Security and User Account Administration. |
Digital Unix provides an optional enhanced security mode that can be used ot bring the system into complience with C2 security guidelines. This provides features such as password shadow files and account and password aging.
CDE provides the capability to automatically lock a server or workstation screen after a defined period of time. This should be implemented on all systems. To modify the settings, go to the CDE configuration menu icon. Select the "Display" icon, and there is a setting on the bottom of the dialog box that allows you to set a lock interval.
If a system does not have enhanced security turned on, users can be added simply by editing the /etc/passwd file and manually creating their home dir, etc. An easier method is to use the "adduser" command. This can be used to automatically create home dirs and copy skeleton files into their home dir. The "usermod" and "groupmod" commands can also be used to modify accounts programatically. There is also a graphical administration utility called "dxaccounts". This program can be used to add, delete, and modify accounts.
If enhanced security is in place, it is best to use the administration
programs to add users rather than to add users by modifying the files by
hand. These programs will automatically modify the various auxilary files
used by enhanced security. When enhanced security is in use, you can also
use the "XIsso" program to add / delete / modify accounts.
When enhanced security is in place, accounts can be locked by an
administrator, or can be automatically locked after X number of invalid
signon attempts. If an account is locked, any attempts to log into the
account or "su" to it, will generate a response saying that the
account is disabled. To unlock an account, you can use either the XIsso
gui, or the dxaccounts gui. I have had better luck using the XIsso gui to
unlock accounts.