5.11.2 Protected databases

The following databases are consulted by the identification and authentication subsystem during user session initiation:

/etc/passwd: For all system users, it stores the login name, user ID, primary group ID, real name, home directory, and shell. Each user’s entry occupies one line, and fields are separated by a colon (:). The file is owned by the root user and root group, and its mode is 644.

/etc/security/opasswd: For all system users, it stores the X most recent passwords in order to enforce password change history and keep users from alternating between the same passwords too frequently (remember = X; this is one of the options supported by pam_unix.so). The file is owned by the root user and root group, and its mode is 644.

/etc/group: For system groups, stores group names, group IDs, supplemental group IDs, and group memberships. Each group’s entry occupies one line and fields are separated by a colon (:). The file is owned by the root user and root group, and its mode is 644.

/etc/shadow: For all system users, it stores the user name, hashed password, last password change time (in days since the epoch), minimum number of days that must pass before the password can be changed again, maximum number of days after which the password must be changed, number of days before the password expires when the user is warned, number of days after the password expires that the account is locked, and total lifetime of the account. The MD5 hashing algorithm is used to build the password checksum. The file is owned by the root user and shadow group, and its mode is 400.

/etc/gshadow: This is the group counterpart of the shadow file. For all system groups, it stores group names, group hashed passwords, and membership information. The MD5 hashing algorithm is used to build the password checksum. The file is owned by the root user and shadow group, and its mode is 400. Group passwords are not used in the TOE.

/var/log/lastlog: The time and date of the last successful login for each user is stored here. The file is owned by the root user and tty group, and its mode is 644.

/var/log/faillog: faillog maintains the count of login failures and the limits for each user account. The file consists of fixed-length records, indexed by numerical UID. Each record contains the count of login failures since the last successful login, the maximum number of failures before the account is disabled, the line on which the last login failure occurred, and the date of the last login failure. The file is owned by the root user and root group, and its mode is 644.

/etc/login.defs: This database defines various configuration options for the login process, such as the minimum and maximum user ID for automatic selection by the command useradd, the minimum and maximum group ID for automatic selection by the command groupadd, password aging controls, the default location for mail, and whether to create a home directory when creating a new user. The file is owned by the root user and root group, and its mode is 644.

/etc/securetty: Lists ttys from which the root user can log in. Device names are listed one per line, without the leading /dev/. The file is owned by the root user and root group, and its mode is 644.

/var/run/utmp: The utmp file stores information about who is currently using the system. It contains a sequence of entries, each with the name of the special file associated with the user's terminal, the user's login name, and the time of login in time(2) form. The file is owned by the root user and tty group, and its mode is 664.

/var/log/wtmp: The wtmp file records all logins and logouts. Its format is exactly like utmp except that a null user name indicates a logout on the associated terminal. Furthermore, the terminal name tilde (~) with a user name of "shutdown" or "reboot" indicates a system shutdown or reboot, and the pair of terminal names "|"/"}" logs the old/new system time when the command date changes it. The file is owned by the root user and tty group, and its mode is 664.
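As an added example (not part of the evaluation document or of the TOE itself), the following Python turns two parts of this section into checks: deviations() compares a file's owner, group and mode against the values documented above, and parse_shadow_line()/password_status() decode the /etc/shadow aging fields into a per-user password state. The shadow entries in SAMPLE are constructed, and the state names returned by password_status() are the example's own.

```python
# Owner, group and mode for each database, transcribed from the section above.
EXPECTED = {
    "/etc/passwd": ("root", "root", "0644"), "/etc/security/opasswd": ("root", "root", "0644"),
    "/etc/group": ("root", "root", "0644"), "/etc/shadow": ("root", "shadow", "0400"),
    "/etc/gshadow": ("root", "shadow", "0400"), "/var/log/lastlog": ("root", "tty", "0644"),
    "/var/log/faillog": ("root", "root", "0644"), "/etc/login.defs": ("root", "root", "0644"),
    "/etc/securetty": ("root", "root", "0644"), "/var/run/utmp": ("root", "tty", "0664"),
    "/var/log/wtmp": ("root", "tty", "0664"),
}

def deviations(path, owner, group, mode):
    """List how (owner, group, octal mode string) differ from the documented values; [] means compliant."""
    pairs = zip(("owner", "group", "mode"), (owner, group, mode), EXPECTED[path])
    return [f"{k}: {got} != {want}" for k, got, want in pairs if got != want]

FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inact", "expire", "flag")

def parse_shadow_line(line):
    """Split one /etc/shadow line into its nine fields; empty aging fields become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed shadow entry: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for k in FIELDS[2:8]:
        rec[k] = int(rec[k]) if rec[k] else None
    return rec

def password_status(rec, today):
    """Classify a record by its aging fields; today is in days since the epoch, like lastchg."""
    if rec["hash"].startswith(("!", "*")):
        return "locked"          # no hash can match, so password login is disabled
    if rec["expire"] is not None and today >= rec["expire"]:
        return "account-expired"
    if rec["lastchg"] == 0:
        return "must-change"     # forced change at next login
    if rec["lastchg"] is None or rec["max"] is None:
        return "ok"              # aging disabled
    due = rec["lastchg"] + rec["max"]
    if today > due:              # password has expired; inact days of grace before lockout
        return "inactive" if rec["inact"] is not None and today > due + rec["inact"] else "password-expired"
    return "warn" if rec["warn"] is not None and today >= due - rec["warn"] else "ok"

# Constructed sample entries (not from any real system); "$1$" is the MD5 scheme the section names.
SAMPLE = ["root:$1$c0ns$tructedhash:13000:0:99999:7:::",
          "alice:$1$c0ns$tructedhash:13000:1:90:7:14::",
          "bob:!$1$c0ns$tructedhash:13000:0:90:7:::",
          "carol:$1$c0ns$tructedhash:0:0:90:7:::"]

def report(lines=SAMPLE, today=13100):
    return {r["name"]: password_status(r, today) for r in map(parse_shadow_line, lines)}
```

On a live system, feed deviations() the names from pwd.getpwuid()/grp.getgrgid() and the mode as f"{stat.S_IMODE(os.stat(path).st_mode):04o}".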

IBM 10 SP1 EAL4 manual Protected databases