Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Configuring HP-UX Bastille: Interview
Bastille Configuration Questions and Explanations for HP-UX
Appendix B 970
without typing the password. However, if an attacker has physical
access to the machine and enough time, there is very little you can
do to prevent unauthorized access. This may be more problematic in the
case when an authorized administrator messes up the machine and can't
remember the password.
Note: For HP-UX 11.22 and prior, this requires conversion to trusted mode.
Bastille will automatically do the conversion if you select this option.
Trusted mode is incompatible with LDAP and can cause other incompatibility
issues with applications which do their own authentication.
Account Security Q: Do you want basic system security auditing enabled? [Y]
By enabling basic system security auditing a subset of system calls
will be logged. The logging of these events produces system overhead so if
this system is in a very performance sensitive role, the risk of not logging
may be less than the risk of incurring a small amount of overhead.
The system events to be audited, which are defined in the audevent(1M) man page,
will include the admin, login, and moddac events.
All of these events generate data about security sensitive system actions but
should be rare enough that they do not generate too much overhead.
NOTE: Depending on your environment, auditing may be more or less important.
For completeness you should review the audevent(1M) man page to determine if
your system requires more or less auditing.
This feature requires converting to trusted mode, so it should not be selected
if you wish to use LDAP or NIS. If you prefer trusted mode rather than
shadow passwords, selecting this option will force that conversion with
all currently supported versions of HP-UX.
Account Security Q: Do not allow logins unless the home directory exists? [Y]
The ABORT_LOGIN_ON_MISSING_HOMEDIR parameter controls login
behavior if a user's home directory does not exist.
By default, login will use '/' as the home directory if the user's home
directory does not exist.
If you do set this parameter, the login session will exit if the user's
home directory does not exist.
NOTE: This is applicable only for non-root users and only for services
which use the "login" binary for authentication.
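One way to verify the two settings described above, as an added example that is not from the HP-UX manual or from Bastille: a POSIX shell check that reads the effective ABORT_LOGIN_ON_MISSING_HOMEDIR value from a security defaults file and confirms that an audevent argument string selects the admin, login and moddac events. It assumes the HP-UX locations /etc/default/security and /etc/rc.config.d/auditing (AUDEVENT_ARGS1), which the page does not name; the sample file content below is constructed.

```shell
#!/bin/sh
# Added example, not part of the HP-UX documentation or of Bastille.
# Assumption: on HP-UX, ABORT_LOGIN_ON_MISSING_HOMEDIR is set in
# /etc/default/security and the audevent arguments are kept in
# /etc/rc.config.d/auditing (AUDEVENT_ARGS1). The input here is constructed.

# Print the effective ABORT_LOGIN_ON_MISSING_HOMEDIR value found in file $1.
# Comment and blank lines are skipped, the last assignment wins, and an
# absent parameter reports 0 (login then falls back to '/' as the home dir).
effective_abort_login() {
    awk -F= '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 ~ /^[ \t]*ABORT_LOGIN_ON_MISSING_HOMEDIR[ \t]*$/ {
            v = $2; gsub(/[ \t]/, "", v); val = v
        }
        END { if (val == "") val = 0; print val }
    ' "$1"
}

# Given an audevent argument string in $1, print "ok" when every event the
# guide lists (admin, login, moddac) is selected with -e, otherwise print
# the space-separated list of events that are missing.
missing_audit_events() {
    args="$1"; missing=""
    for ev in admin login moddac; do
        case " $args " in
            *" -e $ev "*) ;;
            *) missing="$missing $ev" ;;
        esac
    done
    missing="${missing# }"
    echo "${missing:-ok}"
}

# Constructed sample standing in for /etc/default/security.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real HP-UX security defaults file
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
EOF
echo "ABORT_LOGIN_ON_MISSING_HOMEDIR effective value: $(effective_abort_login "$sample")"
rm -f "$sample"

# Constructed AUDEVENT_ARGS1-style value that leaves moddac out.
echo "audit events check: $(missing_audit_events '-P -F -e admin -e login')"
```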
Account Security Q: Do you want to setup password policies? [Y]
Weak passwords can be easily compromised using a dictionary
attack. On the other hand, if the password policies seem too restrictive to your users,