System Administration
Qualys scan complains on password history depth on HP-UX 11.31 , what am I missing ?

nnrao1502
Occasional Advisor

Hello HP-UX experts,

I have an 11.31 server, and the shadow file was set up by pwconv ...... /etc/default/security had entries for password history depth and minimum special characters required, but the Qualys scan still complains about both parameters. What is the issue here? Thank you very much in advance. The scan doesn't show if it has an issue with a particular ID.

/ #  grep -i depth /etc/default/security
# Password history depth
PASSWORD_HISTORY_DEPTH=12

/ # grep -i special /etc/default/security
PASSWORD_MIN_SPECIAL_CHARS=2

/ # grep test /etc/shadow
testuser1:YkeyDQSfkD7Xo:17641:1:84:0:90::

4 REPLIES
Patrick Wallek
Honored Contributor

Re: Qualys scan complains on password history depth on HP-UX 11.31 , what am I missing ?

>>but qualys scan still complains on both parameters

What's the message Qualys is giving?  Knowing that could help to diagnose the issue.

Have you contacted Qualys to see what they say?

Bill Hassell
Honored Contributor

Re: Qualys scan complains on password history depth on HP-UX 11.31 , what am I missing ?

If you set up just the shadow password file, then most of the items in the security defaults file are not applicable.

The security file settings have entries that apply to specific security environments.
For password history and other password controls, your system must be converted to a Trusted System.
You can use SAM or SMH to convert the system security to Trusted (recommended best practice).

Be sure to test the settings. HP-UX provides no feedback when settings are spelled incorrectly, have invalid values or (most important) have a # character ANYWHERE on the line. 
This bizarre behavior isn't documented in the man pages and turns perfectly good directives into comments without any warning.

Here is a sample security file with detailed comments about applicability:

# NOTE!!!!!! A newer version of /etc/default/security
# template file may have been installed. Please refer to
# /usr/newconfig/etc/default/security and security(4)
# manual page for the most up-to-date information of
# the supported variables.
#

#####################################################################
#####################################################################
##                                                                 ##
##  Security file: /etc/default/security -- 11.00 and higher only  ##
##                                                                 ##
#####################################################################
#####################################################################

# Note: the contents of the security file settings are version
#       specific.  See the man page: man security

# Comments (#) allowed only on a separate line,
#    *NO* trailing or embedded # or it will invalidate the setting
#    (just like syslog.conf)

# Access controls (11.0 and higher)
###########################################################

# NOLOGIN=1 will enable the no logins allowed policy.
# NOTE: This
# attribute only applies to the applications that
# use session management services provided by
# pam_hpsec(5) as configured in /etc/pam.conf, or
# those services that indirectly invoke the
# login(1) command.
#
# This prevents *ANY* non-root user from logging in when the file
#   /etc/nologin
# exists.  This file can be anything (including null) but will
# be displayed before auto-logoff. Typically, a message about
# system maintenance is stored there:
#
# SYSTEM ABC IS DOWN FOR MAINTENANCE, BACK at 11am
#
# Remove the file for normal logins.

NOLOGIN=1

# Number of logins allowed for each user (0=unlimited)

NUMBER_OF_LOGINS_ALLOWED=0
ABORT_LOGIN_ON_MISSING_HOMEDIR=0

# Standard and Shadow modes only: Enable or
# disable the display of the last successful
# and unsuccessful login at the next login.
# (1=enable, 0=disable)

DISPLAY_LAST_LOGIN=0

# Standard and Shadow modes only: Expire non
# root local accounts that have had no logins
# for the specified number of days. If zero,
# inactive accounts are not expired.

INACTIVITY_MAXDAYS=0

# Standard and Shadow modes only: Allow
# logins only during specified time periods.
# LOGIN_TIMES=Any


# Single user mode authorization (11i and non-trusted only)
###########################################################
# Requires root password to get into single user mode (CAREFUL)
#     BOOT_AUTH=1

# Users (besides root) that can boot into single user mode
#     BOOT_USERS=bill,jane,joe

# Password controls - Trusted Systems only
###################

ALLOW_NULL_PASSWORD=0
MIN_PASSWORD_LENGTH=6
PASSWORD_HISTORY_DEPTH=1
PASSWORD_MIN_UPPER_CASE_CHARS=0
PASSWORD_MIN_LOWER_CASE_CHARS=0
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=0

# Non-Trusted or shadow password setup only:
# defaults: MAXDAYS=-1 MINDAYS=0 WARNDAYS=0

PASSWORD_MAXDAYS=120
PASSWORD_MINDAYS=7
PASSWORD_WARNDAYS=7

# Session controls
##################


# Default umask value upon login. Note: This
# attribute controls umask(2) of all sessions
# initiated via pam_unix(5) and/or pam_hpsec(5).
# Must have a leading zero to denote octal.

UMASK=0022

# User logins
#############

AUTH_MAXTRIES=9
# LOGIN_TIMES=Any
# AUDIT_FLAG=1


# su controls
#############
## default values:
## SU_ROOT_GROUP=suroot
## SU_DEFAULT_PATH=/usr/bin:/usr/contrib/bin:
## SU_KEEP_ENV_VARS=LD_LIBRARY_PATH,SHLIB_PATH,LD_PRELOAD


Bill Hassell, sysadmin
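Bill's warning that a "#" anywhere on a directive line silently turns the whole line into a comment is easy to check mechanically, and that check is worth running before re-scanning, because `grep -i depth /etc/default/security` will happily print a line that HP-UX is ignoring. The following POSIX sh script is an added example, not code from this thread or from HP-UX: it reports every directive that contains an embedded "#", prints the value of an attribute only if its line is actually in effect, and checks the two attributes the scan complained about against minimum values. The attribute names are the real security(4) names; the minimum values, the constructed sample file and the helper names (get_attr, find_bad_directives, check_password_policy, make_sample) are assumptions made for this example. Point it at the real file with `get_attr /etc/default/security PASSWORD_HISTORY_DEPTH` and so on.

```shell
#!/bin/sh
# Added example (not from the forum post or from HP-UX): lint an
# /etc/default/security-style file for the "# anywhere on the line"
# pitfall and report which password attributes are really in effect.

# get_attr FILE NAME: print the effective value of NAME, or nothing if
# the attribute is absent or its line is disabled by an embedded "#".
get_attr() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }        # full-line comment
        index($0, "#")   { next }        # embedded "#": HP-UX ignores the line
        {
            split($0, kv, "=")
            gsub(/[[:space:]]/, "", kv[1])
            if (kv[1] == name) { sub(/^[^=]*=/, ""); print; exit }
        }' "$1"
}

# find_bad_directives FILE: print "LINE: text" for every directive line
# that contains a "#" somewhere other than as a full-line comment.
# Returns 1 if any such line exists, 0 otherwise.
find_bad_directives() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        index($0, "#") { print NR ": " $0; found = 1 }
        END { exit(found ? 1 : 0) }' "$1"
}

# check_password_policy FILE: verify the two attributes the scan flagged
# are in effect with at least the assumed minimums (NAME:MIN pairs;
# the minimums are illustrative, not from the page or from Qualys).
# Prints one line per attribute; returns 0 only if both pass.
check_password_policy() {
    file="$1"; rc=0
    for spec in PASSWORD_HISTORY_DEPTH:5 PASSWORD_MIN_SPECIAL_CHARS:1; do
        name=${spec%%:*}; min=${spec##*:}
        val=$(get_attr "$file" "$name")
        if [ -z "$val" ]; then
            echo "FAIL $name: not set (missing, or line disabled by an embedded '#')"
            rc=1
        elif [ "$val" -ge "$min" ] 2>/dev/null; then
            echo "ok   $name=$val"
        else
            echo "FAIL $name=$val (need a number >= $min)"
            rc=1
        fi
    done
    return $rc
}

# make_sample: write a CONSTRUCTED sample file (not the poster's real
# /etc/default/security) to a temp path and print that path.  Line 3
# deliberately carries a trailing comment, the mistake Bill describes.
make_sample() {
    f=${TMPDIR:-/tmp}/security.sample.$$
    cat > "$f" <<'EOF'
# Password controls
PASSWORD_HISTORY_DEPTH=12
PASSWORD_MIN_SPECIAL_CHARS=2   # two special chars required
MIN_PASSWORD_LENGTH=8
# PASSWORD_MAXDAYS=90
EOF
    echo "$f"
}

# Stand-alone demo on the constructed sample.
sample=$(make_sample)
echo "== directives silently disabled by an embedded '#':"
find_bad_directives "$sample" || true
echo "== password policy as actually in effect:"
check_password_policy "$sample" || true
rm -f "$sample"
```

On the sample, `grep -i special` would show PASSWORD_MIN_SPECIAL_CHARS=2, yet get_attr reports it as unset and check_password_policy fails it, which is exactly the gap between "the line is in the file" and "the setting is in effect" that a scanner result can expose. The script only parses the file; whether an attribute applies at all in Standard/Shadow mode versus a Trusted System is a separate question, answered by security(4) for your release, and a scanner may also be looking somewhere other than this file.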
nnrao1502
Occasional Advisor

Re: Qualys scan complains on password history depth on HP-UX 11.31 , what am I missing ?

Thanks Patrick for the response, haven't contacted Qualys yet ...... The Qualys scan report shows that history depth was not set up.

nnrao1502
Occasional Advisor

Re: Qualys scan complains on password history depth on HP-UX 11.31 , what am I missing ?

Thanks Bill for your response. I will take a look, test and update you.