HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2

6 Standard Mode Security Extensions
This chapter describes the Standard Mode Security Extensions features of HP-UX 11i Security
Containment. This chapter addresses the following topics:
“Overview”
“Security Attributes and the User Database”
“Auditing”
Overview
HP-UX Standard Mode Security Extensions (HP-UX SMSE) is a group of features that combine
to enhance both user and operating system security for HP-UX 11i v2. Starting with the HP-UX
11i version 2, September 2004 or later update, HP-UX SMSE includes enhancements or changes
to the HP-UX auditing system, passwords, and logins for systems in standard mode. Previously,
these features were supported only on systems converted to trusted mode. With HP-UX SMSE,
you can use these features on a standard mode system.
NOTE: HP does not recommend that you use HP-UX SMSE on systems running in trusted
mode. HP-UX SMSE makes available in standard mode many account and password policies
currently available only by converting an HP-UX system to trusted mode. Policies configured
with HP-UX SMSE are not enforced on systems running in trusted mode.
To determine whether a system has been converted to trusted mode, check for the following file:
/tcb/files/auth/system/default
If this file exists, the system is running in trusted mode. To convert the system back to standard
mode, use the sam(1M) command.
Refer to security(4) for more information on configurations supported with each of the HP-UX
SMSE security features.
The following new feature is included in HP-UX SMSE:
User Database: Previously, all HP-UX security attributes and password policy restrictions
were set on a systemwide basis. The introduction of the user database enables you to set security
attributes on a per-user basis that overrides systemwide defaults.
The following trusted mode features are available in standard mode with HP-UX SMSE:
Audit all users and events on a system
Display the last successful and unsuccessful user logins
Lock a user account if there are too many authentication failures
Display password history
Expire inactive accounts
Prevent users from logging in with a null password
Restrict user logins to specific time periods
The following new features are included in HP-UX SMSE Version B.11.23.02:
When used in conjunction with HP-UX RBAC Version B.11.23.04, usage of the userdbset
command can be restricted based on a user's authorizations. See userdbset(1M) for more
information.
The userstat command displays the account status of local users. It checks the status of
local user accounts and reports abnormal conditions, such as account locks. See userstat(1M)
for more information.