HP-UX Bastille Software manual: AccountSecurity.lock_account_nopasswd, AccountSecurity.mesgn

Page 35

Description

HP-UX stores the encrypted (hashed) password string for each user in the /etc/passwd file. These strings are readable by anyone with access to the /etc/ file system, typically all users. Given the hash string, an attacker can run an offline dictionary or brute-force attack against it and recover valid passwords for your system without ever touching the login service, so failed guesses are never logged.

Actions

Convert the system to trusted mode (which moves the hashes into the protected /tcb/files/auth database) or enable shadowed passwords with pwconv(1M), which moves them into /etc/shadow. Which option is available depends on the OS version. Existing hashes stay valid after the conversion, but anyone who already copied /etc/passwd still holds them, so consider forcing password changes afterwards.

AccountSecurity.lock_account_nopasswd

Headline

Lock the local accounts with no password.

Default

Y

Description

Accounts with no password allow anyone who can reach a login service to log in as that user and execute arbitrary actions on your server, and they invite attack. Passwordless accounts should always be against policy. This item disables every local account whose password field is empty.

Actions

Lock all local accounts that do not have a password with the passwd -l command. Locking replaces the empty password field with a value that can never match a password; it does not remove the account, its home directory, or its files.
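The following audit script is an added example for the hide_passwords and lock_account_nopasswd items above; it is not code from the HP-UX Bastille manual or from Bastille itself. It reads a file in /etc/passwd layout and classifies each account by its password field: empty (no password), exposed (a hash sitting in /etc/passwd, which means neither trusted mode nor /etc/shadow is in use), shadowed, or locked. It then prints the passwd -l commands that would lock the passwordless accounts without running them. The sample passwd content, user names and hash strings are constructed for illustration; PASSWD_FILE is an assumed environment variable that can be pointed at a real /etc/passwd.

```shell
#!/bin/sh
# Added example; not from the HP-UX Bastille manual or its code. Audits a
# passwd-format file for the two conditions the hide_passwords and
# lock_account_nopasswd items address:
#   (a) password hashes exposed in field 2, meaning the host is neither a
#       trusted system nor using /etc/shadow, so anyone who can read the
#       file can crack the hashes offline;
#   (b) accounts with an empty password field, which anyone can use.
# It is read-only and prints the passwd -l commands that would fix (b).
# PASSWD_FILE defaults to the constructed sample below; set
# PASSWD_FILE=/etc/passwd to audit a real host.

PASSWD_FILE=${PASSWD_FILE:-}

# Constructed sample in /etc/passwd layout. Field 2 values are placeholders,
# not real hashes, and the users are made up.
SAMPLE_PASSWD='root:AbCdEfGhIjKlM:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
guest::502:20:Guest user:/home/guest:/usr/bin/sh
alice:x:503:20:Alice:/home/alice:/usr/bin/sh
bob:.Zz9wQpY7oKbE:504:20:Bob:/home/bob:/usr/bin/sh'

# Write the passwd data to stdout.
passwd_data() {
    if [ -n "$PASSWD_FILE" ]; then
        cat "$PASSWD_FILE"
    else
        printf '%s\n' "$SAMPLE_PASSWD"
    fi
}

# classify_entries: read passwd lines on stdin, print "<class> <user>" lines.
#   empty    field 2 empty: the account has no password at all
#   exposed  field 2 holds a hash: crackable by anyone who can read the file
#   shadowed field 2 is "x": the hash lives in /etc/shadow or the trusted
#            system database, not here
#   locked   field 2 starts with "*": can never equal a crypt(3) result, so
#            password login is impossible (locked and no-login accounts)
classify_entries() {
    while IFS=: read -r user pw rest; do
        [ -n "$user" ] || continue
        case "$pw" in
            "")   echo "empty $user" ;;
            x)    echo "shadowed $user" ;;
            \**)  echo "locked $user" ;;
            *)    echo "exposed $user" ;;
        esac
    done
}

# users_in_class CLASS: space-separated user names in that class.
users_in_class() {
    wanted=$1 out=""
    while read -r cls user; do
        if [ "$cls" = "$wanted" ]; then
            out="${out:+$out }$user"
        fi
    done <<EOF
$(passwd_data | classify_entries)
EOF
    printf '%s\n' "$out"
}

# lock_commands: the passwd -l invocations Bastille would run for (b).
lock_commands() {
    for user in $(users_in_class empty); do
        printf 'passwd -l %s\n' "$user"
    done
}

# Report.
echo "hashes exposed in passwd : $(users_in_class exposed)"
echo "accounts with no password: $(users_in_class empty)"
echo "locked / no-login        : $(users_in_class locked)"
echo "shadowed                 : $(users_in_class shadowed)"
echo "commands to lock empties :"
lock_commands
```

On the constructed sample the report lists root and bob as exposed (the system is not shadowed), guest as passwordless, and emits "passwd -l guest". Any non-empty "exposed" list on a real host means the hide_passwords item still needs to be applied; any "empty" entry means lock_account_nopasswd has not run or a passwordless account was created afterwards.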

AccountSecurity.mesgn

Headline

Set mesg n for all users.

Default

N

Description

The mesg n command forbids messages sent with write(1) by revoking write permission on the user's terminal device for users without appropriate privilege. For a description of mesg, see mesg(1) and write(1). Disabling this feature prevents untrusted users from contacting other users to solicit credentials or other sensitive data, and it removes a channel for writing misleading text (for example, a fake login prompt) onto someone else's terminal.

Actions

Append the line "mesg n" to the files profile, csh.login, d.profile, and d.login in /etc, so that every new login shell starts with messages disabled. A user can still re-enable messages for their own session with mesg y.
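The script below is an added example of the append step, not code from the HP-UX Bastille manual or from Bastille itself. The point it adds to the text is idempotence: a hardening step that is re-run (Bastille can be re-applied, and administrators often re-run such scripts) must not stack a second "mesg n" onto files that already have one. It works on a constructed copy of the four files in a temporary directory; ETC_DIR is an assumed environment variable and can be set to /etc to apply the change on a real host.

```shell
#!/bin/sh
# Added example; not from the HP-UX Bastille manual or its code. Appends
# "mesg n" to the system-wide login scripts exactly once, so running the
# hardening again does not stack duplicate lines, and reports how many
# files changed. ETC_DIR defaults to a constructed copy of the four files
# in a temp directory; set ETC_DIR=/etc (as root) to apply it for real.

ETC_DIR=${ETC_DIR:-${TMPDIR:-/tmp}/mesgn_demo.$$}
LOGIN_FILES="profile csh.login d.profile d.login"
MESG_LINE="mesg n"

# ensure_line FILE LINE: append LINE unless an identical line is present.
# Prints 1 if FILE was changed, 0 if it already had the line.
ensure_line() {
    file=$1 wanted=$2
    if [ -f "$file" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            if [ "$line" = "$wanted" ]; then
                echo 0
                return 0
            fi
        done < "$file"
    fi
    printf '%s\n' "$wanted" >> "$file"
    echo 1
}

# count_line FILE LINE: number of lines in FILE identical to LINE.
count_line() {
    file=$1 wanted=$2 n=0
    [ -f "$file" ] || { echo 0; return 0; }
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$line" = "$wanted" ]; then n=$((n + 1)); fi
    done < "$file"
    echo "$n"
}

# apply_mesg_n: add MESG_LINE to every login script; print number changed.
apply_mesg_n() {
    changed=0
    for f in $LOGIN_FILES; do
        changed=$((changed + $(ensure_line "$ETC_DIR/$f" "$MESG_LINE")))
    done
    echo "$changed"
}

# Constructed starting state: profile already hardened, csh.login has
# unrelated content, d.profile is empty, d.login does not exist yet.
mkdir -p "$ETC_DIR"
printf 'PATH=/usr/bin:/usr/sbin\nexport PATH\nmesg n\n' > "$ETC_DIR/profile"
printf 'setenv TERM hp\n' > "$ETC_DIR/csh.login"
: > "$ETC_DIR/d.profile"
rm -f "$ETC_DIR/d.login"

echo "first run changed $(apply_mesg_n) files"   # 3
echo "second run changed $(apply_mesg_n) files"  # 0
```

The first run touches the three files that lack the line and leaves profile alone; the second run changes nothing. One practical caveat: mesg reports an error when it runs without a controlling terminal, so if these files are ever sourced by a non-interactive session the quieter form is "tty -s && mesg n".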

AccountSecurity.MIN_PASSWORD_LENGTH

Headline

Set the minimum length of new passwords.

Default

8

Description

The MIN_PASSWORD_LENGTH parameter controls the minimum length of new passwords. It is checked when a password is set or changed, so existing shorter passwords remain valid until their owners change them. This policy is not enforced for the root user on an untrusted system.

Actions

In the /etc/default/security file, set the parameter MIN_PASSWORD_LENGTH, for example MIN_PASSWORD_LENGTH=8.

AccountSecurity.NOLOGIN

Headline

Non-root users are not allowed to log in if /etc/nologin exists.

Default

N

Description

The NOLOGIN parameter controls whether the /etc/nologin file blocks non-root logins. With NOLOGIN=1, login refuses any non-root user while /etc/nologin exists and displays the file's contents to the user; root can still log in. The file is normally created by shutdown(1M), and it can be created by hand to take a system out of service without stopping the login daemons.

Actions

Sets the parameter NOLOGIN=1 in the /etc/default/security file.

AccountSecurity.NUMBER_OF_LOGINS_ALLOWED

Headline

Enter the maximum number of logins per user.

Default

1

Description

The NUMBER_OF_LOGINS_ALLOWED parameter controls the number of simultaneous sessions allowed per user; a value of 0 means no limit. This is applicable only to non-root users. Limiting sessions discourages account sharing and alerts a user to a compromised account, because their own login is refused while an intruder holds the session.

Actions

Sets the parameter NUMBER_OF_LOGINS_ALLOWED in the /etc/default/security file, for example NUMBER_OF_LOGINS_ALLOWED=1.
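The MIN_PASSWORD_LENGTH, NOLOGIN and NUMBER_OF_LOGINS_ALLOWED items all come down to the same edit of /etc/default/security. The script below is an added example of that edit, not code from the HP-UX Bastille manual or from Bastille itself. It replaces an active KEY=VALUE line in place, leaves commented lines such as "#MIN_PASSWORD_LENGTH=6" untouched so the documentation shipped in the real file survives, appends keys that are absent, validates the values first, and reads them back. The starting file is constructed; SECURITY_FILE and the POLICY_MIN_LEN floor of 8 are assumptions of this example and can be pointed at /etc/default/security on a real host.

```shell
#!/bin/sh
# Added example; not from the HP-UX Bastille manual or its code. Sets the
# MIN_PASSWORD_LENGTH, NOLOGIN and NUMBER_OF_LOGINS_ALLOWED parameters in a
# file laid out like /etc/default/security: an active KEY=VALUE line is
# replaced in place, commented lines such as "#NOLOGIN=0" are kept, and a
# missing key is appended. The values are validated first and read back
# afterwards. SECURITY_FILE defaults to a constructed sample in a temp
# directory; set SECURITY_FILE=/etc/default/security (as root) to apply.

SECURITY_FILE=${SECURITY_FILE:-${TMPDIR:-/tmp}/security_demo.$$}
POLICY_MIN_LEN=8   # example floor, matching the Bastille default above

# set_security_param FILE KEY VALUE: rewrite FILE with KEY=VALUE active once.
set_security_param() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    seen=0
    if [ -f "$file" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                "$key="*)
                    # first active line is rewritten, later duplicates dropped
                    if [ "$seen" -eq 0 ]; then
                        printf '%s=%s\n' "$key" "$value"
                    fi
                    seen=1 ;;
                *)  printf '%s\n' "$line" ;;
            esac
        done < "$file" > "$tmp"
    else
        : > "$tmp"
    fi
    if [ "$seen" -eq 0 ]; then
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_security_param FILE KEY: print the active value, or nothing if unset.
get_security_param() {
    file=$1 key=$2 value=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$key="*) value=${line#*=} ;;
        esac
    done < "$file"
    printf '%s\n' "$value"
}

# count_active FILE KEY: how many uncommented KEY= lines FILE has.
count_active() {
    file=$1 key=$2 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$key="*) n=$((n + 1)) ;;
        esac
    done < "$file"
    echo "$n"
}

# is_integer STRING: succeed only for a non-negative decimal integer.
is_integer() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# apply_login_policy MIN_LEN NOLOGIN MAX_LOGINS: validate, then write all three.
# NOLOGIN must be 0 or 1; MAX_LOGINS 0 means unlimited, so 1 is the strict choice.
apply_login_policy() {
    min_len=$1 nologin=$2 max_logins=$3
    if ! is_integer "$min_len" || [ "$min_len" -lt "$POLICY_MIN_LEN" ]; then
        echo "MIN_PASSWORD_LENGTH must be an integer >= $POLICY_MIN_LEN" >&2
        return 1
    fi
    if [ "$nologin" != 0 ] && [ "$nologin" != 1 ]; then
        echo "NOLOGIN must be 0 or 1" >&2
        return 1
    fi
    if ! is_integer "$max_logins"; then
        echo "NUMBER_OF_LOGINS_ALLOWED must be a non-negative integer" >&2
        return 1
    fi
    set_security_param "$SECURITY_FILE" MIN_PASSWORD_LENGTH "$min_len"
    set_security_param "$SECURITY_FILE" NOLOGIN "$nologin"
    set_security_param "$SECURITY_FILE" NUMBER_OF_LOGINS_ALLOWED "$max_logins"
}

# Constructed starting file: a shipped-style comment and two lax settings.
mkdir -p "$(dirname "$SECURITY_FILE")"
cat > "$SECURITY_FILE" <<'EOF'
# /etc/default/security (constructed sample)
#MIN_PASSWORD_LENGTH=6
NOLOGIN=0
NUMBER_OF_LOGINS_ALLOWED=0
EOF

apply_login_policy 8 1 1
cat "$SECURITY_FILE"
```

After the run the file carries MIN_PASSWORD_LENGTH=8 (appended, since only a commented copy existed), NOLOGIN=1 and NUMBER_OF_LOGINS_ALLOWED=1 (both rewritten in place), and the original comment line is still there. Running it a second time with the same values produces an identical file, which is what makes it safe to include in a repeatable hardening job; the validation rejects a length below the floor or a NOLOGIN value other than 0 or 1 before anything is written.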
