Empty groups in AIX

[oqurum]

As part of the install of AIX the system creates the following groups which have no user accounts setup

mail, ecs, printq, perf, shutdown, kmem & nogroup

what would be the implications of removing these groups ?

Also our auditors (a hex upon them) are suggesting we should remove the sendmail function from our AIX platforms as the represent a security vulnerability

Has anyone any comments on this - and the best method to remove sendmail










I'M NOT WAVING I'M DROWNING

 

[Chapter11]

Those groups belong with the operating system in much the same way that "bin", "daemon", "sys", and so on are users that are technically unused in the user sense, but need to be there.

As far as removing sendmail, it's probably possible, but I would not say it's a good idea. You can turn it off to prevent it from accepting connections from external machines, but you need it for other OS-related stuff to deliver mail (results of at and cron, for example).

 

[oqurum]

How would you you deny external access to the sendmail process

 

[Chapter11]

Don't leave the sendmail daemon running (and thus listening on port 25).

Mail within the server should work just fine without sendmail running as a daemon listening to the network. You *might* need to cron a job to flush the queue periodically, but I doubt it.