HP-UX Standard Mode Security Extensions B.11.23.02 Release Notes
Table 1-1 lists the security features and corresponding attributes that are now available in standard
mode. These features were previously available only in trusted mode. Each attribute sets the
system-wide default in /etc/default/security.

Table 1-1 Security Features and Attributes Now Available in Standard Mode

  Attribute Name for System-Wide     Security Feature for Standard Mode HP-UX
  Default in /etc/default/security
  --------------------------------   ---------------------------------------------------
  AUTH_MAXTRIES                      Locks the account after too many authentication failures
  DISPLAY_LAST_LOGIN                 Displays the last successful and last unsuccessful login
  PASSWORD_HISTORY_DEPTH             Defines the password history depth
  ALLOW_NULL_PASSWORD                Controls whether logins with a null password are allowed
  LOGIN_TIMES                        Restricts logins to specific time periods
  INACTIVITY_MAXDAYS                 Expires inactive accounts
  AUDIT_FLAG                         Enables or disables auditing for users
Table 1-2 lists the existing security attributes that can now also be configured on a per-user basis.

Table 1-2 Revised Security Features and Attributes Now Also Available on a Per-User Basis

  Attribute Name                     Existing Security Feature
  --------------------------------   ---------------------------------------------------
  PASSWORD_MIN_LOWER_CASE_CHARS      Specifies the minimum number of lower-case, upper-case,
  PASSWORD_MIN_UPPER_CASE_CHARS      digit, or special characters required in a password
  PASSWORD_MIN_DIGIT_CHARS           when it is changed.
  PASSWORD_MIN_SPECIAL_CHARS
  MIN_PASSWORD_LENGTH                Specifies the minimum number of characters required
                                     in a new password.
  UMASK                              Specifies the umask value for sessions initiated
                                     through pam_unix or pam_hpsec.
  NUMBER_OF_LOGINS_ALLOWED           Specifies the number of simultaneous logins allowed
                                     per user.
User Database for Per-User Configurations
In previous HP-UX releases, many security attributes and password policy restrictions could be set
only on a system-wide basis: a feature applied either to all users or to none of them.
Now several attributes can optionally be configured for individual users, overriding the
system-wide defaults for those users only. See Table 1-2. To set per-user values, use the
userdbset command; to display them, use the userdbget command. Refer to the userdbget(1M)
and userdbset(1M) manpages for details.
The per-user information is stored in a user database in the /var/adm/userdb directory. The
user database format is described in the userdb(4) manpage.
Not all attributes can have a per-user value. Refer to the security(4) manpage, which explains all
the attributes and states which of them accept a per-user setting.
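The precedence the preceding paragraphs describe (a per-user entry in the user database overrides the system-wide default from /etc/default/security, and only some attributes may carry a per-user value) is shown below as an added example; it is not HP code and does not touch the real userdb. The sample /etc/default/security contents are constructed, and the set of per-user-capable attributes is assumed from Tables 1-1 and 1-2 with INACTIVITY_MAXDAYS excluded, as the text states; security(4) is the authoritative list.

```python
"""Resolve the effective HP-UX standard-mode security policy for a user.

Added illustration, not HP-UX code. Models what userdbset writes and
userdbget reads (per-user overrides) on top of /etc/default/security.
"""
import re

# Constructed sample of /etc/default/security: ATTR=value lines, comments allowed.
SYSTEM_DEFAULTS_TEXT = """\
# /etc/default/security (constructed sample)
AUTH_MAXTRIES=5
DISPLAY_LAST_LOGIN=1
PASSWORD_HISTORY_DEPTH=3
ALLOW_NULL_PASSWORD=0
MIN_PASSWORD_LENGTH=8
PASSWORD_MIN_DIGIT_CHARS=1
UMASK=027
NUMBER_OF_LOGINS_ALLOWED=2
INACTIVITY_MAXDAYS=90
"""

# Assumption: attributes from Tables 1-1 and 1-2 that may carry a per-user value.
# INACTIVITY_MAXDAYS is deliberately absent: the text says it is set with
# useradd/usermod -f, not userdbset. Confirm the real list in security(4).
PER_USER_ATTRS = frozenset({
    "AUTH_MAXTRIES", "DISPLAY_LAST_LOGIN", "PASSWORD_HISTORY_DEPTH",
    "ALLOW_NULL_PASSWORD", "LOGIN_TIMES", "AUDIT_FLAG",
    "PASSWORD_MIN_LOWER_CASE_CHARS", "PASSWORD_MIN_UPPER_CASE_CHARS",
    "PASSWORD_MIN_DIGIT_CHARS", "PASSWORD_MIN_SPECIAL_CHARS",
    "MIN_PASSWORD_LENGTH", "UMASK", "NUMBER_OF_LOGINS_ALLOWED",
})

ATTR_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*=\s*(\S+)\s*$")


def parse_security_file(text):
    """Parse ATTR=value lines; ignore blanks and comments; last setting wins."""
    defaults = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if m:
            defaults[m.group(1)] = m.group(2)
    return defaults


class UserDb:
    """In-memory stand-in for /var/adm/userdb: per-user attribute overrides."""

    def __init__(self):
        self._entries = {}

    def set(self, user, attr, value):
        """Equivalent of userdbset -u user ATTR=value, with the attribute check."""
        if attr not in PER_USER_ATTRS:
            raise ValueError("%s cannot be configured per user" % attr)
        self._entries.setdefault(user, {})[attr] = value

    def delete(self, user, attr):
        """Remove one per-user override; the system-wide default applies again."""
        self._entries.get(user, {}).pop(attr, None)

    def get(self, user):
        """Equivalent of userdbget -u user: the user's overrides only."""
        return dict(self._entries.get(user, {}))


def effective_value(attr, user, defaults, userdb):
    """Per-user override if present, otherwise the system-wide default, else None."""
    override = userdb.get(user).get(attr)
    return override if override is not None else defaults.get(attr)


def effective_policy(user, defaults, userdb):
    """Full resolved policy for one user, covering every attribute seen anywhere."""
    attrs = set(defaults) | set(userdb.get(user))
    return {a: effective_value(a, user, defaults, userdb) for a in sorted(attrs)}


if __name__ == "__main__":
    defaults = parse_security_file(SYSTEM_DEFAULTS_TEXT)
    db = UserDb()
    db.set("svc_backup", "AUTH_MAXTRIES", "3")      # tighter lockout for a service account
    db.set("svc_backup", "NUMBER_OF_LOGINS_ALLOWED", "1")
    for attr, value in effective_policy("svc_backup", defaults, db).items():
        print("%-32s %s" % (attr, value))
```

The ValueError path is the check worth keeping in any wrapper you script around userdbset: an attribute that the user database cannot carry should fail loudly rather than silently leaving the system-wide default in force.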
The INACTIVITY_MAXDAYS attribute in the /etc/default/security file controls whether inactive
accounts are expired on a system-wide basis. To override the system-wide default and configure
INACTIVITY_MAXDAYS for a single user, use the useradd -f command or the usermod -f
command. Use the userdel command to delete the per-user configuration. Refer to the
useradd(1M), usermod(1M), and userdel(1M) manpages.
The userdbset command cannot be used to configure the INACTIVITY_MAXDAYS attribute on a
per-user basis, because INACTIVITY_MAXDAYS corresponds to the inactivity field of the shadow
password file rather than to an entry in the user database. The useradd and usermod commands modify the inactivity field of the
What’s in This Version 11