topic Re: /etc/default/security in Operating System - HP-UX

/etc/default/security

OFC_EDM — Thu, 09 Feb 2006 16:42:02 GMT

Is the use of the /etc/default/security file only for Trusted systems?

Or can I implement this file on a vanilla install of HP-UX 11.11?

Re: /etc/default/security

James R. Ferguson — Thu, 09 Feb 2006 16:50:14 GMT

Hi Kevin:

You can use the 'etc/default/security' file on non-trusted systems.

Regards!

...JRF...

Re: /etc/default/security

Steven E. Protter — Thu, 09 Feb 2006 16:53:25 GMT

Shalom Kevin

No, you can use it to set password requirements for length and complexity and a lot of other cool things that make your system more secure.

Shmuel

Re: /etc/default/security

Steven E. Protter — Thu, 09 Feb 2006 16:53:51 GMT

Shalom Kevin

No, you can use it to set password requirements for length and complexity and a lot of other cool things that make your system more secure.

Don't need to be trusted to be secure.

Shmuel

Re: /etc/default/security

OFC_EDM — Thu, 09 Feb 2006 16:57:50 GMT

Thanks for the replies so far.

I was reading up on the security file and am I correct that it only works for users using the RSH shell?

Re: /etc/default/security

Rick Garland — Thu, 09 Feb 2006 17:00:50 GMT

No - will work for users using the ksh, bsh, csh, bash, etc...

Re: /etc/default/security

James R. Ferguson — Thu, 09 Feb 2006 17:03:33 GMT

Kevin:

As an aside, trusted systems are scheduled to be deprecated upon the release of 11iv3. What we now know as trusted systems features will become standard in that release.

If you are running 11.23 (11iv2), however, you can obtain these features as an add-on:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=StdModSecExt
Regards!

...JRF...

Re: /etc/default/security

OFC_EDM — Thu, 09 Feb 2006 17:05:52 GMT

I tried putting a security file in /etc/default

Made it World readable and root writable.

Put only the following parameter

NUMBER_OF_LOGINS_ALLOWED=1

Should this not allow only 1 login session per user?

I was able to login as many times as I wanted after creating the file.

Is there anything I have to do to make the /etc/default/security file "active"??

Re: /etc/default/security

paolo barila — Thu, 09 Feb 2006 17:33:41 GMT

# man security

Re: /etc/default/security

OFC_EDM — Thu, 09 Feb 2006 17:38:28 GMT

Paolo,

Don't know which man page you're reading. But the MAN page for security on my system only mentions (summarized):

1) create a /etc/default/security file
2) Make it World readable and root Writable.
3) Put in the parameter definitions.

I've done all this and it doesn't seem to do anything. So I'm asking if there's anything else that needs to be done to implement the security file?

Re: /etc/default/security

James R. Ferguson — Thu, 09 Feb 2006 17:53:47 GMT

Hi Kevin:

You need to see:

http://docs.hp.com/en/B2355-60127/security.4.html

Regards!

...JRF...

Re: /etc/default/security

paolo barila — Thu, 09 Feb 2006 17:56:20 GMT

Sorry, I didn't want to be unkind

if you use "ssh" maybe doesn't supports

NUMBER_OF_LOGINS_ALLOWED

try

NOLOGIN

feature

Re: /etc/default/security

paolo barila — Thu, 09 Feb 2006 18:00:28 GMT

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=860549

Re: /etc/default/security

Bill Hassell — Fri, 10 Feb 2006 03:08:00 GMT

The security file has a FEW entries that work on an un-trusted system, but unfortunately, all of the options must be spelled exactly right, and your security patches must be up to date. If an option is not spelled right or there is a trailing # on the line, the line is silently ignored. Attached is sample security file with lots of comments. For a non-Trusted system, these items work OK (with security patches):

NOLOGIN=1
NUMBER_OF_LOGINS_ALLOWED=0
ABORT_LOGIN_ON_MISSING_HOMEDIR=0

You can also implement BOOT_AUTH and BOOT_USERS (but consider consequences if the root password is lost!).

The man page for security gives you the details on the settings.