HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
Security Attributes and the User Database
Previously, in standard mode, all HP-UX security attributes and password policy restrictions
were set on a systemwide basis. The introduction of the user database enables you to set security
attributes on a per-user basis; per-user values override the systemwide defaults.
System Security Attributes
A security attribute defines how to control security configurations, such as passwords, logins,
and auditing. The security attributes description file, /etc/security.dsc, lists the attributes
that can be defined either in /etc/default/security, in the user database in
/var/adm/userdb, or in both files. Some attributes are configurable and some are internal.
CAUTION: Do not modify the /etc/security.dsc file in any way.
When a user logs in, the system checks for applicable security attributes in the following order:
1. The system examines per-user attributes in the following locations:
• /var/adm/userdb
• /etc/passwd
• /etc/shadow
NOTE: For each per-user attribute, a value is stored in one of the three files above.
Refer to security(4) to see which attributes are stored in each file.
2. If there is no per-user value, then the system examines the configured systemwide attributes
in /etc/default/security.
3. If there are no configured systemwide attributes, then the system uses the default attributes
in /etc/security.dsc.
Configuring Systemwide Attributes
To configure systemwide attributes, follow these steps:
1. Plan your configuration using available resources. Refer to security(4) for information about
configuring systemwide attributes.
2. To change a systemwide default, edit the /etc/default/security file with a text editor
such as vi. Comments begin with a pound sign (#). Attributes are written in
attribute=value format.
For example, to set the systemwide minimum number of uppercase characters in a password
to two (2), add the following line to /etc/default/security:
PASSWORD_MIN_UPPER_CASE_CHARS=2
NOTE: Changes to systemwide security attributes do not take effect immediately. Password
attributes take effect the next time users change their passwords. Login attributes take effect the
next time users log in.
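The following added example (not part of the HP guide) resolves the effective value of one attribute using the lookup order described under System Security Attributes and the attribute=value format described above, and reports which layer supplied the value. The function names, the EXAMPLE_UNSET_ATTR attribute, the sample file, and the default value passed in are assumptions made for illustration; the caller supplies the per-user value and the default.

```shell
#!/bin/sh
# Added example (not from the HP guide). Sample values below are constructed.

# systemwide_value ATTR FILE
# Print ATTR's value from an attribute=value file; '#' lines are comments.
# Returns 1 when ATTR is not set. Assumptions: the last assignment wins and
# whitespace around the name and value is ignored (check security(4)).
systemwide_value() {
    [ -r "$2" ] || return 1
    awk -v want="$1" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            if (name == want) { val = substr($0, eq + 1); found = 1 }
        }
        END {
            if (!found) exit 1
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val
        }' "$2"
}

# effective_attr ATTR PER_USER_VALUE SECURITY_FILE DEFAULT_VALUE
# Apply the lookup order: per-user value, then the systemwide file, then the
# default. Prints "value<TAB>source". PER_USER_VALUE is empty when the caller
# found no per-user setting; DEFAULT_VALUE is supplied by the caller.
effective_attr() {
    if [ -n "$2" ]; then
        printf '%s\tper-user\n' "$2"
    elif v=$(systemwide_value "$1" "$3"); then
        printf '%s\tsystemwide\n' "$v"
    else
        printf '%s\tdefault\n' "$4"
    fi
}

# Demo on a constructed copy of the systemwide file (never the live one).
demo() {
    f=${TMPDIR:-/tmp}/security.sample.$$
    printf '# constructed sample\nPASSWORD_MIN_UPPER_CASE_CHARS=2\n' > "$f"
    effective_attr PASSWORD_MIN_UPPER_CASE_CHARS 4 "$f" 0   # per-user wins
    effective_attr PASSWORD_MIN_UPPER_CASE_CHARS "" "$f" 0  # systemwide
    effective_attr EXAMPLE_UNSET_ATTR "" "$f" 0             # falls to default
    rm -f "$f"
}
demo
```

Reporting the source alongside the value makes it easy to spot accounts whose per-user setting is weaker than the systemwide policy.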
User Database Components
The user database feature of HP-UX SMSE includes files, commands, manpages, and per-user
attributes you can apply to specific users on your HP-UX system. All these elements of the user
database are described in the following sections.
Configuration Files
Table 6-1 “User Database Configuration Files” briefly describes the files you use with the user
database.
72 Standard Mode Security Extensions