29.3 The /etc/default/security Configuration File

We have mentioned this file in connection with HP-UX Trusted Systems. We used it to configure a Password History Database (the PASSWORD_HISTORY_DEPTH parameter). We need to configure HP-UX Trusted Systems in order to use this feature. There are significantly more features available in the /etc/default/security file that do not need Trusted Systems to be configured. Here is a breakdown of the current capabilities:

  1. Allows a user to log in when his home directory is missing.

  2. Provides minimum length of a user password in a Trusted and non-Trusted System.

  3. Affords the ability to disable/enable all non-root logins.

  4. Sets the number of logins allowed per user ID.

  5. Determines the password history depth (need to configure HP-UX Trusted Systems).

  6. Controls which users are allowed to use the su command to change their effective UID to root based on their group membership.

  7. Defines default PATH environment variable when using the su command.

  8. Provides minimum requirements for password structure (needs patch PHCO_24839 or later).

Some of these requirements are simple to understand and, hence, take little explaining. We go through each of them to ensure that we understand their default values.

29.3.1 Allows a user to log in when his home directory is missing

On HP-UX, it has always been the case that if a user's home directory doesn't exist when he logs in, the user is taken to the root (/) directory. This is contrary to many flavors of UNIX that will disallow login access if the user's home directory is missing. The parameter to control this behavior is ABORT_LOGIN_ON_MISSING_HOMEDIR.

This parameter controls login behavior if a user's home directory does not exist. This is applicable only for non-root users.

ABORT_LOGIN_ON_MISSING_HOMEDIR=0: Log in with "/" as the home directory if the user's home directory does not exist.

ABORT_LOGIN_ON_MISSING_HOMEDIR=1: Exit the login session if the user's home directory does not exist.

Default value: ABORT_LOGIN_ON_MISSING_HOMEDIR=0.

29.3.2 Provides minimum length of a user password in a Trusted and non-Trusted System

By default, on HP-UX non-root users have restrictions on the structure of their password, even in a non-trusted environment: six characters with at least two alpha characters and at least one non-alpha character. This parameter controls only the length of the password. We will see later how to control the content of the password.

The MIN_PASSWORD_LENGTH parameter controls the minimum length of new passwords. It is not applicable to the root user on a non-trusted system.

MIN_PASSWORD_LENGTH=N: New passwords must contain at least N characters. For non-trusted systems N can be any value from 6 to 8. For trusted systems N can be any value from 6 to 80.

Default value: MIN_PASSWORD_LENGTH=6.

29.3.3 The ability to disable/enable all non-root logins

There may be times when we want to disable all non-root logins without shutting the system down to single-user mode. In the past, this was difficult on HP-UX; you could temporarily put a default password file in place, meaning that no one could log in because his or her password entry was now missing. This was a clumsy solution. Other versions of UNIX had a simpler solution, such as creating a file called /etc/nologin. Now we can control this behavior via the NOLOGIN configuration parameter.

This parameter controls whether non-root login can be disabled by the /etc/nologin file.

NOLOGIN=0: Ignore the /etc/nologin file and do not exit if the /etc/nologin file exists.

NOLOGIN=1: Display the contents of the /etc/nologin file and exit if the /etc/nologin file exists.

Default value: NOLOGIN=0.

29.3.4 Sets the number of logins allowed per user ID

Sharing user accounts is never a good idea; you can never really tell who deleted a file or made some other mistake while logged in. Even with auditing enabled, you can find out which user ID made the mistake but not the face behind the user ID. One way to combat this is to allow only one login session per user ID.

This parameter controls the number of logins allowed per user. This is applicable only for non-root users.

NUMBER_OF_LOGINS_ALLOWED=0: Any number of logins is allowed per user.

NUMBER_OF_LOGINS_ALLOWED=N: N logins are allowed per user.

Default value: NUMBER_OF_LOGINS_ALLOWED=0.

29.3.5 Determines the password history depth (need to configure Trusted Systems)

When we implement password aging, we are trying to ensure that passwords are changed on a regular basis, in case an unauthorized user guesses or gains access to a user password. Allowing users to flip between two passwords lessens the quality of such a strategy. By default, on HP-UX that is exactly what a user could do.

The PASSWORD_HISTORY_DEPTH parameter controls the password history depth. A new password is checked against a number of most recently used passwords stored in password history for a particular user. A user is not allowed to reuse a previously used password.

PASSWORD_HISTORY_DEPTH=N: A new password is checked against only the N most recently used passwords for a particular user.

A configuration of PASSWORD_HISTORY_DEPTH=2 prevents users from alternating between two passwords. The maximum password history depth supported is 10, and the minimum password history depth supported is 1. A depth configuration of more than 10 will be treated as 10, and a depth configuration of less than 1 will be treated as 1.

The password history depth is configured on a system basis and is supported in Trusted Systems for users in a files repository only. This feature does not support the users in NIS or NIS+ repositories. Once the feature is enabled, all the users on the system are subject to the same check. If this parameter is not configured, the password history check feature is automatically disabled. When the feature is disabled, the password history check depth is set to 1.

A password change is subject to all the other rules for a new password, including a check with the current password.

Default value: PASSWORD_HISTORY_DEPTH=1.

29.3.6 Controls which users are allowed to use the su command to change their effective UID to root based on their group membership

We may want to restrict the ability of a user to successfully use the su command to change their effective UID to root, based on their group membership. We could set up a special group in /etc/group and add the appropriate users to it. In this way, only those users would be allowed to successfully use the su command to change their effective UID to root.

This parameter defines the root group name for the su command.

SU_ROOT_GROUP=group_name: The root group name is set to the specified symbolic group name. The su command enforces the restriction that a non-superuser must be a member of the specified root group in order to be allowed to successfully use the su command to change their effective UID to root. This does not alter password checking.

Default value: If this parameter is not defined or if it is commented out, there is no default value. In this case, a non-superuser is allowed to use the su command to change their effective UID to root without being bound by root group restrictions.

29.3.7 Defines default PATH environment variable when using the su command

This parameter defines a new default PATH environment value to be set when su is executed.

SU_DEFAULT_PATH=new_PATH: The PATH environment variable is set to new_PATH when the su command is invoked. Other environment values are not changed. The PATH value is not validated. This is applicable only when the "-" option is not used along with the su command.

Default value: PATH is not changed.

29.3.8 Provides minimum requirements for password structure (needs patch PHCO_24839 or later)

Many flavors of UNIX allow an administrator to require a certain format for a user password, i.e., a certain number of uppercase/lowercase letters, numbers, and non-alpha characters. Until the release of this patch, this has been unavailable as a standard feature on HP-UX. At the time of this writing, the patch number is PHCO_27037. If you use the ITRC to download the patch, you can download the most recent version and all associated dependencies. Something to be aware of is that the patch currently does not update the manual page for the security configuration file (man security), so to work out the new features, you need to read the README file from the patch itself:

root@hpeos004[] swlist -a readme PHCO_27037 | more
(SR:8606202873 CR:JAGad72047)
        A site's security policies sometimes require new passwords
        to contain specific numbers or types of characters, such as
        at least two digits and at least one special character.
        Resolution:
        In addition to the standard password requirements,
        optional entries in the file /etc/default/security specify
        the minimum number of required characters of each type
        (upper case characters, lower case characters, digits
        and special characters) in a new password.

        PASSWORD_MIN_UPPER_CASE_CHARS=N
        PASSWORD_MIN_LOWER_CASE_CHARS=N
        PASSWORD_MIN_DIGIT_CHARS=N
        PASSWORD_MIN_SPECIAL_CHARS=N

        The default value for N is 0. These parameters have
        effect only when a password is changed. On untrusted
        systems, these parameters do not apply to the root user.
        The file /etc/default/security should be owned by root and
        have 0644 permissions.

        As an example, to require passwords at least 8 characters
        long, composed of at least 5 upper case characters, 2
        lower case characters and a digit, include the following
        lines in /etc/default/security, as specified above:

        PASSWORD_MIN_UPPER_CASE_CHARS=5
        PASSWORD_MIN_LOWER_CASE_CHARS=2
        PASSWORD_MIN_DIGIT_CHARS=1

I won't attempt to expand on this description because I think it is complete in itself, but I will show you an example:

root@hpeos004[] cat /etc/default/security
PASSWORD_HISTORY_DEPTH=3
PASSWORD_PASSWORD_LENGTH=11
PASSWORD_MIN_UPPER_CASE_CHARS=5
PASSWORD_MIN_LOWER_CASE_CHARS=3
PASSWORD_MIN_DIGIT_CHARS=2
PASSWORD_MIN_SPECIAL_CHARS=1
root@hpeos004[]
root@hpeos004[] passwd fred
Changing password for fred
Last successful password change for fred: Sat Oct  4 17:13:19 2003
Last unsuccessful password change for fred: NEVER
Do you want (choose one letter only):
        pronounceable passwords generated for you (g)
        a string of characters generated (c) ?
        a string of letters generated (l) ?
        to pick your passwords (p) ?
Enter choice here: p
New password:
The password entered is not valid.
Valid passwords must contain at least:
          5 upper case character(s),
          3 lower case charcter(s),
          2 digit(s), and
          1 special character(s).
New password:

Although this example is on a Trusted System, the same rules apply to non-root users on a non-Trusted System.
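As an added example (not code from the book or from HP-UX), here are the checks described in 29.3.5 and 29.3.8 in Python: a parser for the PARAM=value format of /etc/default/security, the documented clamping of PASSWORD_HISTORY_DEPTH, and the PASSWORD_MIN_* / MIN_PASSWORD_LENGTH structure test that passwd applied in the session above. The sample file contents and the function names are my own.

```python
# Added example (not the book's or HP's code): a parser for the PARAM=value
# format of /etc/default/security, the clamping the chapter documents for
# PASSWORD_HISTORY_DEPTH (unset -> 1, otherwise limited to 1..10), and a
# checker that applies the PASSWORD_MIN_* and MIN_PASSWORD_LENGTH rules to a
# candidate password. The sample text below is constructed for illustration.

# Constructed sample, modelled on the cat /etc/default/security output above.
SAMPLE_CONFIG = """
PASSWORD_HISTORY_DEPTH=12
MIN_PASSWORD_LENGTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=2
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=1
"""

def parse_security(text):
    """Return a dict of PARAM=value lines; '#' comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:                     # lines without '=' are ignored
            conf[key.strip()] = value.strip()
    return conf

def effective_history_depth(conf):
    """PASSWORD_HISTORY_DEPTH as passwd applies it: unset disables the check (1)."""
    raw = conf.get("PASSWORD_HISTORY_DEPTH")
    if raw is None:
        return 1
    return max(1, min(10, int(raw)))   # >10 treated as 10, <1 treated as 1

def check_structure(password, conf):
    """Return the names of the rules a new password fails (empty list = accepted)."""
    classes = {
        "PASSWORD_MIN_UPPER_CASE_CHARS": str.isupper,
        "PASSWORD_MIN_LOWER_CASE_CHARS": str.islower,
        "PASSWORD_MIN_DIGIT_CHARS": str.isdigit,
        "PASSWORD_MIN_SPECIAL_CHARS": lambda c: not c.isalnum(),
    }
    failures = []
    if len(password) < int(conf.get("MIN_PASSWORD_LENGTH", 6)):
        failures.append("MIN_PASSWORD_LENGTH")
    for param, pred in classes.items():
        if sum(1 for c in password if pred(c)) < int(conf.get(param, 0)):
            failures.append(param)
    return failures
```

Running check_structure against a real file means reading /etc/default/security into parse_security first; the example uses the embedded sample so that it runs offline.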



HP-UX CSE(c) Official Study Guide and Desk Reference
Year: 2006
Pages: 434