
/etc/default/security

 
SOLVED
OFC_EDM
Respected Contributor

/etc/default/security

Is the use of the /etc/default/security file only for Trusted systems?

Or can I implement this file on a vanilla install of HP-UX 11.11?
The Devil is in the detail.
13 REPLIES
James R. Ferguson
Acclaimed Contributor
Solution

Re: /etc/default/security

Hi Kevin:

You can use the '/etc/default/security' file on non-trusted systems.

Regards!

...JRF...
Steven E. Protter
Exalted Contributor

Re: /etc/default/security

Shalom Kevin

No, you can use it to set password requirements for length and complexity and a lot of other cool things that make your system more secure.

Shmuel
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven E. Protter
Exalted Contributor

Re: /etc/default/security

Shalom Kevin

No, you can use it to set password requirements for length and complexity and a lot of other cool things that make your system more secure.

Don't need to be trusted to be secure.

Shmuel
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
OFC_EDM
Respected Contributor

Re: /etc/default/security

Thanks for the replies so far.

I was reading up on the security file and am I correct that it only works for users using the RSH shell?
The Devil is in the detail.
Rick Garland
Honored Contributor

Re: /etc/default/security

No - will work for users using the ksh, bsh, csh, bash, etc...

James R. Ferguson
Acclaimed Contributor

Re: /etc/default/security

Kevin:

As an aside, trusted systems are scheduled to be deprecated upon the release of 11iv3. What we now know as trusted systems features will become standard in that release.

If you are running 11.23 (11iv2), however, you can obtain these features as an add-on:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=StdModSecExt
Regards!

...JRF...
OFC_EDM
Respected Contributor

Re: /etc/default/security

I tried putting a security file in /etc/default

Made it World readable and root writable.

Put only the following parameter

NUMBER_OF_LOGINS_ALLOWED=1

Should this not allow only 1 login session per user?

I was able to login as many times as I wanted after creating the file.

Is there anything I have to do to make the /etc/default/security file "active"??
The Devil is in the detail.
paolo barila
Valued Contributor

Re: /etc/default/security

# man security
share share share
OFC_EDM
Respected Contributor

Re: /etc/default/security

Paolo,

Don't know which man page you're reading. But the MAN page for security on my system only mentions (summarized):

1) create a /etc/default/security file
2) Make it World readable and root Writable.
3) Put in the parameter definitions.

I've done all this and it doesn't seem to do anything. So I'm asking if there's anything else that needs to be done to implement the security file?
The Devil is in the detail.
James R. Ferguson
Acclaimed Contributor

Re: /etc/default/security

Hi Kevin:

You need to see:

http://docs.hp.com/en/B2355-60127/security.4.html

Regards!

...JRF...
paolo barila
Valued Contributor

Re: /etc/default/security

Sorry, I didn't want to be unkind

If you use "ssh", maybe it doesn't support

NUMBER_OF_LOGINS_ALLOWED

try

NOLOGIN

feature

share share share
paolo barila
Valued Contributor

Re: /etc/default/security

Bill Hassell
Honored Contributor

Re: /etc/default/security

The security file has a FEW entries that work on an un-trusted system, but unfortunately, all of the options must be spelled exactly right, and your security patches must be up to date. If an option is not spelled right or there is a trailing # on the line, the line is silently ignored. Attached is a sample security file with lots of comments. For a non-Trusted system, these items work OK (with security patches):

NOLOGIN=1
NUMBER_OF_LOGINS_ALLOWED=0
ABORT_LOGIN_ON_MISSING_HOMEDIR=0

You can also implement BOOT_AUTH and BOOT_USERS (but consider consequences if the root password is lost!).

The man page for security gives you the details on the settings.


Bill Hassell, sysadmin
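
The last reply says a misspelled option or a trailing # makes a line silently ignored, so the file can look correct and still do nothing. The POSIX shell lint below is an added example, not part of the thread or of HP's tooling: the function name `lint_security` is hypothetical, and its `KNOWN` list holds only the parameter names mentioned in this thread, so extend it from security(4) for your release.

```shell
#!/bin/sh
# Added example, not from the thread: lint a security(4)-style defaults file
# for lines that would be silently ignored.
# KNOWN holds only the parameter names mentioned in this thread (assumption:
# that is all you want to accept); extend it from security(4) on your release.
KNOWN="NOLOGIN NUMBER_OF_LOGINS_ALLOWED ABORT_LOGIN_ON_MISSING_HOMEDIR BOOT_AUTH BOOT_USERS"

# lint_security FILE  (hypothetical helper name)
# Prints one finding per problem; returns 0 when clean, 1 when anything is flagged.
lint_security() {
    file=$1
    bad=0
    lineno=0
    # Mode check: world readable, not group- or world-writable.
    # Ownership by root is not checked here.
    case $(ls -ld "$file") in
        -r???-?r-?*) ;;
        *) echo "$file: mode should be world readable, writable by owner only"
           bad=1 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;    # blank line or whole-line comment
            *'#'*) echo "$file:$lineno: '#' after a setting, line would be ignored"
                   bad=1; continue ;;
            *=*) ;;                 # NAME=value shape, name is checked below
            *) echo "$file:$lineno: not NAME=value"
               bad=1; continue ;;
        esac
        name=${line%%=*}            # everything before the first '='
        found=no
        for k in $KNOWN; do
            if [ "$k" = "$name" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then
            echo "$file:$lineno: unrecognised name '$name' (spelling, case, spaces?)"
            bad=1
        fi
    done < "$file"
    return $bad
}
```

Run it as `lint_security /etc/default/security` after every edit; a clean result only means the lines are well formed, not that a given parameter is honoured on a non-trusted system or by every login path.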