Solaris valid user accounts

System auditors sometimes ask for a list of accounts that can access a Solaris system. The following procedure will identify these accounts.

1. Disregard non-login accounts in /etc/shadow. These accounts have NP or *LK* in the encrypted password field. Starting with Solaris 9, *LK* accounts cannot execute jobs via cron while NP accounts can.

2. Disregard any commented lines in /etc/shadow.

3. grep for the remaining logins in /etc/passwd, disregarding logins with an invalid login shell such as /dev/null, /bin/false, or /bin/true.

Example command:
# awk -F: '$2 !~ /^NP$|^\*LK\*/ && $1 !~ /^#/ { print $1 }' /etc/shadow | xargs -i grep '^{}:' /etc/passwd | awk -F: '$NF !~ /\/bin\/false|\/bin\/true|\/dev\/null/'
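
The same three steps as a single awk pass that matches login names exactly instead of by substring, so a valid login such as "ops" does not also pull in a non-login account named "sysops". This is an added example, not part of the original page; the function names valid_accounts and make_sample and all sample data are constructed for illustration, and a POSIX awk is assumed (on Solaris, nawk or /usr/xpg4/bin/awk).

```shell
#!/bin/sh
# Added example (not from the original page): steps 1-3 in one awk pass.

# valid_accounts SHADOW PASSWD -> prints login names that can log in
valid_accounts() {
    awk -F: '
        FILENAME == ARGV[1] {                        # shadow-format file
            if ($1 ~ /^#/) next                      # step 2: commented line
            if ($2 == "NP" || $2 ~ /^\*LK\*/) next   # step 1: NP, or *LK* prefix
            ok[$1] = 1
            next
        }
        # passwd-format file: exact login match, then the step 3 shell check
        ($1 in ok) && $NF !~ /^(\/bin\/false|\/bin\/true|\/dev\/null)$/ { print $1 }
    ' "$1" "$2"
}

# make_sample DIR: write constructed sample files; password fields are placeholders
make_sample() {
    cat > "$1/shadow" <<'EOF'
root:PLACEHOLDERHASH1:6445::::::
daemon:NP:6445::::::
lp:*LK*:6445::::::
ops:PLACEHOLDERHASH2:13000::::::
sysops:NP:13000::::::
#olduser:PLACEHOLDERHASH3:13000::::::
svc:PLACEHOLDERHASH4:13000::::::
locked:*LK*PLACEHOLDERHASH5:13000::::::
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
ops:x:100:10:Operator:/export/home/ops:/bin/ksh
sysops:x:101:10:Cron-only account:/export/home/sysops:/bin/ksh
olduser:x:102:10::/export/home/olduser:/bin/ksh
svc:x:103:10:Service:/export/home/svc:/bin/false
locked:x:104:10::/export/home/locked:/bin/ksh
EOF
}

# Demo run on the constructed files
d=$(mktemp -d) && make_sample "$d" && valid_accounts "$d/shadow" "$d/passwd"
rm -rf "$d"
```

On a live system, run it as root with /etc/shadow and /etc/passwd as the two arguments.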


More information:
http://www.securitydocs.com/library/2636

Last modified: 2007/02/15