Security Attributes and the User Database

Previously, in standard mode, all HP-UX security attributes and password policy restrictions were set on a systemwide basis. The user database adds the ability to set security attributes on a per-user basis; a per-user value overrides the systemwide default for that user.

System Security Attributes

A security attribute defines how to control security configurations, such as passwords, logins, and auditing. The security attributes description file, /etc/security.dsc, lists the attributes that can be defined either in /etc/default/security, in the user database in /var/adm/userdb, or in both files. Some attributes are configurable and some are internal.

CAUTION: Do not modify the /etc/security.dsc file in any way.

When a user logs in, the system checks for applicable security attributes in the following order:

1. The system examines per-user attributes in the following locations:

   /var/adm/userdb

   /etc/passwd

   /etc/shadow

NOTE: Each per-user attribute has its value stored in one of the three files above. Refer to security(4) to see which attributes are stored in which file.

2. If there is no per-user value, the system examines the configured systemwide attributes in /etc/default/security.

3. If the attribute is not configured systemwide either, the system uses the default value in /etc/security.dsc.

Configuring Systemwide Attributes

To configure systemwide attributes, follow these steps:

1. Plan your configuration using the available resources. Refer to security(4) for information about configuring systemwide attributes.

2. To change a systemwide default, edit the /etc/default/security file with a text editor such as vi. Comments begin with a pound sign (#). Attributes are written in attribute=value format, one per line.

For example, to set the systemwide minimum number of uppercase characters in a password to two (2), add the following line to /etc/default/security:

PASSWORD_MIN_UPPER_CASE_CHARS=2

NOTE: Changes to systemwide security attributes do not take effect immediately. Password attributes take effect the next time users change their passwords. Login attributes take effect the next time users log in.
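The following POSIX shell script is an added example and is not part of the HP-UX manual. It models both the three-step lookup order (per-user value, then /etc/default/security, then the /etc/security.dsc default) and an edit of /etc/default/security that replaces an existing attribute line instead of appending a duplicate. It assumes only the attribute=value-with-#-comments format the text describes. The /etc/security.dsc format is not shown on this page, so the .dsc default is passed in as an argument rather than parsed, and the per-user value is passed in as well (on a live system it would come from the user database, for example via userdbget(1M), or from /etc/passwd or /etc/shadow). The attribute names other than PASSWORD_MIN_UPPER_CASE_CHARS (MIN_PASSWORD_LENGTH, PASSWORD_MIN_LOWER_CASE_CHARS) are taken from security(4), and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the HP-UX manual. Models the attribute=value
# format of /etc/default/security and the documented lookup order. The
# real /etc/security.dsc format is not shown on the page, so its default
# is supplied as a parameter instead of being parsed.

# set_attr FILE ATTR VALUE
# Set ATTR=VALUE in FILE without creating duplicates: an existing active
# (uncommented) line is replaced in place, otherwise the line is appended.
# Lines beginning with '#' are never touched. VALUE is expected to be a
# plain token (digits or a keyword), as the attributes in security(4) are.
set_attr() {
    file=$1 attr=$2 value=$3
    tmp="$file.tmp.$$"
    if [ -f "$file" ] && grep -q "^$attr=" "$file"; then
        sed "s|^$attr=.*|$attr=$value|" "$file" > "$tmp"
    else
        { [ -f "$file" ] && cat "$file"; printf '%s=%s\n' "$attr" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_attr FILE ATTR
# Print the value of ATTR from FILE (the last active line wins), or nothing
# if the attribute is not configured there.
get_attr() {
    [ -f "$1" ] || return 0
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# effective_value PER_USER FILE ATTR DSC_DEFAULT
# Resolve an attribute the way the text says login does: a non-empty
# per-user value wins, then the systemwide file, then the .dsc default.
effective_value() {
    peruser=$1 file=$2 attr=$3 dscdef=$4
    if [ -n "$peruser" ]; then
        printf '%s\n' "$peruser"
        return 0
    fi
    sys=$(get_attr "$file" "$attr")
    if [ -n "$sys" ]; then
        printf '%s\n' "$sys"
        return 0
    fi
    printf '%s\n' "$dscdef"
}

# Demonstration on a scratch copy. Do not point set_attr at the live
# /etc/default/security without taking a backup first.
demo() {
    f=$(mktemp "${TMPDIR:-/tmp}/security.XXXXXX")
    # Constructed sample contents, not a real HP-UX file.
    printf '# constructed sample of /etc/default/security\nMIN_PASSWORD_LENGTH=8\n' > "$f"
    set_attr "$f" PASSWORD_MIN_UPPER_CASE_CHARS 2
    set_attr "$f" PASSWORD_MIN_UPPER_CASE_CHARS 3   # replaces the line set above
    echo "file now contains:"; cat "$f"
    echo "no per-user value   -> $(effective_value '' "$f" PASSWORD_MIN_UPPER_CASE_CHARS 0)"
    echo "per-user value 1    -> $(effective_value 1 "$f" PASSWORD_MIN_UPPER_CASE_CHARS 0)"
    echo "unset, .dsc default -> $(effective_value '' "$f" PASSWORD_MIN_LOWER_CASE_CHARS 0)"
    rm -f "$f"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh userdb_attrs.sh demo` to see the scratch file after the two edits and the three resolution cases. The replace-in-place behaviour of set_attr is the part worth keeping: appending a second PASSWORD_MIN_UPPER_CASE_CHARS line leaves the file ambiguous about which value is in force, which is exactly the kind of drift an auditor of a hardened host does not want to find.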

User Database Components

The user database feature of HP-UX SMSE includes files, commands, manpages, and per-user attributes you can apply to specific users on your HP-UX system. All these elements of the user database are described in the following sections.

Configuration Files

Table 6-1 “User Database Configuration Files” briefly describes the files you use with the user database.

72 Standard Mode Security Extensions
HP-UX 11i Role-based Access Control (RBAC) Software: Security Attributes and the User Database, System Security Attributes