On 5/13/13 7:15:45PM, Patrick Kennedy wrote:
The manual says:
If you are installing ClamAV for the first time, you have to add a new user and group to your system:
# groupadd clamav
# useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
Consult a system manual if your OS has not groupadd and useradd utilities. Don’t forget to lock access to the account!
###
However, I don't know exactly what I should do to lock access to the
account. For Debian or Ubuntu, what would this entail? Thanks for the
pointer...should perhaps add an example of this in the manual to make it
more clear.
~Patrick
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
The Linux authentication system checks the shadow file for the presence
of a "!" character as the first character in the password field (see man
shadow). If it exists the account is considered locked. Anyone who
attempts to "su" to that account will get a warning the account is not
available. Even root. The encrypted password remains if it was there,
but it is unusable. As locks are sometimes temporary there is also a
means to unlock the account without recreating the password.
There are several ways to apply the lock. Check the man page for passwd
and usermod. Examples:
Lock Frank's account:
passwd -l frank
or
usermod -L frank
You can also use vipw -s /etc/shadow and manually add the "!" character.
Not recommended as bad things can happen. You will probably also receive
a warning that you are working on a read-only file.
Depending on your version of Linux you may also see that passwd -l will
put two "!" characters in the password field whereas usermod -L will
place only one. Still works. You need only one to lock the account.
Another similar process allows you to expire an account. This is not the
same as locking the password. See man chage for details. Yet another
control is pam. Your authentication layer can be set to automatically
lock an account after a certain number of failed logins, and also
available is automatic password aging that requires users to change
passwords after a period of time. See more online regarding pam and
pam_tally/pam_tally2. Password length and complexity are also controlled
here.
Despite what you may see, hear, or read about Unix account management,
vi, vim, pico, nano, etc., are not account management tools and should
not be used to make changes to the passwd, shadow, and group files. You
can see if your coworkers have been doing so with the pwck and grpck
tools. On systems that are well monitored for security breach clues this
can set off alarms.
Probably more than you needed to know but not as much as you will need
to know if you expect to do this for a living.
dp
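
Added example, not part of the original thread or the ClamAV manual: a shell function that reads shadow(5)-format lines and reports whether an account's password field carries the leading "!" lock described in the reply above, and separately whether the account expiry field has passed. The function name shadow_lock_state, the state labels and the sample entries (with placeholder hashes) are constructed for illustration.

```sh
#!/bin/sh
# Constructed shadow(5)-format sample; hashes are placeholders, not real.
SAMPLE_SHADOW='clamav:!:15838:0:99999:7:::
frank:!$6$salt$PLACEHOLDER:15838:0:99999:7:::
bob:!!$6$salt$PLACEHOLDER:15838:0:99999:7:::
alice:$6$salt$PLACEHOLDER:15838:0:99999:7:::
carol::15838:0:99999:7:::
dave:$6$salt$PLACEHOLDER:15838:0:99999:7::1:'

# shadow_lock_state USER
# Reads shadow-format lines on stdin and prints one state for USER:
#   EMPTY        password field is empty (no password required)
#   NO_PASSWORD  field is only "!", "!!" or "*": no hash can ever match
#   LOCKED       a hash is present but prefixed with one or more "!"
#   USABLE       a hash is present and not locked
#   ABSENT       no entry for USER
# "+EXPIRED" is appended when field 8 (account expiry, in days since
# 1970-01-01) is set and not in the future. This is independent of the
# password lock, so both are reported.
shadow_lock_state() {
    awk -F: -v user="$1" -v today="$(( $(date +%s) / 86400 ))" '
        $1 != user { next }
        {
            found = 1
            pw = $2
            if (pw == "")                      state = "EMPTY"
            else if (pw == "*" || pw ~ /^!+$/) state = "NO_PASSWORD"
            else if (substr(pw, 1, 1) == "!")  state = "LOCKED"
            else                               state = "USABLE"
            if ($8 + 0 > 0 && $8 + 0 <= today) state = state "+EXPIRED"
            print state
            exit
        }
        END { if (!found) print "ABSENT" }
    '
}

# Demo over the constructed sample. On a live system, as root:
#   getent shadow clamav | shadow_lock_state clamav
for u in clamav frank bob alice carol dave; do
    printf '%-7s %s\n' "$u" \
        "$(printf '%s\n' "$SAMPLE_SHADOW" | shadow_lock_state "$u")"
done
```

EMPTY is the result to act on for a service account such as clamav; USABLE means a password login is still possible until the account is locked with passwd -l or usermod -L.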