topic Re: /etc/defaults/security file in Operating System - HP-UX

/etc/defaults/security file

Jeffrey S. Sims — Tue, 26 Mar 2002 02:19:14 GMT

Hello all,

I have a curiosity question which may turn into something useful. I am running HPUX 10.20 (trusted system) and I was reading an HPUX 11i security book (very informative by the way) but anyway, I came across a section on the /etc/defaults/security file to restrict different things on the trusted system.

I was wondering if this is only applicable to HPUX 11i trusted systems and not HPUX 10.20? I looked in the defaults directory and no security file existed but I was wondering if I could create one and it work?

Thanks for any help you can lend. (yes I award points for helpful info, maybe even intriguing info so don't be shy).

Jeff

Re: /etc/defaults/security file

Michael Tully — Tue, 26 Mar 2002 02:42:05 GMT

Hi,

Yes the /etc/defaults/security was introduced in HPUX 11i. There is a write up of it in the system release notes. Here is the link. Look in
the chapter on security.

http://www.docs.hp.com/hpux/onlinedocs/5185-4304/5185-4304.html

There is a man page for these new features,
# man 4 security.

HTH
-Michael

Re: /etc/defaults/security file

S.K. Chan — Tue, 26 Mar 2002 03:05:35 GMT

Basically it's functionality includes ..
1) Ordinary users being able to set all environment variables except PATH and SHELL.
2) Resricted shell users can set environment variables based on what's defined in /etc/defaults/security.
2a) RSH_SECURITY=0 means all variables can be set.
2b) RSH_SECURITY=1,only IFS, HOME, and ENV are restricted.
2c) RSH_SECURITY=2 (default setting) only TERM and DISPLAY are allowed.

If you want this function make sure yo got the appropriate login cumulative patches ..
a) 10.20 PHCO_24267
b) 11.00 PHCO_24083
c) 11.11 PHCO_23900

These patches may be superseeded already.

Re: /etc/defaults/security file

Jeffrey S. Sims — Tue, 26 Mar 2002 03:40:51 GMT

Thanks for the info. I was hoping I would be able to use it with 10.20 but I guess we don't always get what we wish for.

Re: /etc/defaults/security file

David Lodge — Wed, 10 Apr 2002 10:50:39 GMT

Further note on the above: /etc/default/security was actually introduced for HP-UX 11.00 - originally for password history depth. The (IIRC) September 2001 patch bundle added a host more of the 11i /etc/default/security features...

Re: /etc/defaults/security file

Michael Campbell — Wed, 31 Jul 2002 09:51:01 GMT

Folks

Three quick questions:
1) Can I use /etc/defaults/security in HP-UX 11.0?
2) If so, which patches do I need to have installed?
3) Are all the password restrictions available?

Regards

Michael

Re: /etc/defaults/security file

Bill Hassell — Wed, 31 Jul 2002 10:17:45 GMT

As far as 10.20, HP announced the pending obsolescence of 10.20 last year and it became obsolete last month. The last Support Plus patch CD for 10.20 was December 2001. So other than security or Y2K issues, 10.20 is no longer recommended. Note that 11.0 is pretty darn old too, Nov 1997. I would definitely make plans to move to 11i as soon as possible.

For 11.0 systems, you can add patch PHCO_26089 (or replacement if superceeded). Unfortunately, the man page for security was left off the early patches for 11.0--get the details from docs.hp.com by searching for something like PASSWORD_HISTORY_DEPTH which is a pretty unique keyword. Look for the security(4) man page. Or login to any 11i system and type man security.

Re: /etc/defaults/security file

V. V. Ravi Kumar_1 — Wed, 31 Jul 2002 10:31:15 GMT

hi,
iam using it with 11.00 and i have the following entries.

PASSWORD_HISTORY_DEPTH=5
SU_ROOT_GROUP=sysadmin

the first line indicates that a user can not give last 5 passwords when he wants to change.

second entry is user belongs to sysadmin only able to su to root.

i don't know whether it works with 10.x

regds