security(4)

HP-UX 11i Version 3: February 2007
NAME

security — security defaults configuration file

DESCRIPTION

A number of system commands and features are configured based on certain attributes defined in the /etc/default/security configuration file. This file must be world readable and root writable.

Each line in the file is treated either as a comment or as configuration information for a given system command or feature. Comments are denoted by a # at the beginning of a line. Noncomment lines are of the form attribute=value.

If any attribute is not defined or is commented out in this file, the default behavior detailed below will apply. The default value of each attribute is defined in the /etc/security.dsc file.

Attribute definitions, valid values, and defaults are defined as follows:

ABORT_LOGIN_ON_MISSING_HOMEDIR

This attribute controls login behavior if a user's home directory does not exist. Note that this is only enforced for non-root users and only applies to the login command or those services that indirectly invoke login such as the telnetd and rlogind commands.

ABORT_LOGIN_ON_MISSING_HOMEDIR=0 Login with '/' as the home directory if the user's home directory does not exist.

ABORT_LOGIN_ON_MISSING_HOMEDIR=1 Exit the login session if the user's home directory does not exist.

Default value: ABORT_LOGIN_ON_MISSING_HOMEDIR=0

ALLOW_NULL_PASSWORD

This attribute determines whether or not users with a null password can login. It does not apply to trusted systems. This attribute is supported only for non-root users managed by pam_unix (described in pam_unix(5)); this typically includes local and NIS users. For local users, the system-wide default defined here in /etc/default/security may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).

ALLOW_NULL_PASSWORD=0 Users with a null password cannot login.

ALLOW_NULL_PASSWORD=1 Users with a null password can login.

Default value: ALLOW_NULL_PASSWORD=1

AUDIT_FLAG

This attribute controls whether or not users are to be audited. It does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)). For more information about HP-UX auditing, see audit(5).

AUDIT_FLAG=0 Do not audit.

AUDIT_FLAG=1 Audit.

Default value: AUDIT_FLAG=1

AUTH_MAXTRIES

This attribute controls whether an account is locked after too many consecutive authentication failures. It does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). Other PAM service modules in your configuration may enforce additional restrictions. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).

When an account has been locked due to too many authentication failures, root can unlock the account by this command:

userdbset -d -u username auth_failures

AUTH_MAXTRIES=0 Any number of authentication retries is allowed.

AUTH_MAXTRIES=N An account is locked after N+1 consecutive authentication failures. N can be any positive integer.

Default value: AUTH_MAXTRIES=0

BOOT_AUTH

This attribute controls whether authentication is required to boot the system into single user mode. If enabled, the system cannot be booted into single user mode until the password of an authorized user is provided.

This attribute does not apply to trusted systems. However, if boot authentication is enabled on a standard system, then when the system is converted to a trusted system, boot authentication will also be enabled as default for the trusted system.

BOOT_AUTH=0 Boot authentication is turned OFF.

BOOT_AUTH=1 Boot authentication is turned ON.

Default value: BOOT_AUTH=0

BOOT_USERS

This attribute defines the names of users who are authorized to boot the system into single user mode from the console. Names are separated by a comma (,). It only takes effect when boot authentication is enabled. Refer to the description of the BOOT_AUTH attribute.

The BOOT_USERS attribute does not apply to trusted systems. However, when a standard system is converted to a trusted system, this information is translated.

For example:

BOOT_USERS=mary,jack

In addition to the root user, the users mary and jack can boot the system into single user mode from the console.

Default value: BOOT_USERS=root

DISPLAY_LAST_LOGIN

This attribute controls whether a successful login displays the date, time and origin of the last successful login and the last authentication failure. Times are displayed using the system's time zone. See the discussion of time zones in the Notes section. This attribute does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).

DISPLAY_LAST_LOGIN=0 Information is not displayed.

DISPLAY_LAST_LOGIN=1 Information is displayed.

Default value: DISPLAY_LAST_LOGIN=1

INACTIVITY_MAXDAYS

This attribute controls whether an account is locked if there have been no logins to the account for a specified time interval. It does not apply to trusted systems. This attribute is supported only for non-root users managed by pam_unix (described in pam_unix(5)); this typically includes local and NIS users. In most cases this attribute can be enforced only as a system-wide default, however, for local users on a shadow password system, the system-wide default defined here in /etc/default/security may be overridden by defining a per-user value in the inactivity field of /etc/shadow with either one of these commands:

useradd -f inactive_maxdays

usermod -f inactive_maxdays

When an account has been locked due to this feature, root can unlock the account by this command:

userdbset -d -u username login_time

INACTIVITY_MAXDAYS=0 Inactive accounts are not expired.

INACTIVITY_MAXDAYS=N Inactive accounts are expired if there have been no logins to the account for at least N days. N can be any positive integer.

Default value: INACTIVITY_MAXDAYS=0

LOGIN_TIMES

This attribute restricts logins to specific time periods. Login time restrictions are based on the system's time zone. See the discussion of time zones in the Notes section. This attribute does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). Other PAM service modules in your configuration may enforce additional restrictions. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).

LOGIN_TIMES=timeperiod An account is locked if the current time is not within the specified time period. The timeperiod consists of any number of day and time ranges separated by colons. A user is allowed to access the system when the login time is within any of the specified ranges. The days are specified by the following abbreviations:

Su Mo Tu We Th Fr Sa Wk Any

Where Wk is all week days and Any is any day of the week.

A time range can be included after the day specification. A time range is a 24-hour time period, specified as hours and minutes separated by a hyphen. Each time must be specified with 4 digits (HHMM-HHMM). Leading zeros are required. This time range indicates the start and end time for the specified days. The start time must be less than the end time. When no time range is specified, all times within the day(s) are valid.

If the current time is within the range of any of the time ranges specified for a user, the user is allowed to access the system.

Do not use 0000-0000 as a time range to prevent user access. For example, Any:Fr0000-0000 cannot be used to disallow access on Fridays. Instead, SuMoTuWeThSa should be used. See the EXAMPLES section.

Default value: LOGIN_TIMES=Any (can login any day of the week)

MIN_PASSWORD_LENGTH

This attribute controls the minimum length of new passwords. On trusted systems it applies to all users. On standard systems it applies to non-root local users and to NIS users. The system-wide default defined here may be overridden by defining per-user values in /var/adm/userdb (described in userdb(4)).

MIN_PASSWORD_LENGTH=N New passwords must contain at least N characters. For standard systems, N can be any value from 3 to 8. For trusted systems, N can be any value from 6 to 80.

Default value: MIN_PASSWORD_LENGTH=6

NOLOGIN

This attribute controls whether non-root login can be disabled by the /etc/nologin file. Note that this attribute only applies to the applications that use session management services provided by pam_hpsec as configured in /etc/pam.conf, or those services that indirectly invoke login such as the telnetd and rlogind commands. Other services may or may not choose to enforce the /etc/nologin file.

NOLOGIN=0 Ignore the /etc/nologin file and do not exit if the /etc/nologin file exists.

NOLOGIN=1 Display the contents of the /etc/nologin file and exit if the /etc/nologin file exists.

Default value: NOLOGIN=0

NUMBER_OF_LOGINS_ALLOWED

This attribute controls the number of simultaneous logins allowed per user. Note that this is only enforced for non-root users and only applies to the applications that use session management services provided by pam_hpsec as configured in /etc/pam.conf, or those services that indirectly invoke login, such as the telnetd and rlogind commands. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).

NUMBER_OF_LOGINS_ALLOWED=0 Any number of logins are allowed per user.

NUMBER_OF_LOGINS_ALLOWED=N At most N simultaneous logins are allowed per user.

Default value: NUMBER_OF_LOGINS_ALLOWED=0

PASSWORD_HISTORY_DEPTH

This attribute controls the password history depth. A new password is checked against passwords stored in the user's password history. This prevents the user from re-using a recently used password. This attribute applies only to local users.

For a trusted system, the maximum password history depth is 10 and the minimum is 1.

For a standard system, the maximum password history depth is 24 and the minimum is 1. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).

PASSWORD_HISTORY_DEPTH=N A new password is checked against the N most recently used passwords, including the current password. For example, a password history depth of 2 prevents a user from alternating between two passwords.

Default value: PASSWORD_HISTORY_DEPTH=1 (cannot re-use the current password)

PASSWORD_MIN_type_CHARS

Attributes of this form are used to require new passwords to have a minimum number of characters of particular types (upper case, lower case, digits or special characters). This can be helpful in enforcing site security policies about selecting passwords that are not easy to guess. This attribute applies only to non-root local users. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).

PASSWORD_MIN_UPPER_CASE_CHARS=N Specifies that a minimum of N upper-case characters are required in a password when changed.

PASSWORD_MIN_LOWER_CASE_CHARS=N Specifies that a minimum of N lower-case characters are required in a password when changed.

PASSWORD_MIN_DIGIT_CHARS=N Specifies that a minimum of N digit characters are required in a password when changed.

PASSWORD_MIN_SPECIAL_CHARS=N Specifies that a minimum of N special characters are required in a password when changed.

Default value: The default for each of these attributes is zero.

PASSWORD_MAXDAYS

This attribute controls the default maximum number of days that passwords are valid. This value, if specified, is used by the authentication subsystem during the password change process in the case where aging restrictions do not already exist for the given user. The value takes effect after the password change. This attribute applies only to local users and does not apply to trusted systems. The passwd -x option can be used to override this value for a specific user.

PASSWORD_MAXDAYS=N A new password is valid for up to N days, after which the password must be changed. N can be an integer from -1 to 441.

Default value: PASSWORD_MAXDAYS=-1 (password aging is turned off)

PASSWORD_MINDAYS

This attribute controls the default minimum number of days before a password can be changed. This value is used by the authentication subsystem during the password change process in the case where aging restrictions do not already exist for the user. The value is stored persistently and takes effect after the password change. This attribute applies only to local users and does not apply to trusted systems. The passwd -n option can be used to override this value for a specific user.

PASSWORD_MINDAYS=N A new password cannot be changed until at least N days since it was last changed. N can be an integer from 0 to 441.

Default value: PASSWORD_MINDAYS=0

PASSWORD_WARNDAYS

This attribute controls the default number of days before password expiration that a user is to be warned that the password must be changed. This value, if specified, is used by the authentication subsystem during the password change process in the case where aging restrictions do not already exist for the given user. The value takes effect after the password change. This attribute applies only to local users on shadow password systems. The passwd -w option can be used to override this value for a specific user.

PASSWORD_WARNDAYS=N Users are warned N days before their password expires. N can be an integer from 0 to 441.

Default value: PASSWORD_WARNDAYS=0 (no warning)

SU_DEFAULT_PATH

This attribute defines the PATH environment value that su sets when switching to a non-superuser account. Refer to su(1).

SU_DEFAULT_PATH=new_PATH

The PATH environment variable is set to new_PATH when the su command is invoked. The path value is not validated. This attribute does not apply to a superuser account, and is applicable only when the "-" option is not used with the su command.

Default value: If this attribute is not defined or if it is commented out, PATH is not changed.

SU_KEEP_ENV_VARS

This attribute forces su to propagate certain 'unsafe' environment variables to its child process despite the security risk of doing so. Refer to su(1).

By default, su does not export the environment variables HOME, ENV, IFS, SHLIB_PATH or LD_* because they could be maliciously misused. Any combination of these can be specified in this entry, with a comma separating the variables. Currently, no other environment variables may be specified in this way. This may change in future HP-UX releases as security needs require.

SU_KEEP_ENV_VARS=var1,var2,...,varN

Default value: If this attribute is not defined or if it is commented out, these environment variables will not be propagated by the su command.

SU_ROOT_GROUP

This attribute defines the root group name for the su command. Refer to su(1).

SU_ROOT_GROUP=group_name The root group name is set to the specified symbolic group name. The su command enforces the restriction that a non-superuser must be a member of the specified root group to be allowed to su to root. This does not alter password checking.

Default value: If this attribute is not defined or if it is commented out, there is no default value. In this case, a non-superuser is allowed to su to root without being bound by root group restrictions.

UMASK

This attribute controls umask() of all sessions initiated via pam_hpsec. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). It accepts values from 0 to 0777 as an unsigned octal integer (must have a leading zero to denote octal). The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).

UMASK=default_umask

The current umask is set or restricted further with the value of default_umask. For trusted systems, the umask is also restricted so as not to exceed SEC_DEFAULT_MODE defined in /usr/include/hpsecurity.h.

Default value: UMASK=0

Notes

Use the functions defined in secdef(3) to read the values of the attributes defined in this file.

The usage, possible values and default value of each of the attributes described in this manpage is defined in the /etc/security.dsc file.

The behavior of some attributes is affected by the time zone. For these attributes the time zone is determined by the first line of the form TZ=timezone in the file /etc/TIMEZONE. If the time zone is not specified in this file, it is obtained from the file /etc/default/tz, as described in tzset(3C).

EXAMPLES

The following are examples of LOGIN_TIMES usage.

SaSu:Wk1800-2400

The user can login to the system all day on weekends and after 6:00 pm on week days.

MoWeFr1000-1400:TuThSu0800-1700

The user can login to the system on Monday, Wednesday and Friday from 10:00 am to 2:00 pm and on Tuesday, Thursday, and Sunday from 8:00 am to 5:00 pm.

Any0400-1300

The user can login to the system every day from 4:00 am until 1:00 pm.

Any

No day or time restrictions. This is the default.

Mo1800-2400:Tu0000-0300

The user can login to the system any time between Monday after 6:00 pm until Tuesday at 3:00 am.

Mo0000-0300:Mo1800-2400

The user can only login to the system on Mondays between midnight and 3:00 am or after 6:00 pm on Mondays.
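The following is an added illustration, not HP code, of the LOGIN_TIMES syntax described under the attribute and in the examples above: a parser for the day/time-range format and a check that decides whether a login at a given weekday and HHMM time is permitted. It also shows why Any:Fr0000-0000 does not deny Fridays (the Any range still matches) while SuMoTuWeThSa does. Assumptions: end times are treated as exclusive, and a start time equal to the end time is accepted as an empty range purely to demonstrate that pitfall; the real pam_hpsec behaviour at those boundaries is not stated in the manpage.

```python
import re
from datetime import datetime

# Day abbreviations from the manpage; Wk = all weekdays, Any = every day.
# Day numbers follow datetime.weekday(): Monday = 0 ... Sunday = 6.
_DAYS = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
_ABBR = {n: d for d, n in _DAYS.items()}
_GROUPS = {"Wk": {0, 1, 2, 3, 4}, "Any": set(range(7))}
_RANGE_RE = re.compile(r"^((?:Any|Wk|Su|Mo|Tu|We|Th|Fr|Sa)+)(?:(\d{4})-(\d{4}))?$")


def _hhmm(s: str) -> int:
    """Convert a 4-digit HHMM string (leading zeros required) to minutes after midnight."""
    if not re.fullmatch(r"\d{4}", s):
        raise ValueError(f"time must be exactly 4 digits: {s!r}")
    h, m = int(s[:2]), int(s[2:])
    if m > 59 or h > 24 or (h == 24 and m != 0):
        raise ValueError(f"bad time {s!r}")
    return h * 60 + m


def parse_login_times(spec: str) -> list:
    """Parse a LOGIN_TIMES value into (days, start_minute, end_minute) tuples.

    Ranges are colon-separated; each is a run of day abbreviations with an
    optional HHMM-HHMM suffix.  No suffix means the whole day.  The manpage
    requires start < end; start == end (e.g. 0000-0000) is accepted here as an
    empty range only so the example can show why it cannot deny access (assumption).
    """
    ranges = []
    for part in spec.split(":"):
        m = _RANGE_RE.fullmatch(part)
        if not m:
            raise ValueError(f"malformed range {part!r}")
        days = set()
        for abbr in re.findall(r"Any|Wk|Su|Mo|Tu|We|Th|Fr|Sa", m.group(1)):
            days |= _GROUPS[abbr] if abbr in _GROUPS else {_DAYS[abbr]}
        if m.group(2):
            start, end = _hhmm(m.group(2)), _hhmm(m.group(3))
            if start > end:
                raise ValueError(f"start time must precede end time in {part!r}")
        else:
            start, end = 0, 24 * 60
        ranges.append((frozenset(days), start, end))
    return ranges


def allowed_at(spec: str, day: str, hhmm: str) -> bool:
    """True if day ('Mo'..'Su') at time 'HHMM' is inside any range (end exclusive, assumption)."""
    weekday, minute = _DAYS[day], _hhmm(hhmm)
    return any(weekday in days and start <= minute < end
               for days, start, end in parse_login_times(spec))


def login_allowed(spec: str, when: datetime) -> bool:
    """Same check for a datetime already expressed in the system's time zone."""
    return allowed_at(spec, _ABBR[when.weekday()], f"{when.hour:02d}{when.minute:02d}")


if __name__ == "__main__":
    print(allowed_at("SaSu:Wk1800-2400", "Mo", "2000"))  # True: weekday evening
    print(allowed_at("Any:Fr0000-0000", "Fr", "1200"))    # True: Any still matches Friday
    print(allowed_at("SuMoTuWeThSa", "Fr", "1200"))       # False: Friday simply omitted
```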

WARNINGS

HP-UX 11i Version 3 is the last release to support trusted systems functionality.

AUTHOR

The security file was developed by HP.

FILES

/etc/default/security

security defaults configuration file

/etc/security.dsc

security attributes description file

/var/adm/userdb

user database

© 1983-2007 Hewlett-Packard Development Company, L.P.