search cancel

The purpose of "sisips" user

book

Article ID: 151830

calendar_today

Updated On:

Products

Embedded Security Critical System Protection Critical System Protection Data Center Security Server Advanced Endpoint Protection

Issue/Introduction

Details of the sisips account used in Symantec Data Center Security Agent (DCSSA) such as:

What is the password of sisips user?

Can you login to the system from outside using 'sisips' user?

Resolution

Purpose:

The sisips account is created during the installation progress. The user for all unix DCS agents is a restricted account and without password pre-set. This will prohibit login to the system by sisips user.

By checking the /etc/shadow, the char "!!" stayed at the column of the encrypted password, this means the login is disabled by default.

The purpose of sisips account is to run some agent management and config tools. The privileges of the account is constrained, the administrator must su to sisips from super user such as root.

sisips user cannot start/stop IDS/IPS services.

Setting a password for this account is not recommended. The user is created ONLY for SCSP agent management and running some particular tasks related with the config or management, the login attempt from outside by sisips will be prohibited by default. To summarize:

  1. The sisips user does not have a password, and the account is locked by default. Because of this it cannot be used to log into the box.
  2. You can only -su to the sisips user once you are already logged in as root.
  3. The sisips user is used by sisipsdaemon and sisipsutildaemon (agent utilities) so that they can run under a non-root user. This makes sisips the best option for maintaining agent security while also allowing the current user work on the computer and to communicate over the network ( i.e. with the DCSSA server ).
  4. Also the Agent will run a script if password aging is enabled on a system to stop sisips from getting a password change popup. 

The following are examples relating to this:

Looking at a sample Gather Agent Information,  following is found in the agent_intsall.log

11/10/20 08:54:54: checkPasswordAging: user 'sisips'...

11/10/20 08:54:54: checkPasswordAging: Running /opt/Symantec/sdcssagent/IPS/sisipspasswdage.sh

 

If Password aging is enabled on a unix host, once the password expires,

even though the sisips user account is disabled (no login), it prompts you

to change/set the password.  This can keep the IPS agent from starting up

and will appear OFFLINE.

 

User `sisips` password expires (Jan 11, 2021)**

  (**which is either in weeks or exact date/timestamp depending on OS).

 

Disable password aging for user (sisips)......SUCCESS

 

What this means is that, if the machine has password aging enabled, the sisipspasswdage.sh will need to be run again before the password expires else the scripts that need to su to sisips will not work.