Friday, October 22, 2004

Limit users with UID 0 accounts to root only

The ONLY superuser account on a machine should be root. Check the UID field in the /etc/passwd file. Sometimes when a hacker attacks a system they will try to leave a way to get back in at a later time. The easiest way is to leave a root account open for them to use from their own system. The command $ grep :0: /etc/passwd will list everyone who has root access. The only user that should show up here is root.

Also, for mission critical systems, do not allow direct root logons except at the console. Only terminals marked as secure in the /etc/ttytab file will allow a user with UID 0 to log on directly. You can also mark a terminal as unsecure; this forces users to log on as their normal user and then su to root.

Tuesday, October 19, 2004

Setting account expiration parameters

All active accounts should have an account expiration set on them. Because sys admins are not in the HR dept, they are not always told when an employee leaves. Using account expirations is a simple way to help prevent loose accounts from staying out there.

It is also a good idea to force users to change their passwords on a regular basis. How regular depends on how important the system they work on is: a user who only has read-only access on a system kept in a secure area should almost never have to change their password, whereas a sys admin who moves from one machine to another should be changing their password often.

Finally, idle accounts should be expired. The less mess hanging around, the fewer opportunities someone has to hack into your system.

You can set account expiration parameters either through the GUI or you can run a script to set the parameters. I will try to have a script set up to check this later this week.
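As an added example (not the script the author planned, and not the blog's own code), here is a small POSIX shell audit covering both entries: it lists UID 0 accounts other than root, testing the UID field explicitly because grep :0: also matches a 0 in the GID field, and lists active accounts in a shadow(5)-format file that have no expiration date. The file paths, sample entries and the run_audit helper are constructed for the example; point the functions at /etc/passwd and /etc/shadow to check a real host.

```shell
#!/bin/sh
# Added example, not the blog's own script: flag UID 0 accounts other than
# root in a passwd(5)-format file, and active accounts with no expiration
# date in a shadow(5)-format file. The UID field is tested explicitly
# because `grep :0:` also matches a 0 in the GID or any other field.

uid0_accounts() {
    # $1 = passwd-format file; prints each login name whose UID field is 0
    awk -F: '$3 == 0 { print $1 }' "$1"
}

extra_uid0() {
    # prints UID 0 accounts other than root (empty output means none)
    uid0_accounts "$1" | grep -vx root || true
}

no_expiry_accounts() {
    # $1 = shadow-format file; prints accounts whose password is not locked
    # ('!' or '*') and whose expiration date (field 8) is empty. root is
    # excluded here (assumption: expiring root would lock out the system).
    awk -F: '$1 != "root" && $2 !~ /^[!*]/ && $8 == "" { print $1 }' "$1"
}

# Constructed sample files standing in for /etc/passwd and /etc/shadow
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ops:x:1001:0:in group 0 only, not UID 0:/home/ops:/bin/sh
toor:x:0:0:unexpected second UID 0 account:/tmp:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/sh
EOF
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholder:12700:0:99999:7:::
daemon:*:12700:0:99999:7:::
alice:$6$placeholder:12700:0:90:7::13000:
bob:$6$placeholder:12700:0:99999:7:::
EOF

run_audit() {
    # print both findings; returns 1 if anything was flagged
    rc=0
    x=$(extra_uid0 "$SAMPLE_PASSWD")
    [ -n "$x" ] && { echo "UID 0 accounts besides root: $x"; rc=1; }
    n=$(no_expiry_accounts "$SAMPLE_SHADOW")
    [ -n "$n" ] && { echo "active accounts with no expiration: $n"; rc=1; }
    return $rc
}
run_audit || echo "audit flagged problems"
```

On the sample data the audit reports toor as a second UID 0 account (ops, which only has GID 0, is correctly ignored) and bob as an active account with no expiration date.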