
Re: Password auditing

Gary Hines
Advisor

Password auditing

Hi, we're currently going through a security audit, and the old /etc/passwd file is not going to make it. To retain our client base, we need to enforce the following two policies and I'm not sure how to do it:
1) Maintain at least the last 4 passwords so that they cannot be duplicated.
2) Lock out account for at least 30 minutes if 6 straight unsuccessful login attempts.

I think the second one can be handled by switching to a trusted system, but I can't find anything on the first.
(By the way, we're running HP-UX 11i). I would appreciate any pointers, program recommendations, ideas, etc.
Scott Palmer_1
Trusted Contributor
Solution

Re: Password auditing

Both can be handled by switching to trusted systems. You can also set the complexity of the password. I currently have mine set to disable the account after 5 unsuccessful tries at the password. And it also allows you to set the minimum time between password changes, so I can't change my password 5 times in one day to get back to my original password.

Sincerely

--Scott Palmer
Sundar_7
Honored Contributor

Re: Password auditing

Sure, you can achieve both objectives by converting to a trusted system.

Once the system is converted to a trusted system, edit the /etc/default/security file:

# vi /etc/default/security
PASSWORD_HISTORY_DEPTH=4
#

This will ensure users will not be allowed to use the last 4 passwords.
Learn What to do, How to do and more importantly When to do?
Sundar_7
Honored Contributor

Re: Password auditing

BTW, as far as the second item goes, you can lock the account after N number of unsuccessful login attempts.

But it will remain locked until you manually unlock the user account. You might have to run a script that checks for the locked accounts and unlock them periodically.
Learn What to do, How to do and more importantly When to do?
Simon Hargrave
Honored Contributor

Re: Password auditing

Trusted systems do maintain a password history, so you can implement the first requirement.

On a trusted system, edit /etc/default/security and change PASSWORD_HISTORY_DEPTH as required.

Password history is stored under /tcb/files/auth/system/pwhist
Prashant Zanwar_4
Respected Contributor

Re: Password auditing

You can change the system to trusted mode using SAM, and you can then edit the password policies as a whole and set them. And users like root you can select individually later and change them to the policy you wish.

Also, /etc/default/security can be like below:

PASSWORD_HISTORY_DEPTH=5
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1


And also check you have all the latest security patches installed.

Thanks
Prashant
"Intellect distinguishes between the possible and the impossible; reason distinguishes between the sensible and the senseless. Even the possible can be senseless."
RAC_1
Honored Contributor

Re: Password auditing

Both can be taken care of.

For the first, do man security. This file is /etc/default/security. You need to put the option PASSWORD_HISTORY_DEPTH=4

For the 2nd requirement, convert to a trusted system; the option you are looking for is umaxlntr, so what happens is after so many tries the account will get locked. Getting it activated again will require some scripting.

Check if the account is locked (mlock), check if it is locked because of unsuccessful logins (mlock); if yes, unlock after checking the last unsuccessful login time (ulogint).

Anil
There is no substitute to HARDWORK
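The periodic unlock script that Sundar_7 and RAC_1 describe (check whether an account is locked, whether the cause is bad logins, and whether the last failure is old enough, then unlock) as an added illustration; this is not code from any poster in the thread. It assumes, and labels as assumptions, that `/usr/lbin/getprpw -r -m lockout,ulogint USER` prints a 7-character lockout bit string and an epoch timestamp separated by a comma, that the "exceeded unsuccessful login attempts" bit sits at a configurable position (default 4), that `/usr/lbin/modprpw -k USER` clears the lockout, and that `date +%s` is available. The decision logic is kept in its own function so it can be checked with constructed inputs before the script ever touches a real account.

```shell
#!/bin/sh
# Added example (not from any poster): clear lockouts that were caused ONLY by
# too many bad logins and are older than LOCK_MINUTES, as the thread suggests.
#
# Assumptions (verify against getprpw(1M)/modprpw(1M) on your own system):
#   * /usr/lbin/getprpw -r -m lockout,ulogint USER prints "<7-char bit string>,<epoch secs>"
#   * character ULOGIN_BIT of that string is the "exceeded unsuccessful login
#     attempts" bit; every other bit (expired password, admin lock, ...) is a
#     different cause and must NOT be cleared automatically
#   * /usr/lbin/modprpw -k USER resets the lockout (unlocks the account)
#   * `date +%s` exists (GNU date; on HP-UX 11i substitute another epoch source)

LOCK_MINUTES=${LOCK_MINUTES:-30}          # the 30-minute lockout from the question
ULOGIN_BIT=${ULOGIN_BIT:-4}               # assumed 1-based position of the bad-login bit
GETPRPW=${GETPRPW:-/usr/lbin/getprpw}
MODPRPW=${MODPRPW:-/usr/lbin/modprpw}

# should_unlock BITS LAST_FAIL_EPOCH NOW_EPOCH
# Prints "yes" (status 0) only when the bad-login bit is the SOLE lockout reason
# and the last failed login is at least LOCK_MINUTES old; otherwise "no" (status 1).
should_unlock() {
    bits=$1 last_fail=$2 now=$3

    # Reject malformed input rather than guessing.
    case $bits in ''|*[!01]*) echo no; return 1;; esac
    [ ${#bits} -eq 7 ] || { echo no; return 1; }
    case $last_fail in ''|*[!0-9]*) echo no; return 1;; esac

    # The bad-login bit must be set ...
    [ "$(printf '%s' "$bits" | cut -c "$ULOGIN_BIT")" = 1 ] || { echo no; return 1; }

    # ... and it must be the only bit set: an admin lock or expired password stays locked.
    others=$(printf '%s' "$bits" | sed "s/./0/$ULOGIN_BIT")
    [ "$others" = 0000000 ] || { echo no; return 1; }

    # Only lift the lock once the configured lockout period has elapsed.
    if [ $(( now - last_fail )) -ge $(( LOCK_MINUTES * 60 )) ]; then
        echo yes; return 0
    fi
    echo no; return 1
}

# Walk every local account and clear stale bad-login lockouts; run from cron every few minutes.
unlock_stale_lockouts() {
    now=$(date +%s)
    cut -d: -f1 /etc/passwd | while read -r user; do
        raw=$("$GETPRPW" -r -m lockout,ulogint "$user" 2>/dev/null) || continue
        bits=${raw%%,*}
        last_fail=${raw##*,}
        if [ "$(should_unlock "$bits" "$last_fail" "$now")" = yes ]; then
            echo "unlocking $user: locked by bad logins since epoch $last_fail"
            "$MODPRPW" -k "$user"
        fi
    done
}

# Only touch real accounts when explicitly asked: ./unlock_stale.sh --run
case ${1:-} in --run) unlock_stale_lockouts;; esac
```

Keeping the decision in `should_unlock` means an account that carries an admin lock or an expired-password lock alongside the bad-login bit is left alone, which is the check a periodic unlocker most needs; the cron driver only ever calls `modprpw -k` when that function answers "yes".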
Gary Hines
Advisor

Re: Password auditing

Thanks to all for the help. I guess it's time to start looking at a trusted system.
Gary Hines
Advisor

Re: Password auditing

Thanks again!!