
Re: How to edit default security file

 
rajesh73
Super Advisor

How to edit default security file

We have received a request to change the password policy, like password age, password max days, password length.

What is the procedure to edit /etc/default/security? After the change, do we need to restart any services?
Bill Hassell
Honored Contributor

Re: How to edit default security file

The security file (/etc/default/security) has existed for many versions of HP-UX and is very badly documented in each release. Also, mistakes in the file, setting options that don't apply to your version, or lines with # anywhere on the line are ignored without comment. The only doc for this file is the man page: security

If you don't have your system set up as a Trusted System, that will be your first task. The majority of the security options are active for Trusted Systems. To see if your system is Trusted, do this:

# ls -ld /tcb

If the /tcb directory is not there, your system is not trusted.

Here is a heavily commented security file that you can use as a starting point:

# Security file: /etc/default/security -- 11.00 and higher only
# Note: the contents of the security file are only meaningful
#       at specific versions of HP-UX and security patches.
#       And at 11.23 2005, a product called
#            "Standard Mode Security Extensions"
#       was created and adds additional security features to a non-Trusted
#       system. So the only accurate documentation as to the working options
#       in the security is: man security

# Comments (#) allowed only on separate line,
#    trailing or imbedded # signs will invalidate the line
###########################################################

# NOLOGIN=1 will enable the no logins allowed policy.
# This prevents *ANY* non-root user from logging in when the file
#   /etc/nologin
# exists.  This file can be anything (including null) but will
# be displayed before auto-logoff. Typically, a message about
# system maintenance is stored there:
#
# SYSTEM ABC IS DOWN FOR MAINTENANCE, BACK at 11am
#
# Remove the file for normal logins.

NOLOGIN=1
NUMBER_OF_LOGINS_ALLOWED=0
ABORT_LOGIN_ON_MISSING_HOMEDIR=0

# Single user mode authorization (11i and non-trusted only)
###########################################################
# Requires root password to get into single user mode (CAREFUL)
#     BOOT_AUTH=1

# Users (besides root) that can boot into single user mode
#     BOOT_USERS=bill,jane,joe

# Password controls - Trusted Systems only
###################

MIN_PASSWORD_LENGTH=6
PASSWORD_HISTORY_DEPTH=1
PASSWORD_MIN_UPPER_CASE_CHARS=0
PASSWORD_MIN_LOWER_CASE_CHARS=0
PASSWORD_MIN_DIGIT_CHARS=0
PASSWORD_MIN_SPECIAL_CHARS=0

# Non-Trusted or shadow password setup only:
# defaults: MAXDAYS=-1 MINDAYS=0 WARNDAYS=0

#    PASSWORD_MAXDAYS=120
#    PASSWORD_MINDAYS=7
#    PASSWORD_WARNDAYS=7

# Session controls
##################

UMASK=022

## SU_ROOT_GROUP=suroot
## SU_DEFAULT_PATH=/usr/bin:/usr/contrib/bin:
#    SU_KEEP_ENV_VARS=LD_LIBRARY_PATH,SHLIB_PATH,LD_PRELOAD


Bill Hassell, sysadmin
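
The reply above warns that a trailing or embedded # invalidates a line and that mistakes are ignored without comment. As an added example (not part of the original post and not an HP-UX tool), this shell check lists the lines that would be silently dropped under that rule and the settings that remain; the function names lint_security and effective_settings and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; lint_security and effective_settings are hypothetical names.
# Assumption (from the post): any "#" on a setting line invalidates it silently.

# Print "<line>:<reason>:<text>" for each suspect line; return 1 if any.
lint_security() {
    awk '
        /^[ \t]*$/ { next }    # blank line
        /^[ \t]*#/ { next }    # comment on its own line
        /#/ { print NR ":embedded-hash:" $0; bad = 1; next }
        # Conservative: indentation or spaces around "=" are flagged too,
        # since the post does not say whether they are tolerated.
        !/^[A-Z][A-Z0-9_]*=[^ \t]*$/ { print NR ":not-NAME=VALUE:" $0; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Print only the settings that survive the checks above.
effective_settings() {
    awk '/^[A-Z][A-Z0-9_]*=[^ \t#]*$/' "$1"
}

# Constructed sample file (not from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Password controls
MIN_PASSWORD_LENGTH=8
PASSWORD_MAXDAYS=120   # rotate every 4 months
PASSWORD_MINDAYS = 7
UMASK=022
EOF
echo "Suspect lines:"
lint_security "$sample" || echo "(fix these before relying on the policy)"
echo "Settings that would take effect:"
effective_settings "$sample"
rm -f "$sample"
```

Running lint_security against /etc/default/security after each edit shows which policy lines would never be applied, which matters because the system itself reports nothing.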