
PLEASE HELP!! ALL ABOUT ENHANCED SECURITY

SOLVED
Mushy_1
Occasional Advisor


Hi!

We are using Digital Unix V4.0D. I have recently enabled the enhanced security feature and there are several things that I needed to set up. Can anyone help with how to do the ffg settings?

*minimum password length
*maximum signon attempts
*minimum non alpha for passwords
*password history size
*maximum password age ( aging)
*inactivity interval - duration of inactivity after which a user will be logged off auto
*not allow trivial passwords - passwords equal to user ID not allowed

I sure hope someone can help me out. I am very new in the UNIX environment and I really need a helping hand. Any info will be highly appreciated.

Thanks!
Life and Death are in the power of the tongue!
8 REPLIES
Alexey Borchev
Regular Advisor

Re: PLEASE HELP!! ALL ABOUT ENHANCED SECURITY

1) RTFM. You can read Tru64 docs online, starting from the bottom of Tru64 forum page. Try reading:
# man prpasswd
and pressing F1 in account manager :-)

My settings (dictated by corporate policies):
minimum password length = 6, max=8
*maximum signon attempts = 3
*minimum non alpha for passwords
- I am using system-generated pronounceable passwords. I do recommend the feature.
*password history size = 6
*maximum password age ( aging) = 60 days
*inactivity interval - duration of inactivity after which a user will be logged off auto
-it has another meaning! if user did not log in during last <90> days, account will be locked.

Good luck!

The fire follows schedule...
Victor Semaska_3
Esteemed Contributor
Solution

Re: PLEASE HELP!! ALL ABOUT ENHANCED SECURITY

You could use the GUI interface if you have a graphics console.

/usr/bin/X11/dxaccounts -> View -> Local Templates -> default -> Security...

In the 'Account Manager: Security Controls' window there's the 'Turn To' box. Step thru each one and make your settings. There's on-line help that explains each field.

Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
Ann Majeske
Honored Contributor

Re: PLEASE HELP!! ALL ABOUT ENHANCED SECURITY

The GUI was different for V4.0D, so the sequence might be slightly different than Vic's answer.

Ann
Ann Majeske
Honored Contributor

Re: PLEASE HELP!! ALL ABOUT ENHANCED SECURITY

Also, check out the Security manual. Lots of stuff in there.
Mushy_1
Occasional Advisor

Re: PLEASE HELP!! ALL ABOUT ENHANCED SECURITY

Gee! Thanks for your help guys. I have everything set already except for the inactivity interval. I need to set it at 15 mins. However, I do not know which item it is. Can you help me? I'm a bit confused with the descriptions.

Also, can I delete user (not retire) at the account manager? I wanted it removed so it won't appear at the /etc/passwd file. Can I do that? How?
Life and Death are in the power of the tongue!
Alexey Borchev
Regular Advisor

Re: PLEASE HELP!! ALL ABOUT ENHANCED SECURITY

1) If you want to log off a user after 15 min inactivity, there is a special variable in ksh,
TMOUT - inactivity timeout in seconds.
Set it in /usr/users/username/.profile of your users.

2) As far as I know, retire is the only supported way. And it is the right way - because if you remove the user, the audit records about this user will become useless.
I've managed to remove NIS accounts manually from /var/yp/src/prpasswd, but this is UN-supported.
The fire follows schedule...
Victor Semaska_3
Esteemed Contributor

Re: PLEASE HELP!! ALL ABOUT ENHANCED SECURITY

Mushy,

The way I've deleted accounts is by the following:

Remove the entry from TCB:
# /tcb/bin/edauth -r

Edit /etc/passwd and remove the line for :
# /usr/sbin/vipw

Verify that everything is OK:
# /tcb/bin/authck -av

Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
Ann Majeske
Honored Contributor

Re: PLEASE HELP!! ALL ABOUT ENHANCED SECURITY

The capability to delete (rather than retire) an Enhanced Security user account was added to a later version of dxaccounts due to customer demand. Even though, as Alexey pointed out, using it can reduce the security of your system in a variety of ways.

Vic has the correct procedure for deleting users on older versions. Make sure you do the commands in the order he listed; if you reverse them it won't work. You should delete the user's home directory as well and, to retain a reasonable level of security on the system, search all of the disks and remove any files and directories owned by that user before you re-use the uid.

Ann
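
The leftover-file search Ann describes, plus a check that the uid is really free, as an added example that is not part of the original thread. It is plain POSIX sh, `find` and `awk`; the function names, the passwd-file argument and the sample paths in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks to run (as root) before a deleted account's uid is
# handed out again. Nothing here is specific to Tru64 or Enhanced Security.

# Print every file, directory or link still owned by numeric uid $1 under the
# given roots. -xdev keeps find on each root's own filesystem, so name every
# local mount point explicitly; remote mounts are then never walked by accident.
# A numeric uid works even after the account's passwd entry has been removed.
uid_residue() {
    uid=$1; shift
    for root in "$@"; do
        find "$root" -xdev -user "$uid" -print
    done
}

# Print the login names in passwd-format file $2 that still map to uid $1.
uid_in_passwd() {
    awk -F: -v uid="$1" '$3 == uid { print $1 }' "$2"
}

# Return 0 only when uid $1 has no entry in passwd file $2 and owns nothing
# under the listed roots; otherwise explain why on stderr and return 1.
uid_safe_to_reuse() {
    uid=$1; pw=$2; shift 2
    names=$(uid_in_passwd "$uid" "$pw")
    if [ -n "$names" ]; then
        echo "uid $uid is still assigned to: $names" >&2
        return 1
    fi
    left=$(uid_residue "$uid" "$@")
    if [ -n "$left" ]; then
        echo "uid $uid still owns:" >&2
        echo "$left" >&2
        return 1
    fi
    return 0
}

# Constructed usage (uid and mount points are placeholders):
#   uid_safe_to_reuse 4242 /etc/passwd / /usr /var /usr/users
```

Anything it prints should be reviewed and then removed or re-owned before the uid is assigned to a new account, otherwise the new user inherits the old user's files.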