

Sequence: 281  - Command: /usr/sbin/acct/fwtmp < /var/adm/wtmp

root pts/1 1412666361 acer-laptop.bluefinch.local Tue Oct 09:19:21 
pts/0 pts/0 Tue Oct 15:27:59 CEST 2014 
pts/1 pts/1 Tue Oct 15:28:01 CEST 2014 
root pts/0 1412761534 acer-laptop.bluefinch.local Wed Oct 11:45:34 
root pts/1 1412767937 acer-laptop.bluefinch.local Wed Oct 13:32:17 
pts/1 pts/1 Wed Oct 17:12:58 CEST 2014 
pts/0 pts/0 Wed Oct 17:15:56 CEST 2014 
root pts/0 1412832426 acer-laptop.bluefinch.local Thu Oct 07:27:06 
root pts/1 1412833146 acer-laptop.bluefinch.local Thu Oct 07:39:06 
pts/1 pts/1 Thu Oct 16:48:29 CEST 2014 
pts/0 pts/0 Thu Oct 16:50:25 CEST 2014 
root pts/0 1412926640 fedora18_vm Fri Oct 10 09:37:20 
root pts/1 1412928880 fedora18_vm Fri Oct 10 10:14:40 
pts/1 pts/1 Fri Oct 10 15:44:19 CEST 2014 
pts/0 pts/0 Fri Oct 10 15:44:29 CEST 2014 
root pts/0 1412960331 fedora18_vm Fri Oct 10 18:58:51 
pts/0 pts/0 Fri Oct 10 19:00:19 CEST 2014 
shutdown lft0 Fri Oct 10 19:00:19 CEST 2014 
root pts/0 1413362805 acer-laptop.bluefinch.local Wed Oct 15 10:46:45 
pts/0 pts/0 Wed Oct 15 11:55:52 CEST 2014 
root pts/0 1413368760 acer-laptop.bluefinch.local Wed Oct 15 12:26:00 
root pts/1 1413368854 acer-laptop.bluefinch.local Wed Oct 15 12:27:34 
pts/0 pts/0 Wed Oct 15 16:34:43 CEST 2014 
pts/1 pts/1 Wed Oct 15 16:34:48 CEST 2014 
root pts/0 1413437303 acer-laptop.bluefinch.local Thu Oct 16 07:28:23 
root pts/1 1413439262 acer-laptop.bluefinch.local Thu Oct 16 08:01:02 
pts/1 pts/1 Thu Oct 16 15:38:39 CEST 2014 
pts/0 pts/0 Thu Oct 16 15:38:41 CEST 2014 
root pts/0 1413523259 acer-laptop.bluefinch.local Fri Oct 17 07:20:59 
root pts/1 1413526915 acer-laptop.bluefinch.local Fri Oct 17 08:21:55 
root pts/2 1413528039 acer-laptop.bluefinch.local Fri Oct 17 08:40:39 
pts/2 pts/2 Fri Oct 17 09:30:07 CEST 2014 
pts/1 pts/1 Fri Oct 17 09:30:33 CEST 2014 
pts/0 pts/0 Fri Oct 17 09:30:38 CEST 2014 
root pts/0 1413550743 acer-laptop.bluefinch.local Fri Oct 17 14:59:03 
root pts/1 1413551994 acer-laptop.bluefinch.local Fri Oct 17 15:19:54 
pts/0 pts/0 Fri Oct 17 16:33:46 CEST 2014 
pts/1 pts/1 Fri Oct 17 16:37:18 CEST 2014 
root pts/0 1413782032 acer-laptop.bluefinch.local Mon Oct 20 07:13:52 
root pts/1 1413782047 acer-laptop.bluefinch.local Mon Oct 20 07:14:07 
root pts/2 1413787341 acer-laptop.bluefinch.local Mon Oct 20 08:42:21 
pts/2 pts/2 Mon Oct 20 10:56:45 CEST 2014 
pts/1 pts/1 Mon Oct 20 10:56:57 CEST 2014 
pts/0 pts/0 Mon Oct 20 10:57:03 CEST 2014 
pts/0 pts/0 acer-laptop.bluefinch.local Mon Oct 20 11:04:54 CEST 
pts/0 pts/0 Mon Oct 20 11:04:55 CEST 2014 
root pts/0 1413795917 acer-laptop.bluefinch.local Mon Oct 20 11:05:17 
pts/0 pts/0 Mon Oct 20 11:11:35 CEST 2014 
root pts/0 1413796321 acer-laptop.bluefinch.local Mon Oct 20 11:12:01 
root pts/1 1413796702 acer-laptop.bluefinch.local Mon Oct 20 11:18:22 
Failed access attempts (Last 50):

WARNING

Failed access attempts could be evidence of an attempted break-in

Sequence: 282  - Command: /usr/sbin/acct/fwtmp < /etc/security/failedlogin

User  Tty  Source 
UNKNOWN_  ssh  12517452  0000  0000  1404476694  laptop 
tester  ssh  5898358  0000  0000  1405318654  laptop 
aixguest  pts/2  10944582  0000  0000  1405331212  p520-aix61.BlueFinch.local 
aixguest  pts/2  10944582  0000  0000  1405331224  p520-aix61.BlueFinch.local 
aixguest  pts/1  7077982  0000  0000  1405331307  p520-aix61.BlueFinch.local 
aixguest  ssh  10944726  0000  0000  1405333468  p520-aix61.bluefinch.local 
aixguest  ssh  11403376  0000  0000  1405338183  fedora18_vm 
aixguest  ssh  7078000  0000  0000  1405342631  p520-aix61.bluefinch.local 
aixguest  ssh  10354818  0000  0000  1405343655  p520-aix61.bluefinch.local 
UNKNOWN_  ssh  6357148  0000  0000  1405348428  p520-aix61.bluefinch.local 
UNKNOWN_  ssh  6357148  0000  0000  1405348435  p520-aix61.bluefinch.local 
UNKNOWN_  ssh  10354872  0000  0000  1405348920  p520-aix61.bluefinch.local 
aixguest  ssh  11075604  0000  0000  1405363929  p520-aix61.bluefinch.local 
aixguest  ssh  11075604  0000  0000  1405363934  p520-aix61.bluefinch.local 
aixguest  ssh  10813628  0000  0000  1405364039  p520-aix61.bluefinch.local 
aixguest  ssh  10813628  0000  0000  1405364046  p520-aix61.bluefinch.local 
aixguest  ssh  10813628  0000  0000  1405364047  p520-aix61.bluefinch.local 
aixguest  ssh  8126558  0000  0000  1405364058  p520-aix61.bluefinch.local 
aixguest  ssh  8126558  0000  0000  1405364060  p520-aix61.bluefinch.local 
UNKNOWN_  ssh  7930072  0000  0000  1405364791  p520-aix61.bluefinch.local 
root  FTP  13566118  0000  0000  1405677169  win-jir4mbrd2a9.bluefinch.local 
aixuser  ssh  11599980  0000  0000  1405925539  p520-aix61.bluefinch.local 
aixuser  ssh  9109514  0000  0000  1405925568  p520-aix61.bluefinch.local 
aixuser  ssh  9109532  0000  0000  1405925628  loopback 
aixguest  ssh  9109610  0000  0000  1405925865  acer-laptop.bluefinch.local 
aixguest  ssh  11796710  0000  0000  1405925928  acer-laptop.bluefinch.local 
aixguest  ssh  11796710  0000  0000  1405925932  acer-laptop.bluefinch.local 
UNKNOWN_  ssh  11599900  0000  0000  1405946781  loopback 
UNKNOWN_  ssh  11599900  0000  0000  1405946793  loopback 
root  ssh  6029530  0000  0000  1407217212  acer-laptop.bluefinch.local 
UNKNOWN_  ssh  11206710  0000  0000  1407935149  win-jir4mbrd2a9.bluefinch.local 
UNKNOWN_  ssh  11206710  0000  0000  1407935154  win-jir4mbrd2a9.bluefinch.local 
UNKNOWN_  ssh  11206710  0000  0000  1407935164  win-jir4mbrd2a9.bluefinch.local 
root  ssh  8323096  0000  0000  1409151320  fedora18_vm 
UNKNOWN_  ssh  14549050  0000  0000  1411536337  acer-laptop.bluefinch.local 
root  ssh  11075674  0000  0000  1411652270  acer-laptop.bluefinch.local 
UNKNOWN_  ssh  16187532  0000  0000  1411708779  acer-laptop.bluefinch.local 
root  ssh  4915422  0000  0000  1411823268  fedora18_vm 
root  lft0  5439652  0000  0000  1411989575  Mon 
UNKNOWN_  ssh  13500590  0000  0000  1412142974  acer-laptop.bluefinch.local 
UNKNOWN_  ssh  13500590  0000  0000  1412142977  acer-laptop.bluefinch.local 
UNKNOWN_  ssh  13500590  0000  0000  1412142983  acer-laptop.bluefinch.local 
UNKNOWN_  ssh  13697190  0000  0000  1412143232  acer-laptop.bluefinch.local 
UNKNOWN_  ssh  13697190  0000  0000  1412143234  acer-laptop.bluefinch.local 
UNKNOWN_  pts/1  13041756  0000  0000  1412143260  acer-laptop.bluefinch.local 
UNKNOWN_  pts/1  13041756  0000  0000  1412143265  acer-laptop.bluefinch.local 
root  pts/2  10092710  0000  0000  1412143376  acer-laptop.bluefinch.local 
root  ssh  11534524  0000  0000  1412143418  acer-laptop.bluefinch.local 
root  ssh  11534530  0000  0000  1412143468  acer-laptop.bluefinch.local 
root  ssh  14221564  0000  0000  1412252747  acer-laptop.bluefinch.local 
Failed access attempts (part-2) (Last 50):

WARNING

Failed access attempts could be evidence of an attempted break-in

Sequence: 1282  - Command: who -s /etc/security/failedlogin

User  Tty  Source 
UNKNOWN_  ssh  12517452  0000  0000  1404476694  laptop 
tester  ssh  5898358  0000  0000  1405318654  laptop 
aixguest  pts/2  10944582  0000  0000  1405331212  p520-aix61.BlueFinch.local 
aixguest  pts/2  10944582  0000  0000  1405331224  p520-aix61.BlueFinch.local 
aixguest  pts/1  7077982  0000  0000  1405331307  p520-aix61.BlueFinch.local 
aixguest  ssh  10944726  0000  0000  1405333468  p520-aix61.bluefinch.local 
aixguest  ssh  11403376  0000  0000  1405338183  fedora18_vm 
aixguest  ssh  7078000  0000  0000  1405342631  p520-aix61.bluefinch.local 
aixguest  ssh  10354818  0000  0000  1405343655  p520-aix61.bluefinch.local 
UNKNOWN_  ssh  6357148  0000  0000  1405348428  p520-aix61.bluefinch.local 
UNKNOWN_  ssh  6357148  0000  0000  1405348435  p520-aix61.bluefinch.local 
UNKNOWN_  ssh  10354872  0000  0000  1405348920  p520-aix61.bluefinch.local 
aixguest  ssh  11075604  0000  0000  1405363929  p520-aix61.bluefinch.local 
aixguest  ssh  11075604  0000  0000  1405363934  p520-aix61.bluefinch.local 
aixguest  ssh  10813628  0000  0000  1405364039  p520-aix61.bluefinch.local 
aixguest  ssh  10813628  0000  0000  1405364046  p520-aix61.bluefinch.local 
aixguest  ssh  10813628  0000  0000  1405364047  p520-aix61.bluefinch.local 
aixguest  ssh  8126558  0000  0000  1405364058  p520-aix61.bluefinch.local 
aixguest  ssh  8126558  0000  0000  1405364060  p520-aix61.bluefinch.local 
UNKNOWN_  ssh  7930072  0000  0000  1405364791  p520-aix61.bluefinch.local 
root  FTP  13566118  0000  0000  1405677169  win-jir4mbrd2a9.bluefinch.local 
aixuser  ssh  11599980  0000  0000  1405925539  p520-aix61.bluefinch.local 
aixuser  ssh  9109514  0000  0000  1405925568  p520-aix61.bluefinch.local 
aixuser  ssh  9109532  0000  0000  1405925628  loopback 
aixguest  ssh  9109610  0000  0000  1405925865  acer-laptop.bluefinch.local 
aixguest  ssh  11796710  0000  0000  1405925928  acer-laptop.bluefinch.local 
aixguest  ssh  11796710  0000  0000  1405925932  acer-laptop.bluefinch.local 
UNKNOWN_  ssh  11599900  0000  0000  1405946781  loopback 
UNKNOWN_  ssh  11599900  0000  0000  1405946793  loopback 
root  ssh  6029530  0000  0000  1407217212  acer-laptop.bluefinch.local 
UNKNOWN_  ssh  11206710  0000  0000  1407935149  win-jir4mbrd2a9.bluefinch.local 
UNKNOWN_  ssh  11206710  0000  0000  1407935154  win-jir4mbrd2a9.bluefinch.local 
UNKNOWN_  ssh  11206710  0000  0000  1407935164  win-jir4mbrd2a9.bluefinch.local 
root  ssh  8323096  0000  0000  1409151320  fedora18_vm 
UNKNOWN_  ssh  14549050  0000  0000  1411536337  acer-laptop.bluefinch.local 
root  ssh  11075674  0000  0000  1411652270  acer-laptop.bluefinch.local 
UNKNOWN_  ssh  16187532  0000  0000  1411708779  acer-laptop.bluefinch.local 
root  ssh  4915422  0000  0000  1411823268  fedora18_vm 
root  lft0  5439652  0000  0000  1411989575  Mon 
UNKNOWN_  ssh  13500590  0000  0000  1412142974  acer-laptop.bluefinch.local 
UNKNOWN_  ssh  13500590  0000  0000  1412142977  acer-laptop.bluefinch.local 
UNKNOWN_  ssh  13500590  0000  0000  1412142983  acer-laptop.bluefinch.local 
UNKNOWN_  ssh  13697190  0000  0000  1412143232  acer-laptop.bluefinch.local 
UNKNOWN_  ssh  13697190  0000  0000  1412143234  acer-laptop.bluefinch.local 
UNKNOWN_  pts/1  13041756  0000  0000  1412143260  acer-laptop.bluefinch.local 
UNKNOWN_  pts/1  13041756  0000  0000  1412143265  acer-laptop.bluefinch.local 
root  pts/2  10092710  0000  0000  1412143376  acer-laptop.bluefinch.local 
root  ssh  11534524  0000  0000  1412143418  acer-laptop.bluefinch.local 
root  ssh  11534530  0000  0000  1412143468  acer-laptop.bluefinch.local 
root  ssh  14221564  0000  0000  1412252747  acer-laptop.bluefinch.local 
Successful logins (Last 50):

Sequence: 1283  - Command: who /var/adm/wtmp | head -50

User  Tty  MM  DD  HH:MM  Source 
root  ftp2949146  Oct  06  21:01  (192.168.1.69) 
root  pts/0  Oct  06  21:05  (192.168.1.69) 
root  ftp4718648  Oct  06  21:17  (192.168.1.69) 
root  pts/1  Oct  06  22:10  (192.168.1.69) 
root  pts/0  Oct  07  16:33  (192.168.1.69) 
sftp  pts/1  Oct  07  16:46  (loopback) 
root  ftp4915454  Oct  07  17:48  (192.168.1.69) 
root  pts/1  Oct  07  17:58  (192.168.1.69) 
root  pts/1  Oct  07  21:59  (192.168.1.69) 
root  pts/0  Oct  10  17:31  (192.168.1.69) 
root  pts/0  Oct  10  20:36  (192.168.1.69) 
root  pts/1  Oct  10  20:44  (192.168.1.69) 
root  pts/2  Oct  10  22:06  (192.168.1.69) 
root  pts/0  Oct  11  14:52  (192.168.1.66) 
root  pts/0  Oct  11  17:01  (192.168.1.66) 
root  pts/0  Oct  11  17:02  (192.168.1.66) 
root  pts/0  Oct  11  18:59  (192.168.1.66) 
root  pts/0  Oct  11  18:59  (192.168.1.66) 
root  pts/1  Oct  11  19:57  (192.168.1.66) 
root  pts/0  Oct  12  21:48  (192.168.1.66) 
root  pts/1  Oct  13  00:07  (192.168.1.66) 
root  lft0  Oct  13  00:34   
root  lft0  Oct  13  01:31   
root  lft0  Oct  13  02:18   
root  lft0  Oct  15  16:15   
root  lft0  Oct  31  13:15   
root  pts/0  Oct  31  13:19  (192.168.1.43) 
root  pts/0  Oct  31  13:25  (192.168.1.55) 
root  lft0  Oct  31  13:51   
root  pts/1  Oct  31  13:52  (localhost) 
root  pts/1  Oct  31  14:33  (192.168.1.43) 
root  pts/2  Oct  31  14:37  (192.168.1.55) 
root  pts/0  Oct  31  14:51  (192.168.1.48) 
root  lft0  Oct  31  15:01   
root  pts/0  Oct  31  15:25  (192.168.1.48) 
root  pts/0  Oct  31  15:27  (192.168.1.48) 
root  pts/0  Oct  31  15:49  (192.168.1.55) 
root  pts/0  Nov  01  11:05  (192.168.1.55) 
root  pts/1  Nov  01  12:49  (192.168.1.55) 
root  pts/1  Nov  01  12:59  (192.168.1.55) 
root  pts/2  Nov  01  13:03  (192.168.1.48) 
root  pts/3  Nov  01  13:07  (192.168.1.48) 
root  pts/3  Nov  01  13:07  (192.168.1.48) 
root  pts/3  Nov  01  13:07  (192.168.1.48) 
root  pts/3  Nov  01  13:21  (192.168.1.48) 
root  pts/3  Nov  01  13:22  (192.168.1.48) 
root  pts/3  Nov  01  13:23  (192.168.1.48) 
root  pts/2  Nov  01  13:25  (192.168.1.48) 
root  pts/2  Nov  01  13:27  (192.168.1.48) 
root  lft0  Nov  01  13:29   
Switch-user/sudo (Last 50):

Sequence: 1284  - Command: tail -50 /var/adm/sulog

SU  Date  Time  OK  Tty  User_to_User 
SU  10/15  17:15  tty??  root-ldapdb2 
SU  10/15  17:15  tty??  root-ldapdb2 
SU  10/15  17:15  tty??  root-ldapdb2 
SU  10/15  17:15  tty??  root-ldapdb2 
SU  10/15  17:15  tty??  root-ldapdb2 
SU  10/15  17:15  tty??  root-db2inst1 
SU  10/15  17:15  tty??  root-db2fenc1 
SU  10/15  17:15  tty??  root-ldapdb2 
SU  10/15  17:15  tty??  root-db2inst1 
SU  10/15  17:15  tty??  root-db2fenc1 
SU  10/15  17:15  tty??  root-ldapdb2 
SU  10/15  17:15  tty??  root-db2inst1 
SU  10/15  17:15  tty??  root-db2fenc1 
SU  10/15  17:15  tty??  root-ldapdb2 
SU  10/15  17:15  tty??  root-db2inst1 
SU  10/15  17:15  tty??  root-db2fenc1 
SU  10/15  17:15  tty??  root-ldapdb2 
SU  10/15  17:15  tty??  root-db2inst1 
SU  10/15  17:15  tty??  root-db2fenc1 
SU  10/15  17:15  tty??  root-ldapdb2 
SU  10/15  17:15  tty??  root-db2inst1 
SU  10/15  17:15  tty??  root-db2fenc1 
SU  10/16  14:00  pts/0  root-was 
SU  10/17  09:51  tty??  root-ldapdb2 
SU  10/17  09:51  tty??  root-ldapdb2 
SU  10/17  09:51  tty??  root-ldapdb2 
SU  10/17  09:51  tty??  root-ldapdb2 
SU  10/17  09:51  tty??  root-ldapdb2 
SU  10/17  09:51  tty??  root-ldapdb2 
SU  10/17  09:51  tty??  root-ldapdb2 
SU  10/17  09:51  tty??  root-ldapdb2 
SU  10/17  09:51  tty??  root-db2inst1 
SU  10/17  09:52  tty??  root-db2fenc1 
SU  10/17  09:52  tty??  root-ldapdb2 
SU  10/17  09:52  tty??  root-db2inst1 
SU  10/17  09:52  tty??  root-db2fenc1 
SU  10/17  09:52  tty??  root-ldapdb2 
SU  10/17  09:52  tty??  root-db2inst1 
SU  10/17  09:52  tty??  root-db2fenc1 
SU  10/17  09:52  tty??  root-ldapdb2 
SU  10/17  09:52  tty??  root-db2inst1 
SU  10/17  09:52  tty??  root-db2fenc1 
SU  10/17  09:52  tty??  root-ldapdb2 
SU  10/17  09:52  tty??  root-db2inst1 
SU  10/17  09:52  tty??  root-db2fenc1 
SU  10/17  09:52  tty??  root-ldapdb2 
SU  10/17  09:52  tty??  root-db2inst1 
SU  10/17  09:52  tty??  root-db2fenc1 
SU  10/20  12:13  pts/1  root-nagios 
SU  10/20  12:14  pts/1  root-ldapdb2 
System role attributes:

Sequence: 283  - Command: lsrole -f ALL

Parameter  Setting 
AccountAdmin:   
authorizations  aix.security.group,aix.security.user 
rolelist   
groups   
visibility 
screens 
dfltmsg  User and Group Account Administration 
msgcat  role_desc.cat 
msgnum 
msgset 
auth_mode  INVOKER 
id 
   
BackupRestore:   
authorizations  aix.fs.manage.backup,aix.fs.manage.restore 
rolelist   
groups   
visibility 
screens 
dfltmsg  Backup and Restore Administration 
msgcat  role_desc.cat 
msgnum 
msgset 
auth_mode  INVOKER 
id 
   
CdatMaster:   
authorizations  aix.fs.manage.change,aix.ras.pureScale,ibm.ps.client.bind 
rolelist   
groups   
visibility 
screens 
dfltmsg   
msgcat   
auth_mode  INVOKER 
id  19 
   
DomainAdmin:   
authorizations  aix.security.kerberos,aix.security.ldap,aix.security.nis,aix.security.pki 
rolelist   
groups   
visibility 
screens 
dfltmsg  Remote Domain Administration 
msgcat  role_desc.cat 
msgnum 
msgset 
auth_mode  INVOKER 
id 
   
FSAdmin:   
authorizations  aix.fs.manage.change,aix.fs.manage.create,aix.fs.manage.debug,aix.fs.manag 
rolelist   
groups   
visibility 
screens 
dfltmsg  File System Administration 
msgcat  role_desc.cat 
msgnum 
msgset 
auth_mode  INVOKER 
id 
   
SecPolicy:   
authorizations  aix.security.audit,aix.security.auth,aix.security.cmd,aix.security.config, 
rolelist   
groups   
visibility 
screens 
dfltmsg  Security Policy Administration 
msgcat  role_desc.cat 
msgnum 
msgset 
auth_mode  INVOKER 
id 
   
SysBoot:   
authorizations  aix.system.boot.create,aix.system.boot.halt,aix.system.boot.info,aix.syste 
rolelist   
groups   
visibility 
screens 
dfltmsg  System Boot Administration 
msgcat  role_desc.cat 
msgnum 
msgset 
auth_mode  INVOKER 
id 
   
SysConfig:   
authorizations  aix.system.boot.create,aix.system.config.bindintcpu,aix.system.config.cons 
rolelist   
groups   
visibility 
screens 
dfltmsg  System Configuration Administration 
msgcat  role_desc.cat 
msgnum  10 
msgset 
auth_mode  INVOKER 
id  10 
   
auditadm:   
authorizations  aix.security.audit,aix.security.user.audit,aix.security.role.audit 
rolelist   
groups   
visibility 
screens 
dfltmsg  Audit Administrator 
msgcat  role_desc.cat 
msgnum  15 
msgset 
auth_mode  INVOKER 
id  16 
   
fsadm:   
authorizations  aix.fs.manage 
rolelist   
groups   
visibility 
screens 
dfltmsg  File System Administrator 
msgcat  role_desc.cat 
msgnum  13 
msgset 
auth_mode  INVOKER 
id  14 
   
isso:   
authorizations  aix.device,aix.fs.chroot,aix.fs.manage.export,aix.fs.stat,aix.network,aix. 
rolelist  DomainAdmin,SecPolicy,SysConfig 
groups   
visibility 
screens 
dfltmsg  Information System Security Officer 
msgcat  role_desc.cat 
msgnum 
msgset 
auth_mode  INVOKER 
id 
   
pcons_andrew:   
authorizations  aix 
rolelist   
groups   
visibility 
screens 
dfltmsg  DO NOT MODIFY: This role is managed by the IBM Systems Director Console fo 
msgcat   
auth_mode  INVOKER 
id  11 
   
pkgadm:   
authorizations  aix.system.install,aix.system.nim 
rolelist   
groups   
visibility 
screens 
dfltmsg  Software Package Administrator 
msgcat  role_desc.cat 
msgnum  16 
msgset 
auth_mode  INVOKER 
id  17 
   
sa:   
authorizations  aix.system.config.acct,aix.system.config.cron,aix.system.config.src,aix.sy 
rolelist  FSAdmin,AccountAdmin 
groups   
visibility 
screens 
dfltmsg  System Administrator 
msgcat  role_desc.cat 
msgnum 
msgset 
auth_mode  INVOKER 
id 
   
secadm:   
authorizations  aix.security.group.change,aix.security.role.assign,aix.security.domains.as 
rolelist   
groups   
visibility 
screens 
dfltmsg  Security Administrator 
msgcat  role_desc.cat 
msgnum  11 
msgset 
auth_mode  INVOKER 
id  12 
   
so:   
authorizations  aix.proc.kill,aix.ras,aix.system.config.init,aix.system.config.wlm 
rolelist  BackupRestore,SysBoot 
groups   
visibility 
screens 
dfltmsg  System Operator 
msgcat  role_desc.cat 
msgnum 
msgset 
auth_mode  INVOKER 
id 
   
svcadm:   
authorizations  aix.system.config.cron,aix.system.config.init,aix.system.config.inittab,ai 
rolelist   
groups   
visibility 
screens 
dfltmsg  Service Administrator 
msgcat  role_desc.cat 
msgnum  14 
msgset 
auth_mode  INVOKER 
id  15 
   
sysop:   
authorizations  aix.system.boot,aix.system.config.diag,aix.system.stat,aix.device.monitor, 
rolelist   
groups   
visibility 
screens 
dfltmsg  System Operator 
msgcat  role_desc.cat 
msgnum  17 
msgset 
auth_mode  INVOKER 
id  18 
   
useradm:   
authorizations  aix.security.user.create.normal,aix.security.user.remove.normal,aix.securi 
rolelist   
groups   
visibility 
screens 
dfltmsg  User Administrator 
msgcat  role_desc.cat 
msgnum  12 
msgset 
auth_mode  INVOKER 
id  13 
   
User roles:

Sequence: 284  - Command: lsuser -a roles root

root roles=
Default user attributes:

Sequence: 285  - Command: grep -p default: /etc/security/user

Parameter  Setting 
default:   
admin   false 
login   true 
su   true 
daemon   true 
rlogin   true 
sugroups   ALL 
admgroups    
ttys   ALL 
auth1   SYSTEM 
auth2   NONE 
tpath   nosak 
umask   77 
expires  
registry   LDAP  
SYSTEM   "KRB5LDAP OR LDAP OR files"  
logintimes    
pwdwarntime   5  
account_locked   false 
loginretries  
histexpire   26 
histsize   4  
minage  
maxage   52 
maxexpired  
minalpha  
minother  
minlen  
mindiff  
maxrepeats  
dictionlist   /etc/security/aixpert/dictionary/English 
pwdchecks    
default_roles    
efs_keystore_access   file 
efs_adminks_access   file 
efs_initialks_mode   admin 
efs_allowksmodechangebyuser   yes 
efs_keystore_algo   RSA_1024 
efs_file_algo   AES_128_CBC 
core_compress   on 
   
Default user limits:

Sequence: 286  - Command: grep -p default: /etc/security/limits

Parameter  Setting 
default:   
fsize   2097151 
core   2097151 
cpu   -1 
data   262144 
rss   65536 
stack   65536 
nofiles   2000 
   
Users with chroot-jail home directories:

Sequence: 287  - Command: lsuser -R files -a gecos home ALL

Username  Jailed Directory 
None   
Users registry and admin status:

Sequence: 288  - Command: lsuser -R files -a admin SYSTEM registry ALL

Username  Admin  System  Registry 
root  true  compat  files 
daemon  true  KRB5LDAP OR LDAP OR files  LDAP 
bin  true  KRB5LDAP OR LDAP OR files  LDAP 
sys  true  KRB5LDAP OR LDAP OR files  LDAP 
adm  true  KRB5LDAP OR LDAP OR files  LDAP 
#This is a comment  false  KRB5LDAP OR LDAP OR files  LDAP 
invscout  true  KRB5LDAP OR LDAP OR files  LDAP 
esaadmin  true  KRB5LDAP OR LDAP OR files  files 
lpd  true  KRB5LDAP OR LDAP OR files  LDAP 
sshd  true  KRB5LDAP OR LDAP OR files  LDAP 
lp  false  KRB5LDAP OR LDAP OR files  LDAP 
co1217  true  KRB5LDAP OR LDAP OR files  LDAP 
pconsole  true  KRB5LDAP OR LDAP OR files  LDAP 
snapp  false  NONE  files 
ipsec  false  KRB5LDAP OR LDAP OR files  LDAP 
keytest  false  KRB5LDAP OR LDAP OR files  LDAP 
was  false  KRB5LDAP OR LDAP OR files  LDAP 
ga0112  true  compat  files 
andrew  false  compat  files 
mqm  false  KRB5LDAP OR LDAP OR files  LDAP 
andrew2  false  KRB5files  KRB5files 
radiusd  false  KRB5LDAP OR LDAP OR files  LDAP 
idsldap  false  KRB5LDAP OR LDAP OR files  LDAP 
www  false  KRB5LDAP OR LDAP OR files  LDAP 
wwwadm  false  KRB5LDAP OR LDAP OR files  LDAP 
ldapdb2  false  compat  files 
sftp  false  KRB5LDAP OR LDAP OR files  LDAP 
nobody  true  KRB5LDAP OR LDAP OR files  LDAP 
nagios  true  KRB5LDAP OR LDAP OR files  LDAP 
pmclient  false  KRB5LDAP OR LDAP OR files  LDAP 
pmpolicy  false  KRB5LDAP OR LDAP OR files  LDAP 
uptime  false  KRB5LDAP OR LDAP OR files  LDAP 
lpar2rrd  false  KRB5LDAP OR LDAP OR files  LDAP 
postgres  true  KRB5LDAP OR LDAP OR files  LDAP 
user1  false  LDAP  LDAP 
dasusr1  false  KRB5LDAP OR LDAP OR files  LDAP 
db2inst1  false  KRB5LDAP OR LDAP OR files  LDAP 
db2fenc1  false  KRB5LDAP OR LDAP OR files  LDAP 
idsinst  false  KRB5LDAP OR LDAP OR files  LDAP 
mysql  false  KRB5LDAP OR LDAP OR files  LDAP 
p520  false  KRB5Afiles  KRB5Afiles 
tester  false  KRB5Afiles  KRB5Afiles 
rrdcache  false  KRB5LDAP OR LDAP OR files  LDAP 
cdat  false  KRB5LDAP OR LDAP OR files  LDAP 
Users with non-standard sugroups:

Sequence: 289  - Command: lsuser -R files -a gecos sugroups ALL

None
Default user login config:

Sequence: 290  - Command: grep -p default: /etc/security/login.cfg

Parameter  Setting 
default:   
sak_enabled   false 
logintimes    
logindisable   10 
logininterval   300 
loginreenable   360 
logindelay   5  
herald   "Unauthorized use of this system is prohibited.\n\rDon't mess with the Fi 
   
Maximum username length:

Sequence: 291  - Command: getconf LOGIN_NAME_MAX

9

INFO

The username length can be increased up to 254 characters (reboot required) using: "chdev -l sys0 -a max_logname=255"

System password algorithm:

Sequence: 292  - Command: grep -p usw: /etc/security/login.cfg

	pwd_algorithm = crypt
User password algorithms:

Sequence: 1292  - Command: egrep -v "^*" /etc/security/pwdalg.cfg

smd5:     
lpa_module   /usr/lib/security/smd5   
     
ssha1:     
lpa_module   /usr/lib/security/ssha   
lpa_options   algorithm  sha1 
     
ssha256:     
lpa_module   /usr/lib/security/ssha   
lpa_options   algorithm  sha256 
     
ssha512:     
lpa_module   /usr/lib/security/ssha   
lpa_options   algorithm  sha512 
     
sblowfish:     
lpa_module   /usr/lib/security/sblowfish   
 

INFO

Legacy password hashing algorithm (pwd_algorithm = crypt) set in "/etc/security/login.cfg": traditional crypt keeps only the first 8 characters of a password and hashes them with DES. Switch the usw stanza to one of the stronger LPA algorithms defined in pwdalg.cfg above (ssha256, ssha512 or sblowfish); existing hashes are only regenerated when each user next changes their password.
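The login.cfg stanzas and pwdalg.cfg above (and methods.cfg and mkuser.default further down) all use AIX's stanza syntax. The following is an added example, not part of the syscheck report or of IBM's tooling, that parses that format without relying on AIX's grep -p and evaluates the two settings reported here: the usw pwd_algorithm against the algorithms pwdalg.cfg defines, and the default stanza's lockout values. The embedded file contents are constructed samples carrying the values shown above (herald shortened); the chsec invocation quoted in the finding is the standard way to change a stanza attribute.

```python
"""Parse AIX stanza files and flag weak login.cfg settings.
Added example; not part of the syscheck report or IBM's tooling."""
import re

# Constructed sample in /etc/security/login.cfg layout, carrying the values the
# report shows above (herald shortened). Comment lines start with '*'.
SAMPLE_LOGIN_CFG = """\
* login.cfg - constructed sample
default:
\tsak_enabled = false
\tlogintimes =
\tlogindisable = 10
\tlogininterval = 300
\tloginreenable = 360
\tlogindelay = 5
\therald = "Unauthorized use of this system is prohibited.\\n\\r"

usw:
\tshells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/usr/bin/ksh93
\tmaxlogins = 32767
\tpwd_algorithm = crypt
"""

# Constructed sample in /etc/security/pwdalg.cfg layout (same stanzas as above).
SAMPLE_PWDALG_CFG = """\
smd5:
\tlpa_module = /usr/lib/security/smd5

ssha512:
\tlpa_module = /usr/lib/security/ssha
\tlpa_options = algorithm=sha512

sblowfish:
\tlpa_module = /usr/lib/security/sblowfish
"""

def parse_stanzas(text):
    """Return {stanza: {attr: value}}. A line 'name:' opens a stanza, indented
    'attr = value' lines belong to it, '*' starts a comment, and surrounding
    double quotes are stripped from values."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        m = re.match(r"^(\S+):\s*$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        attr, _, value = line.strip().partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        stanzas[current][attr.strip()] = value
    return stanzas

# Traditional crypt keeps only the first 8 password characters and uses DES;
# smd5 is salted MD5. Prefer the ssha* or sblowfish LPA modules from pwdalg.cfg.
WEAK_ALGORITHMS = {"crypt", "smd5"}

def check_login_cfg(login, pwdalg):
    """Return (severity, message) findings for parsed login.cfg / pwdalg.cfg."""
    findings = []
    # An absent pwd_algorithm attribute means traditional crypt.
    algo = login.get("usw", {}).get("pwd_algorithm", "crypt")
    if algo in WEAK_ALGORITHMS:
        findings.append(("HIGH", "pwd_algorithm=%s in usw stanza; set a pwdalg.cfg "
                         "algorithm such as ssha512 (chsec -f /etc/security/login.cfg "
                         "-s usw -a pwd_algorithm=ssha512) and force password changes "
                         "so stored hashes are regenerated" % algo))
    elif algo not in pwdalg:
        findings.append(("HIGH", "pwd_algorithm=%s is not defined in pwdalg.cfg" % algo))
    default = login.get("default", {})
    disable = int(default.get("logindisable") or 0)
    if disable == 0:
        findings.append(("MEDIUM", "logindisable=0: a port is never locked after repeated failed logins"))
    if not default.get("herald"):
        findings.append(("LOW", "no login herald (warning banner) configured"))
    return findings

def audit(login_text=SAMPLE_LOGIN_CFG, pwdalg_text=SAMPLE_PWDALG_CFG):
    """Parse both files and return the findings (pass real file contents on a host)."""
    return check_login_cfg(parse_stanzas(login_text), parse_stanzas(pwdalg_text))

if __name__ == "__main__":
    for severity, message in audit():
        print(severity, message)
```

On a real host, feed `open("/etc/security/login.cfg").read()` and `open("/etc/security/pwdalg.cfg").read()` to `audit`; the parser ignores the `*` comment lines that `egrep -v "^*"` in the report was meant to strip.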

User security methods:

Sequence: 293  - Command: cat /usr/lib/security/methods.cfg

Authentication  Program  Options   
       
LDAP:       
program   /usr/lib/security/LDAP     
program_64   /usr/lib/security/LDAP64     
       
NIS:       
program   /usr/lib/security/NIS     
program_64   /usr/lib/security/NIS_64     
       
DCE:       
program   /usr/lib/security/DCE     
       
PAM:       
program   /usr/lib/security/PAM     
       
PAMfiles:       
options   auth  PAM,db  BUILTIN 
       
KRB5:       
program   /usr/lib/security/KRB5     
program_64   /usr/lib/security/KRB5_64     
options   authonly,is_kadmind_compat  no,tgt_verify  no,allow_expired_pwd 
       
KRB5LDAP:       
options   auth  KRB5,db  LDAP 
       
KRB5A:       
program   /usr/lib/security/KRB5A     
program_64   /usr/lib/security/KRB5A_64     
options   authonly,is_kadmind_compat  no,tgt_verify  no 
       
KRB5Afiles:       
options   db  BUILTIN,auth  KRB5A 
program   /usr/lib/security/KRB5A     
program_64   /usr/lib/security/KRB5A_64     
       
User creation defaults:

Sequence: 294  - Command: cat /usr/lib/security/mkuser.default

Parameter  Setting 
user:   
pgrp   staff 
groups   staff 
shell   /usr/bin/ksh 
home   /home/$USER  
auditclasses   general  
   
admin:   
pgrp   system 
groups   system 
shell   /usr/bin/ksh 
home   /home/$USER  
   
Extended user history (timestamps):

Sequence: 295  - Command: grep EXTENDED_HISTORY /etc/environment

Not set
		
User files:

".profile" files:

Sequence: 296  - Command: cat .profile

/etc/security/.profile
/export/eznim/spot/610spot_res/usr/lpp/bos/inst_root/etc/security/.profile
/home/aixguest/.profile
/home/aixuser/.profile
/home/aixuser/.profile#export
/home/andrew/.profile
/home/andrew2/.profile
/home/cdat/.profile
/home/co1217/.profile
/home/dasusr1/.profile
/home/db2fenc1/.profile
/home/db2inst1/.profile
/home/ga0112/.profile
/home/idsinst/.profile
/home/idsldap/.profile
/home/keytest/.profile
/home/ldapdb2/.profile
/home/ldapdb2.save/ldapdb2.save/.profile
/home/lpar2rrd/.profile
/home/mysql/.profile
/home/nagios/.profile
/home/p520/.profile
/home/postgres/.profile
/home/root/.profile
/home/rrdcache/.profile
/home/sshd/.profile
/home/test/.profile
/home/tester/.profile
/home/user1/.profile
/home/was/.profile
/home/www/.profile
/home/wwwadm/.profile
/opt/ihs7/bin/none/.profile
/opt/nagios-plugin/.profile
/usr/lpp/bos/inst_root/etc/security/.profile
/usr/lpp/sysmgt.pconsole/sysmgt.pconsole.rte/6.1.7.0/inst_root/var/adm/pconsole/.profile
/usr/lpp/sysmgt.pconsole/sysmgt.pconsole.rte/6.1.7.1/inst_root/var/adm/pconsole/.profile
/usr/lpp/sysmgt.pconsole/sysmgt.pconsole.rte/6.1.7.15/inst_root/var/adm/pconsole/.profile
/usr/lpp/sysmgt.pconsole/sysmgt.pconsole.rte/6.1.7.2/inst_root/var/adm/pconsole/.profile
/usr/lpp/sysmgt.pconsole/sysmgt.pconsole.rte/6.1.8.0/inst_root/var/adm/pconsole/.profile
/usr/lpp/sysmgt.pconsole/sysmgt.pconsole.rte/6.1.8.15/inst_root/var/adm/pconsole/.profile
/usr/lpp/sysmgt.pconsole/sysmgt.pconsole.rte/6.1.9.0/inst_root/var/adm/pconsole/.profile
/usr/sbin/snapp/.profile
/var/adm/invscout/.profile
/var/adm/pconsole/.profile
/var/chroot00/home/sftp/.profile
/var/esa/.profile
/var/mqm/.profile
/var/opt/quest/qpm4u/pmclient/.profile
/var/opt/quest/qpm4u/pmpolicy/.profile
/var/spool/uucppublic/.profile
		

".kshrc" files:

Sequence: 296  - Command: cat .profile

None found
		

".kshext" files:

Sequence: 296  - Command: cat .profile

None found
		

".bash_profile" files:

Sequence: 296  - Command: cat .profile

/opt/RPM_inst_root/var/lib/postgresql/.bash_profile
/var/lib/postgresql/.bash_profile
		

".bashrc" files:

Sequence: 296  - Command: cat .profile

None found
		

".plan" files:

Sequence: 296  - Command: cat .profile

/home/andrew/.plan
/home/root/.plan
		

".forward" files:

Sequence: 296  - Command: cat .profile

None found
		

".gpg.conf" files:

Sequence: 296  - Command: cat .profile

None found
		

"gpg.conf-2" files:

Sequence: 296  - Command: cat .profile

None found
		

".gnupg" files:

Sequence: 296  - Command: cat .profile

/home/root/.gnupg
		
System allowed shells:
 

INFO

This list should include /bin/false or /usr/bin/false so that chsh can assign a no-login shell. Caveat: daemons that consult the list through getusershell(), ftpd among them, treat any account whose shell appears in it as permitted to log in, so accounts given /bin/false stay reachable through those services unless they are blocked separately (for example by listing them in /etc/ftpusers).


Sequence: 297  - Command: grep -p usw: /etc/security/login.cfg

Contents of USW stanza in "/etc/security/login.cfg":
/bin/sh /bin/bsh /bin/csh /bin/ksh /bin/tsh /bin/ksh93 /usr/bin/sh /usr/bin/bsh /usr/bin/csh /usr/bin/ksh /usr/bin/tsh /usr/bin/ksh93 /usr/bin/rksh /usr/bin/rksh93 /usr/sbin/sliplogin /usr/sbin/snappd
Contents of "/etc/shells":
/bin/csh /bin/ksh /bin/psh /bin/tsh /bin/bsh /usr/bin/csh /usr/bin/ksh /usr/bin/psh /usr/bin/tsh /usr/bin/bsh /opt/freeware/bin/bash /opt/freeware/bin/bash_64
".netrc" files: Home

Sequence: 298  - Command: find / -fstype jfs -o -fstype jfs2 -name .netrc -ls

None found
		
".rhosts" files: Home

Sequence: 299  - Command: find / -name .rhosts

None found
		
System authentication methods "/usr/lib/security/methods.cfg" configuration:

Sequence: 300  - Command: cat /usr/lib/security/methods.cfg

LDAP:       
program   /usr/lib/security/LDAP     
program_64   /usr/lib/security/LDAP64     
NIS:       
program   /usr/lib/security/NIS     
program_64   /usr/lib/security/NIS_64     
       
DCE:       
program   /usr/lib/security/DCE     
PAM:       
program   /usr/lib/security/PAM     
PAMfiles:       
options   auth  PAM,db  BUILTIN 
KRB5:       
program   /usr/lib/security/KRB5     
program_64   /usr/lib/security/KRB5_64     
options   authonly,is_kadmind_compat  no,tgt_verify  no,allow_expired_pwd 
KRB5LDAP:       
options   auth  KRB5,db  LDAP 
KRB5A:       
program   /usr/lib/security/KRB5A     
program_64   /usr/lib/security/KRB5A_64     
options   authonly,is_kadmind_compat  no,tgt_verify  no 
KRB5Afiles:       
options   db  BUILTIN,auth  KRB5A 
program   /usr/lib/security/KRB5A     
program_64   /usr/lib/security/KRB5A_64     
User password history:

Sequence: 301  - Command: lsuser -R files -a ALL

Local username  Password last reset 
#This is a comment   
adm  Mon Oct 20 12:19:04 2014 
   
andrew   
andrew2   
bin   
cdat   
co1217  Mon Oct 20 12:19:05 2014 
   
daemon  Mon Oct 20 12:19:05 2014 
   
dasusr1  Mon Oct 20 12:19:05 2014 
   
db2fenc1  Mon Oct 20 12:19:05 2014 
   
db2inst1  Mon Oct 20 12:19:05 2014 
   
esaadmin  Mon Oct 20 12:19:05 2014 
   
ga0112  Mon Oct 20 12:19:05 2014 
   
idsinst  Mon Oct 20 12:19:05 2014 
   
idsldap  Mon Oct 20 12:19:05 2014 
   
invscout   
ipsec   
keytest   
ldapdb2  Mon Oct 20 12:19:05 2014 
   
lp   
lpar2rrd   
lpd   
mqm  Mon Oct 20 12:19:05 2014 
   
mysql   
nagios   
nobody   
p520   
pconsole   
pmclient  Mon Oct 20 12:19:05 2014 
   
pmpolicy  Mon Oct 20 12:19:05 2014 
   
postgres  Mon Oct 20 12:19:05 2014 
   
radiusd   
root   
rrdcache   
sftp   
snapp  Mon Oct 20 12:19:05 2014 
   
sshd   
sys   
tester   
uptime  Mon Oct 20 12:19:05 2014 
   
user1   
was   
www   
wwwadm   
LDAP users by group:

Sequence: 302  - Command: lsldap -a group cn=netmtsp_sh


Group: Able
Group: Unix_Groups
Current security setting (fpm):

Sequence: 303  - Command: /usr/bin/fpm -l default -c

/usr/lpp/diagnostics/bin/diagela_exec does not have the correct default setting.
/usr/websm/bin/startrefresh does not have the correct default setting.
/usr/sbin/chcons does not have the correct default setting.
/usr/sbin/diag_exec does not have the correct default setting.
/usr/sbin/exec_shutdown does not have the correct default setting.
/usr/sbin/lchlvcopy does not have the correct default setting.
/usr/sbin/lparsetres does not have the correct default setting.
/usr/sbin/lscons does not have the correct default setting.
/usr/sbin/swcons does not have the correct default setting.
/usr/sbin/mtrace does not have the correct default setting.
/usr/bin/confsrc does not have the correct default setting.
/usr/bin/lssrc does not have the correct default setting.
/usr/websm/bin/startrefresh does not have the correct default setting.
		
SUID settings required for default level security:

Sequence: 304  - Command: /usr/bin/fpm -l default -p

/usr/bin/fpm will restore the AIX file permissions to the installed settings and any customized defaults liste
 /usr/bin/fpm -l default -f /var/security/fpm/log/ 
Where  is a previously saved timestamped file representing this system's file permission state at a p
chmod 4550 /usr/lpp/diagnostics/bin/Dctrl
chmod 4550 /usr/lpp/diagnostics/bin/diagTasksWebSM
chmod 0550 /usr/lpp/diagnostics/bin/diagela
chmod 4550 /usr/lpp/diagnostics/bin/diagela_exec
chmod 4555 /usr/lpp/diagnostics/bin/diagrpt
chmod 4550 /usr/lpp/diagnostics/bin/diagrto
chmod 4550 /usr/lpp/diagnostics/bin/utape
chmod 4550 /usr/lpp/diagnostics/bin/uspchrp
chmod 4550 /usr/lpp/diagnostics/bin/update_flash
chmod 4550 /usr/lpp/diagnostics/bin/uesensor
chmod 4550 /usr/lpp/diagnostics/bin/usysident
chmod 4755 /usr/lpp/X11/bin/aixterm
chmod 4755 /usr/lpp/X11/bin/xterm
chmod 4555 /usr/lpp/X11/bin/msmitpasswd
chmod 4755 /usr/lpp/X11/Xamples/bin/xload
chmod 4550 /usr/lib/lpd/digest
chmod 4550 /usr/lib/lpd/rembak
chmod 2555 /usr/lib/lpd/pio/etc/piomkapqd
chmod 4550 /usr/lib/lpd/pio/etc/piomkpq
chmod 4555 /usr/lib/lpd/pio/etc/pioout
chmod 2555 /usr/lib/lpd/piobe
chmod 4555 /usr/lib/trcload
chmod 4755 /usr/lib/perf/libperfstat_updt_dictionary
chmod 4555 /usr/lib/mh/slocal
chmod 4550 /usr/lib/sa/sadc
chmod 4555 /usr/websm/bin/getCommand
chmod 4555 /usr/websm/bin/getShell
chmod 4555 /usr/websm/bin/discover_lvm
chmod 4755 /usr/websm/bin/wsmp
chmod 4555 /usr/websm/bin/wsmlssrc
chmod 4555 /usr/websm/bin/startrefresh
chmod 4550 /usr/sbin/allocp
chmod 4550 /usr/sbin/auditconv
chmod 4555 /usr/sbin/backbyinode
chmod 4550 /usr/sbin/cfgmgr
chmod 4550 /usr/sbin/chcod
chmod 4550 /usr/sbin/chcons
chmod 4550 /usr/sbin/chdev
chmod 4550 /usr/sbin/chpath
chmod 4550 /usr/sbin/devinstall
chmod 4550 /usr/sbin/diag_exec
chmod 4550 /usr/sbin/exec_shutdown
chmod 4555 /usr/sbin/format
chmod 4555 /usr/sbin/fuser
chmod 4550 /usr/sbin/getlvcb
chmod 4550 /usr/sbin/getlvname
chmod 4550 /usr/sbin/getvgname
chmod 4550 /usr/sbin/grpck
chmod 4550 /usr/sbin/ipl_varyon
chmod 2555 /usr/sbin/killall
chmod 4550 /usr/sbin/lchangelv
chmod 4550 /usr/sbin/lchangepv
chmod 4550 /usr/sbin/lchangevg
chmod 4550 /usr/sbin/lchlvcopy
chmod 4550 /usr/sbin/lcreatelv
chmod 4550 /usr/sbin/ldeletelv
chmod 4550 /usr/sbin/ldeletepv
chmod 4550 /usr/sbin/lextendlv
chmod 4550 /usr/sbin/lmigratepp
chmod 4550 /usr/sbin/lmigratelv
chmod 4555 /usr/sbin/lparsetres
chmod 4555 /usr/sbin/lquerylv
chmod 4555 /usr/sbin/lquerypv
chmod 4555 /usr/sbin/lqueryvg
chmod 4555 /usr/sbin/lqueryvgs
chmod 4550 /usr/sbin/lreducelv
chmod 4550 /usr/sbin/lresynclp
chmod 4550 /usr/sbin/lresynclv
chmod 4555 /usr/sbin/lsaudit
chmod 4555 /usr/sbin/lscfg
chmod 4555 /usr/sbin/lscons
chmod 2555 /usr/sbin/lsgroup
chmod 4555 /usr/sbin/lslv
chmod 4555 /usr/sbin/lspath
chmod 4555 /usr/sbin/lspv
chmod 6555 /usr/sbin/lsresource
chmod 4555 /usr/sbin/lsrset
chmod 4555 /usr/sbin/lsslot
chmod 4555 /usr/sbin/lsuser
chmod 4555 /usr/sbin/lsvg
chmod 4555 /usr/sbin/lsvgfs
chmod 4550 /usr/sbin/lvaryoffvg
chmod 4550 /usr/sbin/lvaryonvg
chmod 4550 /usr/sbin/lvgenmajor
chmod 4550 /usr/sbin/lvgenminor
chmod 4550 /usr/sbin/lvrelmajor
chmod 4550 /usr/sbin/lvrelminor
chmod 4550 /usr/sbin/mkdev
chmod 4550 /usr/sbin/mkpath
chmod 4550 /usr/sbin/mklvcopy
chmod 4555 /usr/sbin/mknod
chmod 4550 /usr/sbin/mkpasswd
chmod 4550 /usr/sbin/mkvg
chmod 4555 /usr/sbin/mount
chmod 4550 /usr/sbin/penable
chmod 4550 /usr/sbin/putlvcb
chmod 4550 /usr/sbin/putlvodm
chmod 6550 /usr/sbin/qdaemon
chmod 4550 /usr/sbin/reboot
chmod 4550 /usr/sbin/redefinevg
chmod 4555 /usr/sbin/restbyinode
chmod 4550 /usr/sbin/rmdev
chmod 4550 /usr/sbin/rmgroup
chmod 4550 /usr/sbin/rmpath
chmod 4550 /usr/sbin/rmrole
chmod 4550 /usr/sbin/rmuser
chmod 6550 /usr/sbin/srcd
chmod 6550 /usr/sbin/srcmstr
chmod 4550 /usr/sbin/swap
chmod 4550 /usr/sbin/swapon
chmod 4550 /usr/sbin/swapoff
chmod 4550 /usr/sbin/swcons
chmod 4550 /usr/sbin/switch.prt
chmod 4550 /usr/sbin/synclvodm
chmod 0555 /usr/sbin/umountall
chmod 4550 /usr/sbin/varyonvg
chmod 4550 /usr/sbin/watch
chmod 2550 /usr/sbin/chvirprt
chmod 2550 /usr/sbin/mkvirprt
chmod 2550 /usr/sbin/pac
chmod 2550 /usr/sbin/pioattred
chmod 0550 /usr/sbin/piofontin
chmod 2550 /usr/sbin/piopredef
chmod 2550 /usr/sbin/rmvirprt
chmod 4555 /usr/sbin/entstat.scent
chmod 4555 /usr/sbin/entstat.goent
chmod 4555 /usr/sbin/entstat
chmod 4555 /usr/sbin/entstat.ethchan
chmod 4555 /usr/sbin/portmir
chmod 4555 /usr/sbin/quota
chmod 4555 /usr/sbin/repquota
chmod 4554 /usr/sbin/perf/diag_tool/getschedparms
chmod 4554 /usr/sbin/perf/diag_tool/getvmparms
chmod 4555 /usr/sbin/arp
chmod 4555 /usr/sbin/nfsstat
chmod 4555 /usr/sbin/keyenvoy
chmod 4550 /usr/sbin/snappd
chmod 4554 /usr/sbin/inetd
chmod 4555 /usr/sbin/ndp
chmod 4555 /usr/sbin/netstat
chmod 4554 /usr/sbin/krlogind
chmod 4554 /usr/sbin/route
chmod 4554 /usr/sbin/krshd
chmod 4554 /usr/sbin/rwhod
chmod 6551 /usr/sbin/sendmail_nonssl
chmod 6551 /usr/sbin/sendmail_ssl
chmod 4555 /usr/sbin/sliplogin
chmod 4554 /usr/sbin/talkd
chmod 4555 /usr/sbin/mtrace
chmod 4555 /usr/sbin/rmsock
chmod 4554 /usr/sbin/named8
chmod 4554 /usr/sbin/named9
chmod 4555 /usr/sbin/timedc
chmod 4555 /usr/sbin/frcactrl
chmod 4555 /usr/sbin/lsmcode
chmod 4550 /usr/sbin/acct/accton
chmod 4550 /usr/sbin/diskusg
chmod 2555 /usr/bin/atq
chmod 4555 /usr/bin/capture
chmod 4555 /usr/bin/chcore
chmod 2555 /usr/bin/chfn
chmod 4550 /usr/bin/chgroup
chmod 2555 /usr/bin/chgrpmem
chmod 4550 /usr/bin/chrole
chmod 4550 /usr/bin/chsec
chmod 4550 /usr/bin/chuser
chmod 6555 /usr/bin/confsrc
chmod 2700 /usr/bin/cronadm
chmod 4555 /usr/bin/getconf
chmod 4555 /usr/bin/lscore
chmod 4550 /usr/bin/lssec
chmod 2555 /usr/bin/lssrc
chmod 4555 /usr/bin/mesg
chmod 4550 /usr/bin/mkgroup
chmod 6550 /usr/bin/mkque
chmod 6550 /usr/bin/mkquedev
chmod 4550 /usr/bin/mkrole
chmod 4550 /usr/bin/mkuser
chmod 4555 /usr/bin/pagdel
chmod 4555 /usr/bin/paginit
chmod 4555 /usr/bin/paglist
chmod 2555 /usr/bin/ps
chmod 4555 /usr/bin/pwdadm
chmod 4550 /usr/bin/pwdck
chmod 0550 /usr/bin/pwck
chmod 2550 /usr/bin/refresh
chmod 4555 /usr/bin/rm_mlcache_file
chmod 6550 /usr/bin/rmque
chmod 6550 /usr/bin/rmquedev
chmod 4555 /usr/bin/script
chmod 4555 /usr/bin/setgroups
chmod 4555 /usr/bin/shell
chmod 2555 /usr/bin/smitacl
chmod 2550 /usr/bin/startsrc
chmod 2550 /usr/bin/stopsrc
chmod 4550 /usr/bin/sysck
chmod 4550 /usr/bin/tcbck
chmod 4550 /usr/bin/usrck
chmod 2555 /usr/bin/w
chmod 4550 /usr/bin/sysck_r
chmod 2555 /usr/bin/splp
chmod 4555 /usr/bin/errpt
chmod 4550 /usr/bin/filemon
chmod 4550 /usr/bin/fileplace
chmod 4550 /usr/bin/fileplacej2
chmod 4550 /usr/bin/netpmon
chmod 4555 /usr/bin/chkey
chmod 4555 /usr/bin/yppasswd
chmod 4555 /usr/bin/rdist
chmod 4555 /usr/bin/ruptime
chmod 4555 /usr/bin/rwho
chmod 4555 /usr/bin/traceroute
chmod 4555 /usr/bin/iostat
chmod 2555 /usr/bin/timex
chmod 4555 /usr/bin/vmstat
chmod 6550 /usr/bin/acctctl
chmod 6550 /usr/bin/acctras
chmod 4555 /sbin/helpers/jfs2/backbyinode
chmod 4550 /sbin/helpers/jfs2/diskusg
chmod 4555 /sbin/helpers/jfs2/restbyinode
chmod 4555 /usr/sbin/tsm
chmod 4555 /opt/IBMinvscout/bin/invscoutClient_VPD_Survey
chmod 4555 /opt/IBMinvscout/bin/invscoutClient_PartitionID
chmod 4555 /usr/websm/bin/wsmlssrc
chmod 4555 /usr/websm/bin/startrefresh
chmod 4555 /usr/sbin/invscout
chmod 4755 /usr/websm/bin/wsmp
chmod 4550 /usr/sbin/invscoutd
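As an aid to reading the long chmod list above, here is an added example, not part of the syscheck report or of fpm, that parses lines in that format, picks out the setuid/setgid programs whose "other" execute bit is set (the privileged entry points any local account can run, as opposed to the 4550-style entries restricted to the owning group), and compares each expected mode with the live filesystem without changing anything. The lines embedded in it are a constructed excerpt of the list above.

```python
"""Triage the chmod list that 'fpm -l default -p' prints: which setuid/setgid
programs can any local user execute, and does the filesystem still match?
Added example, not part of the syscheck report or of fpm itself."""
import os
import re
import stat

# Constructed excerpt in the format of the fpm output above.
SAMPLE_FPM_OUTPUT = """\
chmod 4550 /usr/sbin/chdev
chmod 4555 /usr/sbin/mount
chmod 4755 /usr/lpp/X11/bin/xterm
chmod 2555 /usr/bin/ps
chmod 6551 /usr/sbin/sendmail_ssl
chmod 0555 /usr/sbin/umountall
chmod 2700 /usr/bin/cronadm
chmod 4554 /usr/sbin/inetd
"""

def parse_chmod_lines(text):
    """Yield (mode, path) from 'chmod MODE PATH' lines; anything else is ignored."""
    for line in text.splitlines():
        m = re.match(r"^chmod\s+([0-7]{3,4})\s+(\S+)\s*$", line)
        if m:
            yield int(m.group(1), 8), m.group(2)

def classify(mode):
    """Human-readable tags for the bits that matter to an attacker."""
    tags = []
    if mode & stat.S_ISUID:
        tags.append("setuid")
    if mode & stat.S_ISGID:
        tags.append("setgid")
    if mode & stat.S_IXOTH:
        tags.append("world-exec")
    if mode & stat.S_IWOTH:
        tags.append("world-writable")
    return tags

def world_reachable_privileged(text):
    """Return [(path, octal, tags)] for entries that are setuid or setgid AND
    executable by 'other': privileged entry points every local account can
    reach. Group-restricted 4550/2550 entries and 4554 entries (readable but
    not executable by others) are excluded."""
    rows = []
    for mode, path in parse_chmod_lines(text):
        if mode & (stat.S_ISUID | stat.S_ISGID) and mode & stat.S_IXOTH:
            rows.append((path, "%04o" % mode, classify(mode)))
    return rows

def compare_with_filesystem(text):
    """Map each listed path to 'ok', 'missing' or 'drift: <actual octal>' by
    comparing the expected mode with the live filesystem (nothing is changed)."""
    result = {}
    for mode, path in parse_chmod_lines(text):
        try:
            actual = stat.S_IMODE(os.stat(path).st_mode)
        except OSError:
            result[path] = "missing"
            continue
        result[path] = "ok" if actual == mode else "drift: %04o" % actual
    return result

if __name__ == "__main__":
    for path, octal, tags in world_reachable_privileged(SAMPLE_FPM_OUTPUT):
        print(octal, path, ",".join(tags))
```

Run it against the saved output of `fpm -l default -p` (or the full list above) to get the shortlist worth reviewing for local privilege escalation, and `compare_with_filesystem` gives the same drift picture as `fpm -l default -c` but as data you can diff between audits.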
		
Contents of "/etc/hosts.allow": Home

Sequence: 305  - Command: cat /etc/hosts.allow

ALL: LOCAL @some_netgroup
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
telnetd: toto@foo.foobar.edu, [3ffe:302:100::]
sshd: 192.168.
telnetd: 192.168.
nrpe: 192.168.
pop3d: 192.168.
popa3d: 192.168.
impad: 192.168.
sendmail: 192.168.
swat: 192.168.
1234: 192.168.
xntpd: ALL
krshd: ALL
krlogind: ALL
		
Contents of "/etc/hosts.deny": Home

Sequence: 305  - Command: cat /etc/hosts.deny

ALL : ALL : severity auth.info
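To see what the two files above actually decide, here is an added example, not part of the syscheck report or of tcp_wrappers, that evaluates a daemon/client pair with the hosts_access(5) rules: hosts.allow is consulted first, then hosts.deny, and a connection matching neither is allowed. The embedded file contents are constructed excerpts of the ones shown above; NIS netgroups and the KNOWN/UNKNOWN/PARANOID keywords are treated as non-matching because this offline evaluator has no NIS or DNS state. One thing it makes visible: the entry spelled "impad" never matches a daemon called imapd, so with hosts.deny set to ALL : ALL an IMAP connection from 192.168.x.x is refused.

```python
"""Evaluate tcp_wrappers access decisions for a (daemon, client) pair against
hosts.allow and hosts.deny with the matching rules of hosts_access(5).
Added example, not part of the syscheck report or of tcp_wrappers."""
import ipaddress

# Constructed excerpts of the two files as the report shows them.
HOSTS_ALLOW = """\
ALL: LOCAL @some_netgroup
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
telnetd: toto@foo.foobar.edu, [3ffe:302:100::]
sshd: 192.168.
impad: 192.168.
xntpd: ALL
"""
HOSTS_DENY = "ALL : ALL : severity auth.info\n"

def split_fields(line):
    """Split on ':' except inside [...] (IPv6 literals contain colons)."""
    fields, buf, depth = [], [], 0
    for ch in line:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    fields.append("".join(buf))
    return [f.strip() for f in fields]

def parse_rules(text):
    """Return [(daemon_tokens, client_tokens)]; '#' comments and the option
    field (third ':' field, e.g. 'severity auth.info') are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = split_fields(line)
        if len(fields) >= 2:
            rules.append((fields[0].replace(",", " ").split(),
                          fields[1].replace(",", " ").split()))
    return rules

def match_list(toks, item_matches):
    """'a b EXCEPT c d' matches when (a or b) and not (c or d); a second
    EXCEPT binds to the right, as in tcpd."""
    if "EXCEPT" in toks:
        i = toks.index("EXCEPT")
        return match_list(toks[:i], item_matches) and not match_list(toks[i + 1:], item_matches)
    return any(item_matches(t) for t in toks)

def client_matches(pattern, host, addr, ident_user=None):
    """One client pattern against the connecting host name and address."""
    if pattern.startswith("@"):
        return False  # NIS netgroup: not resolvable offline, assumed no match
    if "@" in pattern:  # user@host needs an ident (RFC 1413) lookup result
        user, _, pattern = pattern.partition("@")
        if ident_user != user:
            return False
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in host
    if pattern in ("KNOWN", "UNKNOWN", "PARANOID"):
        return False  # depend on DNS state this evaluator does not model
    try:
        if pattern.startswith("[") and pattern.endswith("]"):
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern[1:-1], strict=False)
        if "/" in pattern:  # net/mask or net/prefixlen
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False
    if pattern.startswith("."):
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern.lower() == host.lower() or pattern == addr

def daemon_matches(pattern, daemon):
    name = pattern.partition("@")[0]  # 'daemon@server' form: compare the name only
    return name in ("ALL", daemon)

def access(daemon, host, addr, ident_user=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: first hosts.allow match grants, then first hosts.deny match
    refuses, otherwise access is granted."""
    for text, verdict in ((allow, True), (deny, False)):
        for dtoks, ctoks in parse_rules(text):
            if match_list(dtoks, lambda t: daemon_matches(t, daemon)) and \
               match_list(ctoks, lambda t: client_matches(t, host, addr, ident_user)):
                return verdict
    return True

if __name__ == "__main__":
    for probe in (("sshd", "ws1.example.net", "192.168.1.9"),
                  ("imapd", "ws1.example.net", "192.168.1.9"),
                  ("sshd", "terminalserver.foobar.edu", "10.0.0.5")):
        print(probe, "allowed" if access(*probe) else "refused")
```

Note that the first two hosts.allow lines are the sample entries shipped with tcp_wrappers; if they are really uncommented on the host, any machine whose reverse lookup ends in .foobar.edu, and any client presenting a dotless host name, is granted every wrapped service.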
		
Contents of "/var/adm/cron/at.allow": Home
 

WARNING

"/var/adm/cron/at.allow" Not found or not readable

Contents of "/var/adm/cron/at.deny": Home

Sequence: 305  - Command: cat /var/adm/cron/at.deny

None
		
Contents of "/var/adm/cron/cron.allow": Home

Sequence: 305  - Command: cat /var/adm/cron/cron.allow

root
lpar2rrd
		
Contents of "/var/adm/cron/cron.deny": Home
 

WARNING

"/var/adm/cron/cron.deny" Not found or not readable

User cron jobs:

User: adm

Sequence: 306  - Command: cat /var/spool/cron/crontabs/*

None
		

User: esaadmin

Sequence: 306  - Command: cat /var/spool/cron/crontabs/*

Mins  Hours  Day of month  Day of week  Month no.  Command 
/usr/esa/sbin/esa_awareness 

User: lpar2rrd

Sequence: 306  - Command: cat /var/spool/cron/crontabs/*

None
		

User: root

Sequence: 306  - Command: cat /var/spool/cron/crontabs/*

Mins  Hours  Day of month  Day of week  Month no.  Command 
11  /usr/bin/errclear -d S,O 30  
12  /usr/bin/errclear -d H 90  
0,5,10,15,20,25,30,35,40,45,50,55  /usr/sbin/dumpctrl -k >/dev/null 2>/dev/null  
15  /usr/lib/ras/dumpcheck >/dev/null 2>&1  
/etc/security/aixpert/bin/cronaudit 
/opt/csm/bin/cfmupdatenode -a 1>/dev/null 2>/dev/null  
/opt/csm/csmbin/cleanup.logs.csp 1>>/var/log/csm/csperror.log 2>>/var/log/c 
/home/root/scripts/run_nmon 
55  23  /var/perf/pm/bin/pmcfg >/dev/null 2>&1 #Enable PM Data Collection  

User: sys

Sequence: 306  - Command: cat /var/spool/cron/crontabs/*

None
		
Jobs scheduled with at:

Sequence: 307  - Command: at -l

None
		
Current user hard limits:
 

INFO

Hard limits cannot be exceeded by this user. To change them, edit "/etc/security/limits" and log out and back in. "stack_hard" and "rss_hard" should not be unlimited for normal users, as they can exhaust the system's resources.

Sequence: 1307  - Command: ulimit -Ha

Setting  Limit 
time(seconds)   unlimited 
file(blocks)   unlimited 
data(kbytes)   unlimited 
stack(kbytes)   4194304 
memory(kbytes)   unlimited 
coredump(blocks)   unlimited 
nofiles(descriptors)   unlimited 
threads(per process)   unlimited 
processes(per user)   unlimited 
List sensitive group membership:

Sequence: 1310  - Command: lsgroup $G

Parameter  Value 
adm:   
id 
admin  true 
users  bin,adm,uptime 
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   
audit:   
id  10 
admin  true 
users  root 
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   
bin:   
id 
admin  true 
users  root,bin,uptime 
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   
cron:   
id 
admin  true 
users  root 
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   
invscout:   
id  12 
admin  true 
users  invscout 
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   
mail:   
id 
admin  true 
users   
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   
printq:   
id 
admin  true 
users  lp 
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   
lp:   
id  11 
admin  true 
users  root,lp 
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   
pconsole:   
id  14 
admin  true 
users  pconsole 
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   
perf:   
id  20 
admin  false 
users   
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   
security:   
id 
admin  true 
users  root 
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   
shutdown:   
id  21 
admin  true 
users   
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   
snapp:   
id  13 
admin  true 
users  snapp 
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   
sshd:   
id  15 
admin  true 
users  sshd 
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   
sys:   
id 
admin  true 
users  root,bin,sys 
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   
system:   
id 
admin  true 
users  root,sshd,esaadmin,ga0112,co1217,pconsole,nagios,postgres 
registry  files 
efs_initialks_mode  admin 
efs_keystore_algo  RSA_1024 
efs_keystore_access  file 
   

Licenced to: BlueFinch BV - sales@bluefinch.nl