HP UX Bastille Software AccountSecurity.NUMBEROFLOGINSALLOWEDyn, AccountSecurity.PASSWORDMAXDAYS

Page 36

AccountSecurity.NUMBER_OF_LOGINS_ALLOWEDyn

Headline	Set a maximum number of logins per user.
Default	N
Description	Sets the NUMBER_OF_LOGINS_ALLOWEDyn parameter.
Actions	None.

AccountSecurity.PASSWORD_HISTORY_DEPTH

Headline	Set the password history depth.
Default	3
Description	The PASSWORD_HISTORY_DEPTH parameter controls the password history
	depth. A new password is checked against the number of most recently used
	passwords stored in password history for a particular user. Users are not
	allowed to reuse a stored, previously used password.
Actions	Sets the parameter PASSWORD_HISTORY_DEPTH in the /etc/default/
	security file.

AccountSecurity.PASSWORD_HISTORY_DEPTHyn

Headline	Set a password history depth.
Default	N
Description	Sets the PASSWORD_HISTORY_DEPTHyn parameter.
Actions	None.

AccountSecurity.PASSWORD_MAXDAYS

Headline	Set the maximum number of days between password changes.
Default	182
Description	This parameter controls the default maximum number of days that passwords
	are valid. For systems running HP-UX 11.11and HP-UX 11.0, setting this value
	requires conversion to trusted mode. For HP-UX 11.22 and later, shadowed
	password conversion is required. This parameter applies only to local non-root
	users.
Actions	Sets the parameter PASSWORD_MAXDAYS in the /etc/default/security
	file.

AccountSecurity.PASSWORD_MINDAYS

Headline	Set the minimum number of days between password changes.
Default	7
Description	This parameter controls the default minimum number of days until a password
	can be changed. For systems running HP-UX 11.11 and HP-UX 11.0, setting
	this value requires conversion to trusted mode. For HP-UX 11.22 and later,
	shadowed password conversion is required. This parameter applies only to
	local non-root users. When used with password aging, prevents users from
	immediately resetting expired passwords.
Actions	Sets the parameter PASSWORD_MINDAYS in the /etc/default/security
	file.

AccountSecurity.PASSWORD_WARNDAYS

Headline	Set the number of days a user will be warned that their password will expire.
Default	28

36 Question modules

Image 36

Contents HP-UX Bastille Version B.3.3 User Guide Trademark Acknowledgments Table of Contents Index List of Figures HP-UX Bastille user interface Standard assessment reportList of Tables Question modules Security levelsFeatures and benefits About this productCompatibility PerformanceSupport Installing HP-UX Bastille Installation requirementsInstallation Page Using HP-UX Bastille Creating a security configuration profileIf the Path environment variable has not been updated, use 1shows the main screen of the HP-UX Bastille user interfaceConfiguring a system Assessing a systemUsing scored reports Accepted standard configurations are detectedConfiguration for the corresponding question is not Is not always detected. HP-UX Bastille might not detect allScored assessment report Reverting # bastille -rMonitoring drift Locating filesFor more information, see bastilledrift1M Var/opt/secmgmt/bastille/log/Assessment/Drift.txt Removing HP-UX Bastille Check for a TOREVERT.txt fileIf the file exists, complete the actions listed Page Troubleshooting Diagnostic tipsKnown issues and workarounds General use tipsProblems opening, copying, or reading files Errors related to individual configuration filesHP-UX Bastille configures a firewall using IPFilter Cannot use X because $DISPLAY is not setSupport and other resources Contacting HPRelated information Typographic conventions Or damage to hardware or software To complete a taskSupplement important points of the main text Page Install-Time Security ITS using HP-UX Bastille Choosing security levelsEnable kernel-based stack execute protection Table A-3 Additional Sec20MngDMZ security settings1 Selecting security levels during installation Choosing security dependenciesConfiguring HP-UX Bastille for use with Serviceguard Configuring Sec20MngDMZ or Sec30DMZ security levelsConfiguring Sec10Host level Page Question modules AccountSecurity.guilogin AccountSecurity.hidepasswordsAccountSecurity.crontabsfile AccountSecurity.cronuserAccountSecurity.MINPASSWORDLENGTH AccountSecurity.NOLOGINAccountSecurity.NUMBEROFLOGINSALLOWED AccountSecurity.lockaccountnopasswdAccountSecurity.NUMBEROFLOGINSALLOWEDyn AccountSecurity.PASSWORDHISTORYDEPTHAccountSecurity.PASSWORDHISTORYDEPTHyn AccountSecurity.PASSWORDMAXDAYSAccountSecurity.passwordpolicies AccountSecurity.serialportloginAccountSecurity.singleuserpassword AccountSecurity.restricthomeAccountSecurity.SUDEFAULTPATH AccountSecurity.SUDEFAULTPATHynAccountSecurity.systemauditing AccountSecurity.umaskAccountSecurity.umaskyn AccountSecurity.unownedfilesAccountSecurity.userdotfiles AccountSecurity.userrcfilesApache.chrootapache Apache.deactivatehpwsapacheDNS.chrootbind FilePermissions.worldwriteable FTP.ftpusersHPUX.mailconfig HPUX.guibannerHPUX.ndd HPUX.othertools HPUX.screensavertimeout HPUX.restrictswaclsHPUX.scanports HPUX.stackexecuteHPUX.tcpisn IPFilter.blockcfservdIPFilter.blockDNSquery IPFilter.blockhpidsadmin IPFilter.blockhpidsagentYou are managing some remote Hids agents, answer no Hids does notDefault 192.168.1.0/255.255.255.0 Description IPFilter.blocknetrangeIPFilter.blockping IPFilter.blockSecureShellIPFilter.blockwebadmin IPFilter.configureipfilterIPFilter.blockwbem Otherwise, answer no to this questionPage IPFilter.installipfilter MiscellaneousDaemons.configuresshMiscellaneousDaemons.diagnosticslocalonly MiscellaneousDaemons.disablebind MiscellaneousDaemons.disableptydaemonMiscellaneousDaemons.disablepwgrd MiscellaneousDaemons.disablerbootdMiscellaneousDaemons.disablesmbclient MiscellaneousDaemons.disablesmbserverMiscellaneousDaemons.nfscore MiscellaneousDaemons.nobodysecurerpcMiscellaneousDaemons.xaccess OtherbootservMiscellaneousDaemons.sysloglocalonly Patches.spccronrun Patches.spccrontimePatches.spcproxyyn Patches.spcrunSecureInetd.deactivatebootp Printing.printingSecureInetd.banners SecureInetd.deactivatebuiltin SecureInetd.deactivatedttoolsSecureInetd.deactivatefinger SecureInetd.deactivateftpSecureInetd.deactivateident SecureInetd.deactivatektoolsSecureInetd.deactivatentalk SecureInetd.deactivateprinterSecureInetd.deactivaterecserv SecureInetd.deactivaterquotadSecureInetd.deactivatertools SecureInetd.deactivateswatSecureInetd.deactivatetftp SecureInetd.deactivatetimeSecureInetd.deactivateuucp SecureInetd.ftploggingSecureInetd.loginetd SecureInetd.inetdgeneralSecureInetd.owner Sendmail.sendmailcronSendmail.sendmaildaemon Sendmail.vrfyexpnPage Sample weight files All.weightCIS.weight Sample weight file below aligns with the CIS standardCIS.weight Page CIS mapping to HP-UX Bastille CIS IDApache.deactivatehpwsapache AccountSecurity.lockaccountnopasswd Page Index