topic Re: Password auditing in Operating System - HP-UX

Password auditing

Gary Hines — Wed, 20 Oct 2004 09:51:25 GMT

Hi, we're currently going through a security audit, and the old /etc/passwd file is not going to make it. To retain our client base, we need to enforce the following two policies and I'm not sure how to do it:
1) Maintain at least the last 4 passwords so that they cannot be duplicated.
2) Lock out account for at least 30 minutes if 6 straight unsuccessful login attempts.

I think the second one can be handled by switching to a trusted system, but I can't find anything on the first.
(By the way, we're running HP-UX 11i). I would appreciate any pointers, program recommendations, ideas, etc.

Re: Password auditing

Scott Palmer_1 — Wed, 20 Oct 2004 09:54:18 GMT

both can be handled by switching to trusted systems. You can also set the complexity of the password. I currently have mine set to disable the account after 5 unsuccessful tries at the password. And It also allows you to set the minimum time between password changes, so i cant change my password 5 times in one day to get back to my original password

Sincerely

--Scott palmer

Re: Password auditing

Sundar_7 — Wed, 20 Oct 2004 09:55:01 GMT

sure, you can achieve both the objectives by converting to a trusted system.

Once the system is converted to a trusted system edit the /etc/default/security file

# vi /etc/default/security
PASSWORD_HISTORY_DEPTH=4
#

This will ensure users will not be allowed to use the last 4 passwords.

Re: Password auditing

Sundar_7 — Wed, 20 Oct 2004 09:57:16 GMT

BTW, as far as the second item goes, you can lock the account after N number of unsuccessful login attempts.

But it will remain locked until you manually unlock the user account. You might have to run a script that checks for the locked accounts and unlock them periodically.

Re: Password auditing

Simon Hargrave — Wed, 20 Oct 2004 09:58:58 GMT

Trusted systems do maintain a password history, so you can implement the first requirement.

On a trusted system, edit /etc/default/security and change PASSWORD_HISTORY_DEPTH as required.

Password history is stored under /tcb/files/auth/system/pwhist

Re: Password auditing

Prashant Zanwar_4 — Wed, 20 Oct 2004 09:59:32 GMT

you can change the system to trusted mode using sam and also you can then edit the password policies as a whole and set them. And the users like root you can select individually later and change them to policy as you wish.

also

/etc/default/security can be like below..

PASSWORD_HISTORY_DEPTH=5
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1

And also check you have all latest security patches installed..

Thanks
Prashant

Re: Password auditing

RAC_1 — Wed, 20 Oct 2004 10:01:11 GMT

Both can be taken care of.

For first, do man security. This file is /etc/default/security. You need to put option, PASSWORD_HISTORY_DEPTH=4

For 2nd requirement, convert to trusted system, the option you are looking for is umaxlntr, so what happens is after so many tries, the account will get locked. Getting it activated will require some scripting.

Check if account is locked(mlock), check is it locked because of unsuccessful logins(mlock), if yes, unlock after checking last unsuccessful login time(ulogint).

Anil

Re: Password auditing

Gary Hines — Wed, 20 Oct 2004 10:04:24 GMT

Thanks to all for the help. I guess it's time to start looking at a trusted system.

Re: Password auditing

Gary Hines — Wed, 20 Oct 2004 10:05:16 GMT

Thanks again!!