04-20-2018 03:43 PM
Qualys scan complains on password history depth on HP-UX 11.31, what am I missing?
Hello HP-UX experts,
I have an 11.31 server, and the shadow file was set up by pwconv ...... /etc/default/security had entries for password history depth and minimum special characters required, but the Qualys scan still complains on both parameters. What is the issue here? Thank you very much in advance. The scan doesn't show if it has an issue with a particular ID.
/ # grep -i depth /etc/default/security
# Password history depth
PASSWORD_HISTORY_DEPTH=12
/ # grep -i special /etc/default/security
PASSWORD_MIN_SPECIAL_CHARS=2
/ # grep test /etc/shadow
testuser1:YkeyDQSfkD7Xo:17641:1:84:0:90::
04-20-2018 07:04 PM
Re: Qualys scan complains on password history depth on HP-UX 11.31, what am I missing?
>>but qualys scan still complains on both parameters
What's the message Qualys is giving? Knowing that could help to diagnose the issue.
Have you contacted Qualys to see what they say?
04-22-2018 11:03 PM - edited 04-22-2018 11:18 PM
Re: Qualys scan complains on password history depth on HP-UX 11.31, what am I missing?
If you set up just the shadow password file, then most of the items in the security defaults file are not applicable.
The security file settings have entries that apply to specific security environments.
For password history and other password controls, your system must be converted to a Trusted System.
You can use SAM or SMH to convert the system security to Trusted (recommended best practice).
Be sure to test the settings. HP-UX provides no feedback when settings are spelled incorrectly, have invalid values or (most important) have a # character ANYWHERE on the line.
This bizarre behavior isn't documented in the man pages and turns perfectly good directives into comments without any warning.
Here is a sample security file with detailed comments about applicability:
# NOTE!!!!!! A newer version of /etc/default/security
# template file may have been installed. Please refer to
# /usr/newconfig/etc/default/security and security(4)
# manual page for the most up-to-date information of
# the supported variables.
#
#####################################################################
#####################################################################
##                                                                 ##
## Security file: /etc/default/security -- 11.00 and higher only   ##
##                                                                 ##
#####################################################################
#####################################################################

# Note: the contents of the security file settings are version
# specific. See the man page: : man security
# Comments (#) allowed only on separate line,
# *NO* trailing or imbedded # or it will invalidate the setting
# (just like syslog.conf)

# Access controls (11.0 and higher)
###########################################################
# NOLOGIN=1 will enable the no logins allowed policy.
# NOTE: This
# attribute only applies to the applications that
# use session management services provided by
# pam_hpsec(5) as configured in /etc/pam.conf, or
# those services that indirectly invoke the
# login(1) command.
#
# This prevents *ANY* non-root user from logging in when the file
# /etc/nologin
# exists. This file can be anything (including null) but will
# be displayed before auto-logoff. Typically, a message about
# system maintenance is stored there:
#
# SYSTEM ABC IS DOWN FOR MAINTENANCE, BACK at 11am
#
# Remove the file for normal logins.
NOLOGIN=1

# Number of logins allowed for each user (0=unlimited)
NUMBER_OF_LOGINS_ALLOWED=0
ABORT_LOGIN_ON_MISSING_HOMEDIR=0

# Standard and Shadow modes only: Enable or
# disable the display of the last successful
# and unsuccessful login at the next login.
# (1=enable, 0=disable)
DISPLAY_LAST_LOGIN=0

# Standard and Shadow modes only: Expire non
# root local accounts that have had no logins
# for the specified number of days. If zero,
# inactive accounts are not expired.
INACTIVITY_MAXDAYS=0

# Standard and Shadow modes only: Allow
# logins only during specified time periods.
# LOGIN_TIMES=Any

# Single user mode authorization (11i and non-trusted only)
###########################################################
# Requires root password to get into single user mode (CAREFUL)
# BOOT_AUTH=1
# Users (besides root) that can boot into single user mode
# BOOT_USERS=bill,jane,joe

# Password controls - Trusted Systems only
###################
ALLOW_NULL_PASSWORD=0
MIN_PASSWORD_LENGTH=6
PASSWORD_HISTORY_DEPTH=1
PASSWORD_MIN_UPPER_CASE_CHARS=0
PASSWORD_MIN_LOWER_CASE_CHARS=0
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=0

# Non-Trusted or shadow password setup only:
# defaults: MAXDAYS=-1 MINDAYS=0 WARNDAYS=0
PASSWORD_MAXDAYS=120
PASSWORD_MINDAYS=7
PASSWORD_WARNDAYS=7

# Session controls
##################
# Default umask value upon login. Note: This
# attribute controls umask(2) of all sessions
# initiated via pam_unix(5) and/or pam_hpsec(5).
# Must have a leading zero to denote octal.
UMASK=0022

# User logins
#############
AUTH_MAXTRIES=9
# LOGIN_TIMES=Any
# AUDIT_FLAG=1

# su controls
#############
## default values:
## SU_ROOT_GROUP=suroot
## SU_DEFAULT_PATH=/usr/bin:/usr/contrib/bin:
## SU_KEEP_ENV_VARS=LD_LIBRARY_PATH,SHLIB_PATH,LD_PRELOAD
Bill Hassell, sysadmin
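The failure mode described in the post above (a misspelled name, or a `#` anywhere on a setting line, silently turning a directive into nothing) can be checked mechanically before a scan does it for you. This is an added example, not part of the original thread or of any HP-UX tool: the rules follow the post's description, the key list is limited to names that appear in this thread, and `lint_security` and `write_sample` are hypothetical names.

```shell
#!/bin/sh
# Lint an /etc/default/security-style file for lines that, per the post
# above, are silently ignored. Prints LINE:CODE:TEXT per finding and
# returns 1 if there was at least one.

# Assumption: key names are only those appearing in this thread;
# security(4) on the target release is the authoritative list.
KNOWN_KEYS="NOLOGIN NUMBER_OF_LOGINS_ALLOWED ABORT_LOGIN_ON_MISSING_HOMEDIR \
DISPLAY_LAST_LOGIN INACTIVITY_MAXDAYS LOGIN_TIMES BOOT_AUTH BOOT_USERS \
ALLOW_NULL_PASSWORD MIN_PASSWORD_LENGTH PASSWORD_HISTORY_DEPTH \
PASSWORD_MIN_UPPER_CASE_CHARS PASSWORD_MIN_LOWER_CASE_CHARS \
PASSWORD_MIN_DIGIT_CHARS PASSWORD_MIN_SPECIAL_CHARS PASSWORD_MAXDAYS \
PASSWORD_MINDAYS PASSWORD_WARNDAYS UMASK AUTH_MAXTRIES AUDIT_FLAG \
SU_ROOT_GROUP SU_DEFAULT_PATH SU_KEEP_ENV_VARS"

lint_security() {
    awk -v keys="$KNOWN_KEYS" '
    BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) known[k[i]] = 1 }
    /^[ \t]*$/ { next }                 # blank line
    /^#/       { next }                 # comment on its own line: allowed
    /#/ { print NR ":EMBEDDED_HASH:" $0; bad = 1; next }
    !/^[A-Za-z_][A-Za-z0-9_]*=/ { print NR ":NOT_KEY_VALUE:" $0; bad = 1; next }
    {
        key = $0; sub(/=.*/, "", key)
        val = $0; sub(/^[^=]*=/, "", val)
        if (!(key in known)) { print NR ":UNKNOWN_KEY:" $0; bad = 1 }
        else if (val == "")  { print NR ":EMPTY_VALUE:" $0; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input (not taken from any real host).
write_sample() {
    cat > "$1" <<'EOF'
# Password history depth
PASSWORD_HISTORY_DEPTH=12
PASSWORD_MIN_SPECIAL_CHARS=2   # two specials
PASSWORD_HISTROY_DEPTH=12
MIN_PASSWORD_LENGTH 8
UMASK=
EOF
}

sample="${TMPDIR:-/tmp}/security.sample.$$"
write_sample "$sample"
lint_security "$sample" || echo "findings above: fix before relying on the file"
rm -f "$sample"
```

On a real host, run `lint_security /etc/default/security`; a clean result only means the syntax is sound, not that a given setting applies to the system's security mode.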
05-01-2018 01:40 PM
Re: Qualys scan complains on password history depth on HP-UX 11.31, what am I missing?
Thanks Patrick for the response, haven't contacted Qualys yet ...... Qualys scan report shows that history depth was not set up
05-01-2018 01:41 PM
Re: Qualys scan complains on password history depth on HP-UX 11.31, what am I missing?
Thanks Bill for your response. I will take a look, test and update you.