
Patches needed for /etc/default/security

 
Chris Weislak
Advisor

Patches needed for /etc/default/security

I am trying to set up the /etc/default/security file on my HP-UX 11.0 system. I try to type 'man security' and nothing displays. I have seen one reference to needing PHCO_27721 installed on the system. I have that one installed but I don't know what I am missing. Could anyone point me in the right direction?
Luk Vandenbussche
Honored Contributor

Re: Patches needed for /etc/default/security

Hi,

Here you have the output of man security:


security(4) security(4)

NAME
security - security defaults configuration file

DESCRIPTION
A number of system commands and features are configured based on
certain parameters defined in the /etc/default/security configuration
file. This file must be world readable and root writable.

Each line in the file is treated either as a comment or as
configuration information for a given system command or feature.
Comments are denoted by a # at the beginning of a line. Noncomment
lines are of the form, parameter=value.

If any parameter is not defined or is commented out in this file, the
default behavior detailed below will apply.

Parameter definitions, valid values, and defaults are defined as
follows:

ABORT_LOGIN_ON_MISSING_HOMEDIR
This parameter controls login behavior if a user's home
directory does not exist. This is applicable only for
non-root users.

ABORT_LOGIN_ON_MISSING_HOMEDIR=0 Login with '/' as
the home directory if the user's home directory does
not exist.

ABORT_LOGIN_ON_MISSING_HOMEDIR=1 Exit the login
session if the user's home directory does not exist.

Default value: ABORT_LOGIN_ON_MISSING_HOMEDIR=0

MIN_PASSWORD_LENGTH
This parameter controls the minimum length of new
passwords. It is not applicable to the root user on an
untrusted system.

MIN_PASSWORD_LENGTH=N New passwords must contain at
least N characters. For untrusted systems N can be any
value from 6 to 8. For trusted systems N can be any
value from 6 to 80.

Default value: MIN_PASSWORD_LENGTH=6

NOLOGIN This parameter controls whether non-root login can be
disabled by the /etc/nologin file.

NOLOGIN=0 Ignore the /etc/nologin file and do not
exit if the /etc/nologin file exists.

Hewlett-Packard Company - 1 - HP-UX Release 11i: Oct 2002

NOLOGIN=1 Display the contents of the /etc/nologin
file and exit if the /etc/nologin file exists.

Default value: NOLOGIN=0

NUMBER_OF_LOGINS_ALLOWED
This parameter controls the number of simultaneous
logins allowed per user. This is applicable only for
non-root users.

NUMBER_OF_LOGINS_ALLOWED=0 Any number of logins are
allowed per user.

NUMBER_OF_LOGINS_ALLOWED=N N number of logins are
allowed per user.

Default value: NUMBER_OF_LOGINS_ALLOWED=0

PASSWORD_HISTORY_DEPTH
This parameter controls the password history depth. A
new password is checked only against the number of most
recently used passwords stored in password history for
a particular user. A user is not allowed to re-use a
previously used password.

PASSWORD_HISTORY_DEPTH=N A new password is checked
against only the N most recently used passwords for a
particular user.

A configuration of password history depth of 2 prevents
users from alternating between two passwords. The
maximum password history depth supported is 10 and the
minimum password history depth supported is 1. A depth
configuration of more than 10 will be treated as 10,
and a depth configuration of less than 1 will be
treated as 1.

The password history depth configuration is on a system
basis and is supported in trusted system for users in
files repository only. This feature does not support
the users in NIS or NISPLUS repositories. Once the
feature is enabled, all the users on the system are
subject to the same check. If this parameter is not
configured, the password history check feature is
automatically disabled. When the feature is disabled,
the password history check depth is set to 1.

A password change is subject to all of the other rules
for a new password including a check with the current
password.

Default value: PASSWORD_HISTORY_DEPTH=1

PASSWORD_MIN__CHARS
Parameters of this form are used to require new
passwords to have a minimum number of characters of
particular types (upper case, lower case, digits or
special characters). This can be helpful in enforcing
site security policies about selecting passwords that
are not easy to guess.

Note: These parameters apply only if the libpam_unix
patch PHCO_24606 or later is installed.

PASSWORD_MIN_UPPER_CASE_CHARS=N Specifies that a
minimum of N upper-case characters are required in a
password when changed.

PASSWORD_MIN_LOWER_CASE_CHARS=N Specifies that a
minimum of N lower-case characters are required in a
password when changed.

PASSWORD_MIN_DIGIT_CHARS=N Specifies that a minimum
of N digit characters are required in a password when
changed.

PASSWORD_MIN_SPECIAL_CHARS=N Specifies that a minimum
of N special characters are required in a password when
changed.

Default value: The default for each of these parameters
is zero.

SU_KEEP_ENV_VARS
This parameter forces su to propagate certain 'unsafe'
environment variables to its children despite the
security risk of doing so.

Note: This parameter is supported by the su patch
PHCO_27781 or later. By default, su does not export
the environment variables LD_LIBRARY_PATH, SHLIB_PATH
or LD_PRELOAD because they could be maliciously
misused. Any combination of these can be specified in
this entry, with a comma separating the variables.
Currently no other environment variables may be
specified in this way. This may change in future HP-UX
releases as security needs require.

SU_KEEP_ENV_VARS=var1,var2,...varN

Default value: If this parameter is not defined or if
it is commented out, none of these three environment
variables will be propagated by the su command.

SU_ROOT_GROUP
This parameter defines the root group name for the su
command. Refer to su(1).

SU_ROOT_GROUP=group_name The root group name is set to
the specified symbolic group name. The su command
enforces the restriction that a non-superuser must be a
member of the specified root group to be allowed to su
to root. This does not alter password checking.

Default value: If this parameter is not defined or if
it is commented out, there is no default value. In
this case, a non superuser is allowed to be superuser
and su to root without being bound by root group
restrictions.

SU_DEFAULT_PATH
This parameter defines a new default PATH environment
value to be set when su to a non-superuser account is
done. Refer to su(1).

SU_DEFAULT_PATH=new_PATH

The PATH environment variable is set to new_PATH when
the su command is invoked. The path value is not
validated. This parameter does not apply to a
superuser account, and is applicable only when the "-"
option is not used with the su command.

Default value: PATH is not changed.

AUTHOR
security was developed by HP.

FILES
/etc/default/security

SEE ALSO
init(1M), login(1), passwd(1), su(1), pam_unix(5).

Chris Weislak
Advisor

Re: Patches needed for /etc/default/security

Thank You...that is a start...I tried to implement it on a test system and it did not work...I was not sure if I am missing a patch on the system or what was originally required to enable the security file to work.
Steven E. Protter
Exalted Contributor

Re: Patches needed for /etc/default/security

Shalom Chris,

I don't think it's going to work.

Hewlett-Packard Company - 1 - HP-UX Release 11i: Oct 2002

It may be an 11.11 added feature.

http://www.hp.com/products1/unix/operating/security/

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Chris Weislak
Advisor

Re: Patches needed for /etc/default/security

Peace to you as well...
That is one of my fears. I was reading an article by Chris Wong that turned me onto that file. He stated that you would need the effective patch of PHCO_27721 for HP-UX 11.0.
http://newfdawg.com/SHP-RestShell.htm

I was hoping I could do it on this system but haven't been able to.
James R. Ferguson
Acclaimed Contributor

Re: Patches needed for /etc/default/security

Hi Chris:

You *can* indeed use the '/etc/default/security' mechanism on 11.0. As I recall, it wasn't documented until later.

The patch notes for PHCO_27721 note, "...an /etc/default/security file must be created if it does not already exist. This file should be world readable and root writeable."

Regards!

..JRF...
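
Added example (not part of any post in this thread, and not HP's code): a read-only POSIX shell check for a newly created /etc/default/security, using the permission rule and the value ranges from the security(4) text quoted earlier in the thread. The function name lint_security_file and its messages are made up here, and reading "root writable" as "owned by root" is an assumption.

```shell
#!/bin/sh
# Added example: read-only lint of an /etc/default/security file against the
# security(4) text quoted in this thread. Usage: lint_security_file FILE [trusted]
lint_security_file() {
    f=$1; max=8; bad=0
    [ "$2" = trusted ] && max=80   # MIN_PASSWORD_LENGTH: 6-8 untrusted, 6-80 trusted
    note() { echo "$1"; bad=1; }
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # "This file must be world readable and root writable."
    # Assumption: that means owned by root and not writable by group or other.
    perm=$(ls -ld "$f" | cut -c1-10)
    owner=$(ls -ld "$f" | awk '{print $3}')
    [ "$owner" = root ] || note "owner is $owner, expected root"
    case $perm in ???????r??) ;; *) note "not world readable: $perm";; esac
    case $perm in ?????w????|????????w?) note "group/other writable: $perm";; esac
    while IFS= read -r line; do
        case $line in '#'*|'') continue;; esac        # comment or blank line
        case $line in *=*) ;; *) note "not parameter=value: $line"; continue;; esac
        key=${line%%=*}; val=${line#*=}
        case $key in
        SU_ROOT_GROUP|SU_DEFAULT_PATH) continue;;     # free-form values
        SU_KEEP_ENV_VARS)                             # only three names accepted
            for v in $(echo "$val" | tr ',' ' '); do
                case $v in LD_LIBRARY_PATH|SHLIB_PATH|LD_PRELOAD) ;;
                *) note "$key: $v is not an accepted name";; esac
            done; continue;;
        ABORT_LOGIN_ON_MISSING_HOMEDIR|NOLOGIN|MIN_PASSWORD_LENGTH) ;;
        NUMBER_OF_LOGINS_ALLOWED|PASSWORD_HISTORY_DEPTH) ;;
        PASSWORD_MIN_*_CHARS) ;;                      # UPPER_CASE, LOWER_CASE, DIGIT, SPECIAL
        *) note "unknown parameter: $key"; continue;;
        esac
        case $val in ''|*[!0-9]*) note "$key: '$val' is not a number"; continue;; esac
        case $key in
        ABORT_LOGIN_ON_MISSING_HOMEDIR|NOLOGIN)
            [ "$val" -le 1 ] || note "$key: must be 0 or 1";;
        MIN_PASSWORD_LENGTH)
            { [ "$val" -ge 6 ] && [ "$val" -le "$max" ]; } ||
                note "$key: $val outside 6-$max";;
        PASSWORD_HISTORY_DEPTH)                       # clamped to 1..10
            [ "$val" -lt 1 ] && note "$key: $val will be treated as 1"
            [ "$val" -gt 10 ] && note "$key: $val will be treated as 10";;
        esac
    done < "$f"
    return $bad
}
if [ $# -gt 0 ]; then lint_security_file "$@"; fi
```

The function prints one line per finding and returns non-zero if there were any. It does not tell you whether the patches that make login, passwd and su read the file are installed.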
Pete Randall
Outstanding Contributor
Solution

Re: Patches needed for /etc/default/security

Steven E. Protter
Exalted Contributor

Re: Patches needed for /etc/default/security

The feature is indeed undocumented but working fine on an 11.00 system here.

PHCO_27721 is installed.

Should have checked that.

SEP
Chris Weislak
Advisor

Re: Patches needed for /etc/default/security

I think I am going to have to reapply that patch then. Thank you all so much for all your help.
Chris Weislak
Advisor

Re: Patches needed for /etc/default/security

I will repatch the system and go from there.