| Proactive protection is all about making a system more resistant to security failures. A great number of the items which are used to proactively protect a system are applicable to all hosts in all environments. To help simplify and standardize how these processes are implemented, scripts have been developed by both administrators and security companies. Some of these projects have made their way to becoming products. /etc/default/security A centralized location ( /etc/default/security ) for default security parameters has been created in HP-UX 11i. Currently, the login, password and switch- user processes utilize this information. Each line in the file is treated either as a comment or as configuration information for a given system command or feature. If any parameter is not defined or is commented out in this file, the default behavior detailed below will apply. This file must be world-readable and root-writable. Parameter definitions, valid values, and defaults are defined as follows : -
ABORT_LOGIN_ON_MISSING_HOMEDIR ” This parameter controls login behavior if a non-root user's home directory does not exist. If the parameter is set to one, the login session will exit if the user's home directory does not exist. If it is set to zero, the user will be allowed to log in and his home directory will be set to the root directory (/). The default value is zero. -
MIN_PASSWORD_LENGTH ” This parameter controls the minimum length of new passwords. For nontrusted systems, it can be any value from 6 to 8. It is not applicable to the root user on an untrusted system. For trusted systems, it can be any value from 6 to 80. The default value is 6. -
NOLOGIN ” This parameter controls whether non-root login can be disabled by the /etc/nologin file. If the value is 1, the contents of the file /etc/nologin will be displayed and the root user will not be allowed access. If the value is 0, the presence of the file is ignored. The default value is 0. -
NUMBER_OF_LOGINS_ALLOWED ” This parameter controls the number of logins allowed per user. This is applicable only for non-root users. A value of zero allows unlimited logins. The default value is 0. -
PASSWORD_HISTORY_DEPTH ” This parameter controls the password history depth. A new password is checked only against the number of most recently used passwords stored in password history for a particular user. A user is not allowed to reuse a previously used password. The password history depth configuration is on a system basis and is supported in a trusted system. This feature does not support the users in NIS or NISPLUS repositories. Once the feature is enabled, all the users on the system are subject to the same check. If this parameter is not configured, the password history check feature is automatically disabled. When the feature is disabled, the password history check depth is set to 1. A password change is subject to all of the other rules for a new password, including a check with the current password. The default value is 1. -
SU_ROOT_GROUP ” This parameter defines the root group name for the su command. The root group name is set to the specified symbolic group name. The su command enforces the restriction that a non-superuser must be a member of the specified root group in order to be allowed to switch-user to root. This does not alter password checking. If this parameter is not defined or if it is commented out, there is no default value. In this case, a non-superuser is allowed to switch-user to root without being bound by root group restrictions. -
SU_DEFAULT_PATH ” This parameter defines a new default PATH environment value to be set when one uses the su command. The PATH environment variable is set to the new PATH when the su command is invoked. Other environment values are not changed. The path value is not validated . This is applicable only when the "-" option is not used along with the su command. By default, the path is not changed. Bastille Bastille is a security tool which improves the security of a UNIX system by applying settings to "harden" the operating system. It utilizes a wide variety of reputable sources on UNIX security to define the appropriate settings for configuring daemons, setting operating system parameters, and more. It attempts to provide the most secure, yet usable system possible programmatically. It is available for HP-UX and a variety of Linux systems. Bastille must be run by the root user when the machine is quiet. Bastille uses a "hands on" approach for building a more secure system by allowing the system administrator to make decisions about the security settings for his system. The interactive use of the tool is designed to educate the administrator about security issues involved in each task with online help. Each step is optional and contains a description of the security issues involved. It allows inexperienced system administrators to make appropriate security decisions and trade-offs. From the command-line, Bastille can be run in three different modes: -
bastille “x starts Bastille in the interactive mode, starting the GUI and walking the user through a series of questions. Bastille must be run in this mode on the first execution to create a configuration profile. -
bastille “b runs Bastille in the background, applying a predefined configuration profile from the file /etc/opt/sec_mgmt/bastille/config to the machine. This can be used to reapply a configuration on a system or to apply a configuration onto multiple machines with the same operating system. -
bastille “u resets the system to the state it was in before Bastille was run on the system. Any time a change is made to an operating system or patches are installed, the security lockdown procedure should be performed.  |
