configuring a umask for all of the user shells, HP-UX 11.22 and later have an option in the /etc/default/security file to set the default system umask. This parameter controls umask(2) of all sessions initiated with pam_unix(5) which can then be overridden by the shell. NOTE: If your system is converted to trusted mode, this parameter will be overridden by the trusted system default umask, which is 077.

Actions Set the selected umask in all known shell startup scripts.

AccountSecurity.umaskyn

Headline

Set the default umask.

Default

N

Description

Set the default umask.

Actions

None.

AccountSecurity.unowned_files

Headline

Assign unowned files to the bin user.

Default

N

Description

Do not leave files owned by users or groups that do not have meaning to the

 

system. If a user or group is later defined with the uid or gid that owns that

 

file, the data could be exposed to potentially unauthorized access. This can

 

happen when a user is deleted without cleaning up the file system. This item

 

will look for files that are not owned by a defined system user or group and

 

assign those files to bin.

Actions

Find all local files that are not owned by a defined system user and/or group.

 

Assign those files to bin. Remove world-writable, suid and sgid bits from

 

these files.

AccountSecurity.user_dot_files

Headline

Remove world-write permission from local user account dot files.

Default

Y

Description

Dot files, or those that begin with a "." are hidden from standard file lists and

 

are often used for configuration. The combination of being less visible and

 

being used to change the behavior of the user account means that if an incorrect

 

permission is set (perhaps with a loose umask), the account could be subject

 

to attack. This item reviews the local user account store, finds the local home

 

directories, and removes the world-writeable bit, if any. This is a simple, and

 

relatively safe operation.

Actions

Find all local non-root login home directories and ensure that any "dot" files

 

within those directories do not have world-writable permissions.

AccountSecurity.user_rc_files

Headline

Delete .shosts, .rhosts, and .netrc from the local user accounts

Default

Y

Description

.shosts, .rhosts, and .netrc are files that sit in the home directories of users and

 

are used to create trust relationships between given users on a system and

 

other systems. Such non-interactive trust is dangerous as it creates the potential

 

for an attacker to leverage those trust relationships if they manage to expose

 

an account. If there is no business need for static trust, delete these files.

Actions

Find all local non-root login home directories, and delete the files .shosts,

 

.rhosts, and .netrc if found within those directories.

39

Page 38 Page 40
Page 39
Image 39
HP UX Bastille Software manual AccountSecurity.umaskyn, AccountSecurity.unownedfiles, AccountSecurity.userdotfiles
Page 38 Page 40
Top Page Image Contents