Description

HP-UX stores the encrypted password string for each user in the /etc/passwd file. These encrypted strings are viewable by anyone with access to the /etc/ file system, typically all users. Using the encrypted string, an attacker can find valid passwords for your system.

Actions

Convert system to trusted mode or use shadowed passwords (dependent on OS version).

AccountSecurity.lock_account_nopasswd

Headline

Lock the local accounts with no password.

Default

Y

Description

Accounts with no passwords allow any user to execute arbitrary actions on your server and invite attack. Passwordless accounts should always be against policy. This item disables accounts with no password.

Actions

Lock all local accounts that do not have a password with the passwd -l command.

AccountSecurity.mesgn

Headline

Set mesg n for all users.

Default

N

Description

The mesg n command forbids messages through write by revoking write permission to users without appropriate privilege on the user's terminal. For a description of mesg, see write(1). Disabling this feature prevents untrusted users from contacting users to solicit credentials or other sensitive data.

Actions

Append the line "mesg n" to the files profile, csh.login, d.profile, and d.login in /etc.

AccountSecurity.MIN_PASSWORD_LENGTH

Headline

Set the minimum length of new passwords.

Default

8

Description

The MIN_PASSWORD_LENGTH parameter controls the minimum length of new passwords. This policy is not enforced for the root user on an untrusted system.

Actions

In the /etc/default/security file, set the parameter MIN_PASSWORD_LENGTH.

AccountSecurity.NOLOGIN

Headline

Non-root users are not allowed to log in if /etc/nologin exists.

Default

N

Description

The NOLOGIN parameter controls non-root login with the /etc/nologin file.

Actions

Sets the parameter NOLOGIN=1 in the /etc/default/security file.

AccountSecurity.NUMBER_OF_LOGINS_ALLOWED

Headline

Enter the maximum number of logins per user.

Default

1

Description

The NUMBER_OF_LOGINS_ALLOWED parameter controls the number of simultaneous sessions allowed per user. This is applicable only for non-root users. This limits user account sharing and alerts users to a compromised account.

Actions

Sets the parameter NUMBER_OF_LOGINS_ALLOWED in the /etc/default/security file.
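The following read-only audit is an added example, not part of the original guide or tool: it lists accounts with an empty password field and checks the three /etc/default/security parameters described above against this page's values. It assumes a passwd-format file that still carries the password field (no trusted mode or shadowing) and NAME=value lines with "#" comments; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of the account-security settings above.
# Assumes colon-separated passwd records and NAME=value security lines.

# List accounts whose password field (2nd) is empty; skip NIS +/- entries.
empty_password_accounts() {   # $1 = passwd-format file
    awk -F: '$1 !~ /^[+-]/ && NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Print the effective (last) value of a parameter, or nothing if unset.
get_param() {                 # $1 = security file, $2 = parameter name
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { n = $1; v = $2; gsub(/[ \t]/, "", n); gsub(/[ \t]/, "", v) }
        n == k { val = v; hit = 1 }
        END { if (hit) print val }' "$1"
}

# Report PASS/FAIL for one parameter. op is "eq" (exact) or "ge" (minimum).
check_param() {               # $1 = file, $2 = name, $3 = op, $4 = wanted
    have=$(get_param "$1" "$2")
    case "$have" in
        ''|*[!0-9]*) echo "FAIL $2 unset-or-nonnumeric"; return 0 ;;
    esac
    if [ "$3" = ge ] && [ "$have" -ge "$4" ]; then echo "PASS $2=$have"
    elif [ "$3" = eq ] && [ "$have" -eq "$4" ]; then echo "PASS $2=$have"
    else echo "FAIL $2=$have want-$3-$4"
    fi
}

# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'root:Xq3fakehash01:0:3::/:/sbin/sh' \
    'guest::200:20:Guest:/home/guest:/usr/bin/sh' \
    'ops:Zz9fakehash02:201:20::/home/ops:/usr/bin/sh' > "$tmp/passwd"
printf '%s\n' '# constructed sample' 'MIN_PASSWORD_LENGTH=6' \
    'NOLOGIN=1' '#NUMBER_OF_LOGINS_ALLOWED=1' > "$tmp/security"

empty_password_accounts "$tmp/passwd"
check_param "$tmp/security" MIN_PASSWORD_LENGTH ge 8
check_param "$tmp/security" NOLOGIN eq 1
check_param "$tmp/security" NUMBER_OF_LOGINS_ALLOWED eq 1
```

On a live system, point the functions at /etc/passwd and /etc/default/security; a commented-out or missing parameter is reported as a failure because the file does not set it.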
