Operating System - HP-UX

Account Lockout after max tries

 
HPAuditor
New Member


Hello all,

I am auditing several HP-UX systems, some newer 11i and a couple of older 11.x. The question is that on the 11i servers I find a /etc/default/security file to locate the Auth_maxtries for failed logins. However, on the 11.x servers the /etc/default/security file does not exist. None of the systems are trusted or using PAM according to the admins. Is there another file which can control the failed login maximum on either the 11.x servers or the 11i servers?

Thank you in advance for assistance.

Steven Schweda
Honored Contributor

Re: Account Lockout after max tries

> [...] some newer 11i and couple older 11.x.

   "11i" is "11.x".  Actual output from "uname -a" might be more helpful
than your interpretation of the version(s).

Bill Hassell
Honored Contributor

Re: Account Lockout after max tries

The marketing terms 11i and 11.x are not meaningful. There are specific HP-UX releases which are summarized here: 

https://en.wikipedia.org/wiki/HP-UX

There are, unfortunately, several different security choices for HP-UX systems with no consistent method to determine features and settings. A basic HP-UX install is loosely called standard security and there is no retry limit or lockout due to bad passwords. The HP-UX system may be converted to a trusted system (Trusted Computing Base or TCB) which has the largest number of choices for authentication and password controls. The system might have the Shadow Password package installed or might have SMSE (Standard Mode Security Extension) installed. 

TCB, Shadow and SMSE do have controls for retry lockout but there are different commands needed to query the setting. While the /etc/default/security file may or may not exist, lack of a common query tool (and validation of settings) makes this file very unreliable. A simple spelling error in the security file will cause the setting to be ignored and the default for the security method to be (silently) ignored. Or the security file could be copied from another system. But the file itself will not change the security environment.

So here is how to identify the 4 security environments:

TCB: has the directory /tcb
Shadow: has the file /etc/shadow
SMSE: userdbget -a

If none of the above work, then the system is Standard security. No lockout due to incorrect passwords.



Bill Hassell, sysadmin
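
The identification steps in the reply above, as an added shell example that is not part of the original thread. The function names, the optional root prefix for dry runs against a constructed directory tree, the `USERDBGET` override, and testing the indicators in the order the reply lists them are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: function names, the
# optional ROOT prefix for dry runs against a constructed tree, the USERDBGET
# override, and first-match-wins in the order the reply lists the indicators.
USERDBGET=${USERDBGET:-userdbget}

# Print tcb, shadow, smse or standard for the host (or for ROOT in a dry run).
# The userdbget probe always queries the live host, even when ROOT is set.
hpux_security_mode() {
    root=${1:-}
    if [ -d "$root/tcb" ]; then                  # TCB: has the directory /tcb
        echo tcb
    elif [ -f "$root/etc/shadow" ]; then         # Shadow: has /etc/shadow
        echo shadow
    elif "$USERDBGET" -a >/dev/null 2>&1; then   # SMSE: userdbget -a works
        echo smse
    else                                         # none of the above
        echo standard
    fi
}

# Print one audit line: the mode, plus a warning when a security file exists
# on a standard-security host, where per the reply no lockout is enforced.
audit_lockout() {
    root=${1:-}
    mode=$(hpux_security_mode "$root")
    secfile="$root/etc/default/security"
    if [ "$mode" = standard ] && [ -f "$secfile" ]; then
        echo "$mode: $secfile present but no lockout is enforced"
    elif [ "$mode" = standard ]; then
        echo "$mode: no lockout due to incorrect passwords"
    else
        echo "$mode: query the retry limit with that environment's own tools"
    fi
}
```

On the host itself, call `audit_lockout` with no argument and record the output next to `uname -a` in the audit notes.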