topic Re: /etc/default/security file in Operating System - HP-UX

/etc/default/security file

David Land — Thu, 10 Mar 2005 16:46:47 GMT

I am running HP-UX 11i and I need to implement the password parameter restrictions that are located in the security file. However, I do not see this file in /etc/default directory.

I have a couple of questions on this:

1)Am I able to create the security file with the password parameters I want?

2)Is there any special file format that this needs to be in?

3)If I am able to create it, then do I need to do anything special in order for the system to start using the file?

Re: /etc/default/security file

Steven E. Protter — Thu, 10 Mar 2005 16:50:01 GMT

Attaching a self explanatory example, which will give you a starting point.

Our standard is passwords must be changed every 60 days, can not be changed twice in seven days and require one capital letter and one number, mimimum length, 6 I think.

See the file.

SEP

Re: /etc/default/security file

David Land — Thu, 10 Mar 2005 17:06:57 GMT

That helped. Now is there anything special that I have to do to make the system recognize the file? Or will it take immediate affect after it is created?

Re: /etc/default/security file

Bill Hassell — Thu, 10 Mar 2005 23:06:22 GMT

The details on /etc/default/security are in: man security

What is missing is the fact that there is no error checking and a # anywhere on the line invalidates or turns the entire line into a comment. Here is a heavily documented example file:

# Security file: /etc/default/security
# (man security)

# Features depend on HP-UX rev and patches. Not all features are
# available on older systems.
#
# No error checking, errors are silently ignored
#
# Comments (#) allowed only on separate line,
# no trailing # following a parameter or it
# will invalidate the setting

# Access controls (11.0 and higher)
#################

NOLOGIN=1
NUMBER_OF_LOGINS_ALLOWED=0
ABORT_LOGIN_ON_MISSING_HOMEDIR=0

# Single user mode authorization (11i and non-trusted only)
###########################################################

# Requires root password to get into single user mode
# BOOT_AUTH=1

# Users (besides root) that can boot into single user mode
# BOOT_USERS=bill,jane,joe

# Password controls - Trusted
###################

MIN_PASSWORD_LENGTH=6
PASSWORD_HISTORY_DEPTH=1
PASSWORD_MIN_UPPER_CASE_CHARS=0
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=0

# Non-Trusted or shadow password setup only:
# defaults: MAXDAYS=-1 MINDAYS=0
# These values are rounded to nearest week
# to meet passwd file standards.

# PASSWORD_MAXDAYS=120
# PASSWORD_MINDAYS=7

# WARNDAYS only available in Trusted systems
# PASSWORD_WARNDAYS=7

# Session controls
##################

SU_ROOT_GROUP=suroot
SU_DEFAULT_PATH=/usr/bin:/usr/contrib/bin:
UMASK=022
# SU_KEEP_ENV_VARS=LD_LIBRARY_PATH,SHLIB_PATH,LD_PRELOAD

Changes in this file take effect immediately. The tools that pay attention to the security file always read the file as they startup.

Re: /etc/default/security file

Mark Nieuwboer — Fri, 11 Mar 2005 06:10:36 GMT

Hi,

Its better that you use sam.
go to auditing and security then to system security policies and change what you want to change. It's better to leave the files if you not sure what everything means.

grtz. Mark

Re: /etc/default/security file

David Land — Fri, 11 Mar 2005 09:39:28 GMT

One last question: You can use this /etc/default/security file on a NON-TRUSTED system right? Or do you have to be trusted to make it work?