HP-UX Bastille Version B.3.3 User Guide

C Question modules
AccountSecurity.ABORT_LOGIN_ON_MISSING_HOMEDIR
Headline Do not allow logins unless the home directory exists.
Default N
Description
The ABORT_LOGIN_ON_MISSING_HOMEDIR parameter controls what login does when a
user's home directory does not exist. With the value 1 the login is refused;
with the value 0 (the behavior when the parameter is unset) the login proceeds
and the user is placed in the root directory (/) instead. Refusing such logins
keeps an account whose home directory was removed during deprovisioning from
continuing to work, and avoids running a session from a directory whose
dot-files the user does not control.
Actions
Set ABORT_LOGIN_ON_MISSING_HOMEDIR=1 in /etc/security.
AccountSecurity.atuser
Headline Restrict the use of at to administrative accounts.
Default N
Description
The at command lets users submit jobs for the system to run at a particular
time. Administrators use it to defer work to periods when the system is
otherwise idle. However, having commands run later or unattended is a privilege
that can be abused, and it makes actions harder to attribute and track. Many
sites therefore restrict at to administrative accounts. HP suggests that new
administrators restrict at until they understand how it can be abused and
which users genuinely need it. Access is granted by listing users in the
/etc/at.allow file, which can be edited later as needs change. If at.allow does
not exist, at consults at.deny instead, and on a default installation that
leaves every user able to submit at jobs.
Actions
Delete the file at.deny
Create or replace the file at.allow with a single entry for user root
Set permissions to 0400
Change ownership to root:sys
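The four Actions above, as an added shell example that is not Bastille's own code. The directory holding at.allow and at.deny is passed as an argument so the functions can be tried on a scratch directory before being pointed at the real one; the guide names /etc/at.allow, while the at(1) man page on HP-UX 11i places the files in /var/adm/cron, so check your own system first. The check_at function verifies the resulting state but deliberately does not test ownership, since chown to root:sys only succeeds when run as root.

```shell
#!/bin/sh
# Hypothetical implementation of the at.allow/at.deny Actions; not Bastille's
# own code.  DIR is the directory holding the two files (assumed, see lead-in).

# restrict_at DIR: remove at.deny, write an at.allow containing only root,
# mode 0400, owner root:sys.
restrict_at() {
    dir=$1
    rm -f "$dir/at.deny"
    rm -f "$dir/at.allow"      # a 0400 file from an earlier run cannot be overwritten in place
    ( umask 077; printf 'root\n' > "$dir/at.allow" )   # never world-readable, even briefly
    chmod 0400 "$dir/at.allow"
    chown root:sys "$dir/at.allow" 2>/dev/null \
        || echo "restrict_at: chown root:sys failed (not running as root?)" >&2
}

# check_at DIR: return 0 if DIR is in the state the Actions describe; otherwise
# print the first discrepancy found and return 1.  Ownership is not checked
# because it cannot be set in an unprivileged run.
check_at() {
    dir=$1
    [ ! -e "$dir/at.deny" ] || { echo "at.deny still exists"; return 1; }
    [ -f "$dir/at.allow" ]  || { echo "at.allow missing"; return 1; }
    users=$(grep -v '^[[:space:]]*$' "$dir/at.allow" | tr -d ' \t')
    [ "$users" = root ] || { echo "at.allow lists: $users (want root only)"; return 1; }
    mode=$(ls -l "$dir/at.allow" | cut -c1-10)   # portable mode check; HP-UX has no stat -c
    [ "$mode" = "-r--------" ] || { echo "at.allow mode is $mode, want 0400"; return 1; }
    return 0
}

# Usage: sh restrict_at.sh /var/adm/cron   (adjust the directory for your system)
if [ $# -eq 1 ]; then restrict_at "$1" && check_at "$1"; fi
```

Run check_at on its own as an audit step; it reports the first thing that drifted from the expected state, such as an at.deny that a later package install recreated.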
AccountSecurity.AUTH_MAXTRIES
Headline Lock account after too many consecutive authentication failures.
Default N
Description
The AUTH_MAXTRIES parameter controls whether an account is locked after too
many consecutive authentication failures; its value is the number of
consecutive failures allowed before the lock takes effect, and 0 disables the
limit. It does not apply to trusted systems. This parameter is supported for
users in all name service switch (NSS) repositories, such as local files, NIS,
and LDAP. Because anyone who can reach a login prompt can deliberately exhaust
another user's attempts, a low value also makes it easy to lock out legitimate
accounts, so keep an administrative path that does not depend on the locked
account.
Actions
Set AUTH_MAXTRIES=1 in /etc/security.
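Both the ABORT_LOGIN_ON_MISSING_HOMEDIR and AUTH_MAXTRIES Actions amount to setting a KEY=VALUE line in /etc/security. The following shell helpers are an added example, not Bastille's code; they take the file path as an argument so they can be exercised on a copy, assume the one-KEY=VALUE-per-line format with "#" comments that security(4) documents, and assume mode 0444 for the rewritten file (readable by login, writable by nobody). The audit function treats AUTH_MAXTRIES=0 or unset as "no lockout".

```shell
#!/bin/sh
# Hypothetical helpers for /etc/security-style files; not Bastille's own code.
# FILE is passed explicitly so the functions can be tried on a copy first.

# set_security_param FILE KEY VALUE: replace every existing assignment of KEY
# (even an indented one) with a single KEY=VALUE line, appending if absent.
set_security_param() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"            # create an empty file if missing
    tmp="${file}.tmp.$$"
    grep -v "^[[:space:]]*${key}=" "$file" > "$tmp" || true   # grep exits 1 when nothing remains
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    chmod 0444 "$tmp"                        # assumed mode: readable by login(1), writable by nobody
    mv -f "$tmp" "$file"
}

# get_security_param FILE KEY: print the effective value (last assignment wins),
# or nothing if KEY is not set.
get_security_param() {
    sed -n "s/^[[:space:]]*${2}=//p" "$1" | sed -n '$p'
}

# audit_login_params FILE: return 0 only if both settings from this section are
# in effect, printing each one that is not.
audit_login_params() {
    rc=0
    if [ "$(get_security_param "$1" ABORT_LOGIN_ON_MISSING_HOMEDIR)" != 1 ]; then
        echo "ABORT_LOGIN_ON_MISSING_HOMEDIR is not 1: logins with a missing home directory are allowed"
        rc=1
    fi
    case "$(get_security_param "$1" AUTH_MAXTRIES)" in
        ''|0) echo "AUTH_MAXTRIES unset or 0: no lockout after failed authentication"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh security_params.sh /etc/security                 (audit)
#        sh security_params.sh /etc/security AUTH_MAXTRIES 1 (set one parameter)
if [ $# -eq 1 ]; then audit_login_params "$1"; fi
if [ $# -eq 3 ]; then set_security_param "$1" "$2" "$3"; fi
```

Replacing the whole line rather than editing the value in place is what keeps the result idempotent: a second run, or a run against a file that already carried a commented-out or indented assignment, still ends with exactly one live assignment of each key.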
AccountSecurity.block_system_accounts
Headline Disable login access to the system accounts.
Default N
Description System accounts are provisioned on a new system, for example bin, sys, uucp,
and so on. These accounts (except for root) exist to own files, processes, or
system resources and are not normally logged into. Because these accounts
have broad access to the system, HP recommends disabling interactive login for
them. Locking the password and setting the shell to /bin/false does that while
leaving the account in place, so files it owns and daemons that run under it
are unaffected. This item disables the default system accounts.
Actions
Lock the account and change the user shell to /bin/false for the following
users: www sys smbnull iwww owww sshd hpsmh named uucp nuucp adm
daemon bin lp nobody noaccess hpdb useradm.
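An audit of the state this item produces, as an added shell example that is not Bastille's code: it reads a passwd(4)-format file passed as an argument (so it can run on a copy) and reports any of the listed accounts that still look login-capable. It assumes that a locked entry has a password field beginning with "*" (what passwd -l writes on HP-UX) or "!" (what many other UNIX systems write), and that a field of "x" means the real entry lives in a shadow file, which this script does not open.

```shell
#!/bin/sh
# Hypothetical audit for the block_system_accounts item; not Bastille's own
# code.  PASSWD is a passwd(4)-format file; assumptions on the lock markers
# are stated in the lead-in.
SYSTEM_ACCOUNTS="www sys smbnull iwww owww sshd hpsmh named uucp nuucp adm daemon bin lp nobody noaccess hpdb useradm"

# audit_system_accounts PASSWD: print one line per listed account that is not
# both locked and shell-less; return 0 if none were found, else 1.
audit_system_accounts() {
    passwd=$1
    bad=0
    for u in $SYSTEM_ACCOUNTS; do
        line=$(grep "^${u}:" "$passwd") || continue     # account not provisioned on this system
        pw=$(printf '%s\n' "$line" | cut -d: -f2)
        shell=$(printf '%s\n' "$line" | cut -d: -f7)
        case $pw in
            \**|!*) state=locked ;;                       # assumed lock markers, see lead-in
            x)      state="shadowed (verify the lock in the shadow file)" ;;
            '')     state="EMPTY PASSWORD" ;;             # logs in with no credential at all
            *)      state="password set" ;;
        esac
        if [ "$state" != locked ] || [ "$shell" != /bin/false ]; then
            printf '%s: %s, shell=%s\n' "$u" "$state" "${shell:-<none>}"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage: sh audit_accounts.sh /etc/passwd
if [ $# -eq 1 ]; then audit_system_accounts "$1"; fi
```

Running this after the Bastille pass, and again periodically, catches the common regression where a package or administrator recreates one of these accounts with a real shell.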
AccountSecurity.create_securetty
Headline Disallow root logins from network TTYs.