| Issue Number | 3488 |
|---|---|
| Summary | System Security for CIPSFTP |
| Created | 2012-03-15 16:40:16 |
| Issue Type | Bug |
| Submitted By | Englisch, Volker (NIH/NCI) [C] |
| Assigned To | Englisch, Volker (NIH/NCI) [C] |
| Status | Closed |
| Resolved | 2012-03-30 13:01:32 |
| Resolution | Fixed |
| Path | /home/bkline/backups/jira/ocecdr/issue.107816 |
BZISSUE::5183
BZDATETIME::2012-03-15 16:40:16
BZCREATOR::Volker Englisch
BZASSIGNEE::Volker Englisch
BZQACONTACT::Carbie Mendoza
CBIIT reported that several of the user accounts on CIPSFTP have weak passwords. We will need to go through the 305 user accounts on the server, identify the inactive accounts and ensure the active accounts are using strong passwords.
BZDATETIME::2012-03-16 11:56:15
BZCOMMENTOR::Volker Englisch
BZCOMMENT::1
Alan brought up a good point:
Do we know if we are talking about all accounts on
CIPSFTP or are we only talking about shell accounts?
We have 350 account on CIPSFTP. 298 of those are FTP accounts and 52 are
shell accounts. Of those shell accounts only 18 have logged on to the
system (this includes system accounts) meaning that most of the shell
accounts are legacy accounts transferred from the older system and I
would argue that those legacy accounts can be disabled.
Below are all the shell accounts that have been "recently" used.
Login: root Name: root
Last login Mon Dec 19 11:47 (EST) on tty1
Login: tempuser Name: Temporary FTP
Last login Wed Dec 14 17:02 (EST) on pts/0 from 156.40.134.164
Login: sysbackup Name:
Last login Wed Oct 13 14:28 2004 (EDT) on pts/1 from 10.10.10.10
Login: asco Name: Test Vendor
Last login Thu Dec 15 09:36 2005 (EST) on pts/0 from 10.10.10.10
Login: operator Name: Operator Account
Last login Mon Jan 9 17:49 (EST) on pts/1 from 156.40.134.46
Login: firstov Name: firstov
Last login Wed Apr 15 22:23 2009 (EDT) on pts/0 from 10.10.10.10
Login: venglisc Name: Volker Englisch
On since Thu Mar 15 15:10 (EDT) on pts/0 from 156.40.128.229
Login: piyer Name: Perry Iyer
Last login Mon Oct 24 14:56 2005 (EDT) on pts/0 from 172.16.30.230
Login: ramanat Name: Ramanathan Palaniappan
Last login Tue Apr 6 12:32 2010 (EDT) on pts/0 from 156.40.132.185
Login: bkline Name: Bob Kline
Last login Thu Jun 9 18:52 2011 (EDT) on pts/1
Login: ameyer Name: Alan M
Last login Mon Nov 8 16:46 2010 (EST) on pts/1 from 156.40.129.158
Login: rehmertj Name:
Last login Fri Jul 2 10:38 2010 (EDT) on pts/0 from 156.40.129.10
Login: tommy Name:
Last login Fri May 4 10:22 2007 (EDT) on pts/3 from 10.10.10.10
Login: cmendoza Name:
Last login Thu Mar 15 15:56 (EDT) on pts/1 from 156.40.133.71
Login: mvaldez Name: Mauricio Valdez
Last login Wed Dec 14 17:18 (EST) on pts/0 from 156.40.134.164
Login: tchaboj Name: Justin Tchabo
Last login Fri Aug 20 11:07 2010 (EDT) on pts/0 from 10.10.20.105
Login: scuser Name:
Last login Tue Jun 28 14:13 2011 (EDT) on pts/3 from 156.40.130.68
Login: cbiit Name:
Last login Tue Feb 14 14:41 (EST) on pts/0 from 156.40.133.71
BZDATETIME::2012-03-16 12:10:56
BZCOMMENTOR::Volker Englisch
BZCOMMENT::2
Email from Mauricio:
---Original Message
From: Valdez, Mauricio (NIH/NCI) [C]
Sent: Friday, March 16, 2012 12:06 PM
To: bugzilla-daemon@verdi.nci.nih.gov
Cc: Englisch, Volker (NIH/NCI) [C]; Mendoza, Carbelito (NIH/NCI) [C];
vrmeyer@comcast.net; Kline, Robert (NCI)
Subject: RE: [OCECDR-3488] System Security for CIPSFTP
I have not used this system before so I am not sure if replying to this email will communicate this to the entire team.
I agree with Volker that all legacy accounts that have not logged in lately or are not being used should be disabled and that we should focus on the remaining accounts. This will facilitate the task and ensure that we meet the 04/10/2012 deadline. Additionally, can the CDR team modify the password complexity requirements for that system to adhere to NIH standards?
Mauricio Valdez
NCI OCE - Communications Technology Branch
Contractor: Sapient Government Services
Phone: 915-667-9677
BZDATETIME::2012-03-16 12:34:42
BZCOMMENTOR::Volker Englisch
BZCOMMENT::3
(In reply to comment #2)
> Additionally, can the CDR team modify the password complexity
> requirements for that system to adhere to NIH standards?
Does that include the 90 day expiration requirement?
Does that apply for "person" accounts only (excluding accounts used for
system access like the operator account)?
Does this apply for all accounts or shell accounts only?
BZDATETIME::2012-03-16 12:39:05
BZCOMMENTOR::Volker Englisch
BZCOMMENT::4
There are some accounts that have shell access but their home directory has been set to the FTP tree. I am guessing the shell access is incorrect and can be disabled. I did not create these accounts so I don't know if they do need the shell access.
Does anybody know what these are?
netscreen - Netscreen Upload
dcp_user - DCP
rhcusacn - Translational Research Informatics
BZDATETIME::2012-03-16 12:40:30
BZCOMMENTOR::Bob Kline
BZCOMMENT::5
(In reply to comment #4)
> Does anybody know what these are?
> netscreen - Netscreen Upload
> dcp_user - DCP
> rhcusacn - Translational Research Informatics
I don't.
BZDATETIME::2012-03-20 17:48:15
BZCOMMENTOR::Volker Englisch
BZCOMMENT::6
(In reply to comment #3)
> Does this apply for all accounts or shell accounts only?
Carbie or Mauricio:
Were you able to check if the problems reported are for shell accounts
only or for FTP accounts as well?
BZDATETIME::2012-03-21 11:16:28
BZCOMMENTOR::Volker Englisch
BZCOMMENT::7
These are the password Rules according to the 'I forgot My Password' page:
Your new password must be different from 24 previous
passwords.
Your new password must be between 8 and 128 characters long.
Your new password must include characters from at least three of
the following categories:
Uppercase Letters (A-Z)
Lowercase Letters (a-z)
Numerals (0-9)
Special Characters ( ` ~ ! @ # $ % ^ & * - + _ = | \ { } [ ] (): ; "
'
< > , . ? / )
IT Administrators Please Note: Secondary accounts are required to
have
a 15 character password or passphrase.
NCI Users Please Note: You must include one of each of the
four
categories and spaces are NOT allowed.
By the way, aren't local user account passwords limited to 8
characters in Linux?
Strike that. I just changed a password to contain 8 lower case letters
and added the special characters after the 8th character. I was only
able to log on by entering all of the 11 characters I had set.
BZDATETIME::2012-03-21 12:45:35
BZCOMMENTOR::Volker Englisch
BZCOMMENT::8
I have changed the passwords for the operator account and root to follow the NIH requirements but I have not made changes to the system to enforce these requirements. In particular I am not setting up password expiration because I don't want to have to change our publishing programs every 90 days unless I'm told this must be done.
Carbie, Mauricio, Alan, and Bob, could you please confirm that your passwords on CIPSFTP follow the NIH rules (or change the password if it doesn't)?
I will contact Kim Eckley regarding her account which leaves us with
two accounts that need to be addressed:
cbiit
scuser
I did not create these accounts and I don't know what they are used for
or who is using them. Carbie, could you please investigate or should I
just disable the accounts?
All other shell accounts are system accounts:
bin
daemon
ftp
games
lp
man
news
nobody
uucp
BZDATETIME::2012-03-21 13:04:13
BZCOMMENTOR::Volker Englisch
BZCOMMENT::9
(In reply to comment #1)
> Alan brought up a good point:
> Do we know if we are talking about all accounts on
CIPSFTP or are we only
> talking about shell accounts?
----------------------------------------------------------------------
From: Mendoza, Carbelito (NIH/NCI) [C]
Sent: Wednesday, March 21, 2012 10:19 AM
To: Englisch, Volker (NIH/NCI) [C]
Cc: Valdez, Mauricio (NIH/NCI) [C]
Subject: FW: Ticket 0001395968
Volker,
Per Jesse's response below, it looks like it's just the shell accounts.
Thanks,
Carbie Mendoza
BZDATETIME::2012-03-21 13:39:58
BZCOMMENTOR::Bob Kline
BZCOMMENT::10
(In reply to comment #8)
> could you please confirm that your passwords on CIPSFTP follow
the
> NIH rules ...
Mine does.
BZDATETIME::2012-03-22 14:01:57
BZCOMMENTOR::Volker Englisch
BZCOMMENT::11
Attached is the list of user accounts on CIPSFTP as of today.
There are 8 active shell accounts. For 7 of them the password follows the NIH rules. I do not know anything about the account 'scuser'.
All other shell accounts have been disabled and for all FTP accounts I ensured that they are not allowed to log on through a shell.
I think I am done.
Carbie, you may want to request a rescan once we've identified what to
do with the scuser account.
Attachment CIPSFTP_Accounts.xls has been added with description: CIPSFTP User Accounts
BZDATETIME::2012-03-26 10:36:43
BZCOMMENTOR::Volker Englisch
BZCOMMENT::12
User account rhcusacn had been disabled but is an active user.
Attachment CIPSFTP_Accounts.xls has been added with description: CIPSFTP User Accounts
BZDATETIME::2012-03-30 12:52:44
BZCOMMENTOR::Volker Englisch
BZCOMMENT::13
Carbie, please let me know if there is anything else you need me to do or when this has been resolved so that I can close the issue.
BZDATETIME::2012-03-30 13:01:32
BZCOMMENTOR::Volker Englisch
BZCOMMENT::14
Thanks, Carbie!
Closing issue.
---Original Message
From: Mendoza, Carbelito (NIH/NCI) [C]
Sent: Friday, March 30, 2012 12:54 PM
To: Englisch, Volker (NIH/NCI) [C]
Subject: FW: [OCECDR-3488] System Security for CIPSFTP
Please close the ticket, cbiit said that is it good to go.
Thanks,
Carbie Mendoza
| File Name | Posted | User |
|---|---|---|
| CIPSFTP_Accounts.xls | 2012-03-26 10:36:43 | Englisch, Volker (NIH/NCI) [C] |
| CIPSFTP_Accounts.xls | 2012-03-22 14:01:57 | Englisch, Volker (NIH/NCI) [C] |
Elapsed: 0:00:00.000515