Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Configuring HP-UX Bastille: Interview
Bastille Configuration Questions and Explanations for HP-UX
Appendix B
The ownerships and permissions of the files and subdirectories in that
directory then determine how each of those files and subdirectories can be
modified. You can tell that the "sticky" bit is set if there is a
"t" in the last permissions column (e.g., drwxrwxrwt). Left unedited,
the created script will set the "sticky" bit on any world-writable
directory.
(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)
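As an added illustration of the check described above (this is not the script Bastille generates), the following POSIX shell functions list the directories under a given tree that are world-writable but lack the sticky bit, optionally set the bit on them, and confirm the result by reading the last permissions column of `ls -ld`. The function names are my own.

```sh
#!/bin/sh
# Added example: audit and remediate world-writable directories without the
# sticky bit. Function names are assumptions, not part of HP-UX Bastille.

# Print every directory below $1 that is world-writable (other-write bit set)
# but has no sticky bit. Errors such as unreadable subtrees are suppressed.
find_ww_nosticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Set the sticky bit on each directory reported by find_ww_nosticky, so that
# only a file's owner (or root) may remove or rename it in that directory.
fix_ww_nosticky() {
    find_ww_nosticky "$1" | while IFS= read -r d; do
        chmod +t "$d" && printf 'set sticky bit on %s\n' "$d"
    done
}

# Return 0 when the last permissions column shown by ls -ld is "t" (or "T",
# sticky without other-execute), which is the sign the text describes.
has_sticky() {
    case "$(ls -ld "$1" | cut -c10)" in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

# Usage: audit a tree, then fix it.
#   find_ww_nosticky /tmp
#   fix_ww_nosticky  /tmp
```

Run `find_ww_nosticky /` first and review the list before calling `fix_ww_nosticky`; the sticky bit changes who may delete files in a shared directory, which is what Bastille's TODO item asks you to confirm by hand.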
Account Security Q: Do you want to set the default umask? [Y] [Y]
The umask sets the default permission for files that you create.
Bastille can set one of several umasks in the default
login configuration files. These cover standard shells like csh and most
Bourne shell variants like bash, sh, and ksh. If you
are going to install other shells, you may have to configure them
yourself. The only reason not to set at least a minimal default umask
is if you are sure that you have already set one.
Account Security Q: What umask would you like to set for users on the system? [077] [077]
The umask sets a default permission for files that you create.
Bastille can set one of several umasks. Please select one of the following
or create your own:
002 - Everyone can read your files & people in your group can alter them.
022 - Everyone can read your files, but no one can write to them.
027 - Only people in your group can read your files, no one can write to them.
077 - No one on the system can read or write your files.
In addition to configuring a umask for all of the user shells, HP-UX 11.22
and later has an option in the /etc/default/security file to set the default
system umask. This parameter controls umask(2) of all sessions initiated via
pam_unix(5) (which can then be overridden by the shell).
NOTE: If your system is converted to trusted mode, this parameter
will be overridden by the trusted system default umask, which is 077.
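To make the four candidate umasks concrete, here is an added shell example (not Bastille's own code) that computes the permission a given umask leaves on a newly created file (base mode 666) or directory (base mode 777), and then verifies the arithmetic empirically by creating a file under that umask in a scratch directory. The function names are my own.

```sh
#!/bin/sh
# Added example: what each umask in the list above actually yields.
# Function names are assumptions, not part of HP-UX Bastille.

# Octal permission that remains after applying umask $2 to creation mode $1.
# Both arguments are octal strings such as 666 and 077.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Empirical check: create an empty file under umask $1 in a scratch directory
# and report its symbolic permission string from ls -l (e.g. -rw-------).
mode_string_under_umask() {
    dir=$(mktemp -d)
    ( umask "$1" && : > "$dir/probe" )
    ls -l "$dir/probe" | cut -c1-10
    rm -rf "$dir"
}

# Print a small table for the umasks Bastille offers: resulting file and
# directory modes, plus the observed permission string for a real file.
umask_table() {
    for u in 002 022 027 077; do
        printf '%s  file=%s  dir=%s  observed=%s\n' \
            "$u" "$(effective_mode 666 "$u")" "$(effective_mode 777 "$u")" \
            "$(mode_string_under_umask "$u")"
    done
}

# Usage:
#   umask_table
```

The empirical column is the one worth trusting on a given host: it reflects whatever umask the shell really applied, including any value set system-wide through /etc/default/security or the trusted-mode default of 077 mentioned above.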
Account Security Q: Would you like to hide the encrypted passwords on this system? [Y]
Traditionally HP-UX has stored the encrypted password string
for each user in the /etc/passwd file. This has the disadvantage
of allowing these encrypted strings to be viewed by anyone with access
to the /etc/ file system (normally, all users). Given the encrypted
string, an attacker can attempt to determine valid passwords for users
on your system by using dictionary or brute-force password cracking programs.
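As an added example of auditing for the exposure described above (not Bastille's code), the functions below scan a passwd(4)-format file and report accounts whose second field still holds an encrypted password string rather than a shadow placeholder, and separately any account with an empty password field. The sample file they are exercised against is constructed here; the hash string in it is made up.

```sh
#!/bin/sh
# Added example: find accounts whose encrypted password is still visible in a
# passwd-format file. Function names and sample data are constructed.

# Print login names whose password field is neither a shadow placeholder ("x")
# nor a locked marker (starting with "*" or "!") nor empty, i.e. a hash
# string is readable by every user who can read the file.
exposed_hashes() {
    awk -F: '$2 != "" && $2 != "x" && $2 !~ /^[*!]/ { print $1 }' "$1"
}

# Print login names with an empty password field (no password required).
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Write a constructed four-line passwd file to $1 for demonstration.
# "alice" carries a made-up 13-character DES-style string; "bob" has none.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
alice:abJnggxhB/yWI:101:20::/home/alice:/usr/bin/sh
bob::102:20::/home/bob:/usr/bin/sh
EOF
}

# Usage against the live file (read-only):
#   exposed_hashes  /etc/passwd
#   empty_passwords /etc/passwd
```

Both functions only read the file, so they are safe to run before and after Bastille's change to confirm that the hashes have moved out of /etc/passwd.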