HP-UX Reference (11i v2 07/12) - 4 File Formats (vol 8)

security(4) security(4)
NAME
security - security defaults configuration file
DESCRIPTION
A number of system commands and features are configured based on certain attributes defined in the /etc/default/security configuration file. This file must be world readable and root writable.
Each line in the file is treated either as a comment or as configuration information for a given system command or feature. Comments are denoted by a # at the beginning of a line. Noncomment lines are of the form, attribute=value.
If any attribute is not defined or is commented out in this file, the default behavior detailed below will apply. If the TrustedMigration product is installed, the default value of each attribute is defined in the /etc/security.dsc file.
Attribute definitions, valid values, and defaults are defined as follows:
ABORT_LOGIN_ON_MISSING_HOMEDIR
This attribute controls login behavior if a user's home directory does not exist. Note that this is only enforced for non-root users and only applies to the login command or those services that indirectly invoke login such as the telnetd and rlogind commands.
ABORT_LOGIN_ON_MISSING_HOMEDIR=0 Login with '/' as the home directory if the user's home directory does not exist.
ABORT_LOGIN_ON_MISSING_HOMEDIR=1 Exit the login session if the user's home directory does not exist.
Default value: ABORT_LOGIN_ON_MISSING_HOMEDIR=0
ALLOW_NULL_PASSWORD
This attribute determines whether or not users with a null password can login. It does not apply to trusted systems, and it applies to standard systems only if the TrustedMigration product is installed. This attribute is supported only for non-root users managed by pam_unix (described in pam_unix(5)); this typically includes local and NIS users. For local users, the system-wide default defined here in /etc/default/security may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).
ALLOW_NULL_PASSWORD=0 Users with a null password cannot login.
ALLOW_NULL_PASSWORD=1 Users with a null password can login.
Default value: ALLOW_NULL_PASSWORD=1
AUDIT_FLAG
This attribute controls whether or not users are to be audited. It does not apply to trusted systems, and it applies to standard systems only if the TrustedMigration product is installed. This attribute is supported for local users and for NIS and LDAP remote users. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)). For more information about HP-UX auditing, see audit(5).
AUDIT_FLAG=0 Do not audit.
AUDIT_FLAG=1 Audit.
Default value: AUDIT_FLAG=1
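As an added example (not part of the HP-UX manual and not HP code), the POSIX shell functions below resolve the value in force for the three attributes described so far, applying the documented default when an attribute is absent or commented out, and list the ones left at their permissive setting. The function names, the last-definition-wins rule, the choice of which value counts as permissive, and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example: effective-value check for a security(4)-format file.

# Default this page documents for an attribute that is absent or commented out.
documented_default() {
    case "$1" in
        ABORT_LOGIN_ON_MISSING_HOMEDIR) echo 0 ;;
        ALLOW_NULL_PASSWORD)            echo 1 ;;
        AUDIT_FLAG)                     echo 1 ;;
        *) return 1 ;;
    esac
}

# effective_value FILE ATTR: print the value in force for ATTR.
# Assumption: if ATTR is defined more than once, the last definition wins.
effective_value() {
    if ev=$(awk -F= -v a="$2" '
            /^#/    { next }   # a "#" at the beginning of a line is a comment
            $1 == a { v = substr($0, length(a) + 2); found = 1 }
            END     { if (!found) exit 1; print v }' "$1" 2>/dev/null)
    then echo "$ev"
    else documented_default "$2"   # undefined, commented out, or unreadable file
    fi
}

# weak_attributes FILE: print ATTR=value for each attribute whose effective
# value is the permissive one (which value is permissive is this example's choice).
# Note: ALLOW_NULL_PASSWORD and AUDIT_FLAG apply on standard systems only if
# the TrustedMigration product is installed.
weak_attributes() {
    for pair in ABORT_LOGIN_ON_MISSING_HOMEDIR:0 ALLOW_NULL_PASSWORD:1 AUDIT_FLAG:0
    do
        attr=${pair%%:*}
        weak=${pair##*:}
        val=$(effective_value "$1" "$attr")
        if [ "$val" = "$weak" ]; then echo "$attr=$val"; fi
    done
    return 0
}

# Constructed sample file, not taken from a real system.
sample=$(mktemp)
printf '%s\n' '# site policy' 'ALLOW_NULL_PASSWORD=0' '#AUDIT_FLAG=0' > "$sample"
weak_attributes "$sample"
rm -f "$sample"
```

On a real host, pass /etc/default/security as the file argument; per-user overrides in /var/adm/userdb are not considered by this check.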
AUTH_MAXTRIES
This attribute controls whether an account is locked after too many consecutive authentication failures. It does not apply to trusted systems, and it applies to standard systems only if the TrustedMigration product is installed. This attribute is supported in configurations consisting only of local users and/or NIS remote users. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)). This feature requires that the pam_hpsec module is configured in /etc/pam.conf. See pam_hpsec(5). When an account has been locked due to too many authentication failures, root can unlock the account by su'ing to the account or by this command:
userdbset -d -u username auth_failures
346 Hewlett-Packard Company 1 HP-UX 11i Version 2: December 2007 Update