security.4 (2012 03)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

security(4) security(4)

NAME

security - security defaults conﬁguration ﬁle

DESCRIPTION

A number of system commands and features are conﬁgured based on certain attributes deﬁned in the

/etc/default/security

conﬁguration ﬁle. This ﬁle must be world readable and root writable.

Each line in the ﬁle is treated either as a comment or as conﬁguration information for a given system

command or feature. Comments are denoted by a

# at the beginning of a line. Noncomment lines are of

the form,

attribute=value

If any attribute is not deﬁned or is commented out in this ﬁle, the default behavior detailed below will

apply. The default value of each attribute is deﬁned in the

/etc/security.dsc

ﬁle.

Attribute deﬁnitions, valid values, and defaults are deﬁned as follows:

ABORT_LOGIN_ON_MISSING_HOMEDIR

This attribute controls login behavior if a user’s home directory does not exist. Note

that this is only enforced for non-root users and only applies to the

mand or those services that indirectly invoke

rlogind commands.

ABORT_LOGIN_ON_MISSING_HOMEDIR=0

tory if the user’s home directory does not exist.

ABORT_LOGIN_ON_MISSING_HOMEDIR=1

Exit the login session if the user’s

home directory does not exist.

Default value:

ABORT_LOGIN_ON_MISSING_HOMEDIR=0

ALLOW_NULL_PASSWORD

This attribute determines whether or not users with a null password can login. It

does not apply to trusted systems. This attribute is supported only for non-root

users managed by pam_unix (described in pam_unix (5)); this typically includes

local and NIS users. On a system in standard or shadow mode, it also applies to

root if LOGIN_POLICY_STRICT=1

. For local users, the system-wide default

deﬁned here in

/etc/default/security

may be overridden by deﬁning a per-

user value in

/var/adm/userdb

(described in userdb (4)).

ALLOW_NULL_PASSWORD=0

Users with a null password cannot login.

ALLOW_NULL_PASSWORD=1

Users with a null password can login.

Default value:

ALLOW_NULL_PASSWORD=1

AUDIT_FLAG This attribute controls whether or not users are to be audited. It does not apply to

trusted systems. This attribute is supported for users in all name server switch

repositories, such as local, NIS and LDAP. This attribute is enforced in the

pam_hpsec service module, and requires that the pam_hpsec module be

conﬁgured in /etc/pam.conf. See pam_hpsec (5). The system-wide default

deﬁned here may be overridden by deﬁning a per-user value in

/var/adm/userdb (described in userdb (4)). For more information about HP-UX

auditing, see audit (5).

AUDIT_FLAG=0 Do not audit.

AUDIT_FLAG=1 Audit.

Default value:

AUDIT_FLAG=1

AUTH_MAXTRIES

This attribute controls whether an account is locked after too many consecutive

authentication failures. It does not apply to trusted systems. This attribute is sup-

ported for users in all name server switch repositories, such as local, NIS and

LDAP. This attribute is enforced in the pam_hpsec service module, and requires

that the pam_hpsec module be conﬁgured in /etc/pam.conf. See

pam_hpsec (5). Other PAM service modules in your conﬁguration may enforce addi-

tional restrictions. The system-wide default deﬁned here may be overridden by

deﬁning a per-user value in /var/adm/userdb (described in userdb(4)).

HP-UX 11i Version 3: March 2012 − 1 − Hewlett-Packard Company 1

Summary of content (8 pages)

PAGE 1
security(4) security(4) NAME security - security defaults configuration file DESCRIPTION A number of system commands and features are configured based on certain attributes defined in the /etc/default/security configuration file. This file must be world readable and root writable. Each line in the file is treated either as a comment or as configuration information for a given system command or feature. Comments are denoted by a # at the beginning of a line.
PAGE 2
security(4) security(4) When an account has been locked due to too many authentication failures, root can unlock the account by this command: userdbset -d -u username auth_failures AUTH_MAXTRIES=0 Any number of authentication retries is allowed. AUTH_MAXTRIES=N An account is locked after N+1 consecutive authentication failures. N can be any positive integer. Default value: AUTH_MAXTRIES=0 BOOT_AUTH This attribute controls whether authentication is required to boot the system into single user mode.
PAGE 3
security(4) security(4) DISPLAY_LAST_LOGIN This attribute controls whether a successful login displays the date, time and origin of the last successful login and the last authentication failure. Times are displayed using the system’s time zone. See the discussion of time zones in the Notes section. This attribute does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP.
PAGE 4
security(4) security(4) /var/adm/userdb (described in userdb (4)). LOGIN_TIMES=timeperiod An account is locked if the current time is not within the specified time period. The timeperiod consists of any number of day and time ranges separated by colons. A user is allowed to access the system when the login time is within any of the specified ranges. The days are specified by the following abbreviations: Su Mo Tu We Th Fr Sa Wk Any Where Wk is all week days and Any is any day of the week.
PAGE 5
security(4) security(4) OVERRIDE_SYSDEF_PWAGE This attribute applies to shadow mode only. During a password change it determines if password aging attributes max days, min days and warn days (described in shadow(4)) are inherited from the /etc/default/security values when no password aging is specified in the shadow file. This attribute is applicable to local users.
PAGE 6
security(4) security(4) PASSWORD_MIN_UPPER_CASE_CHARS=N Specifies that a minimum of N upper-case characters are required in a password when changed. PASSWORD_MIN_LOWER_CASE_CHARS=N Specifies that a minimum of N lower-case characters are required in a password when changed. PASSWORD_MIN_DIGIT_CHARS=N Specifies that a minimum of N digit characters are required in a password when changed. PASSWORD_MIN_SPECIAL_CHARS=N Specifies that a minimum of N special characters are required in a password when changed.
PAGE 7
security(4) security(4) The PASSWORD_POLICY_STRICT attribute is only valid if the libpam_unix patch PHCO_40838 or later is installed. Default value: PASSWORD_POLICY_STRICT=0 PASSWORD_WARNDAYS This attribute controls the default number of days before password expiration that a user is to be warned that the password must be changed.
PAGE 8
security(4) security(4) The current umask is set or restricted further with the value of default_umask. For trusted systems, the umask is also restricted so as not to exceed SEC_DEFAULT_MODE defined in /usr/include/hpsecurity.h. Default value: UMASK=0 Notes Use the functions defined in secdef (3) to read the values of the attributes defined in this file. The usage, possible values and default value of each of the attributes described in this manpage is defined in the /etc/security.dsc file.