security(4) security(4)
NAME
security - security defaults configuration file
DESCRIPTION
A number of system commands and features are configured based on
parameters defined in the /etc/default/security configuration file.
This file must be world readable and writable only by root.
Each line in the file is either a comment or configuration
information for a given system command or feature. Comments are
denoted by a # at the beginning of a line. Non-comment lines have
the form parameter=value.
If a parameter is not defined or is commented out in this file, the
default behavior detailed below applies.
Parameter definitions, valid values, and defaults are defined as
follows:
ABORT_LOGIN_ON_MISSING_HOMEDIR
This parameter controls login behavior if a user's home
directory does not exist. Note that this is only
enforced for non-root users and only applies to the
login(1) command or those services that indirectly
invoke login(1), such as telnetd(1M) and rlogind(1M).
ABORT_LOGIN_ON_MISSING_HOMEDIR=0 Login with '/' as
the home directory if the user's home directory does
not exist.
ABORT_LOGIN_ON_MISSING_HOMEDIR=1 Exit the login
session if the user's home directory does not exist.
Default value: ABORT_LOGIN_ON_MISSING_HOMEDIR=0
BOOT_AUTH This parameter controls whether authentication is
required to boot the system into single user mode. If
enabled, the system cannot be booted into single user
mode until the password of an authorized user is
provided. This parameter does not apply to trusted
systems. However, if boot authentication is enabled on
a standard system, then when the system is converted to
a trusted system, boot authentication will also be
enabled as default for the trusted system.
BOOT_AUTH=0 Boot authentication is turned OFF.
BOOT_AUTH=1 Boot authentication is turned ON.
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: Sep 2004
Default value: BOOT_AUTH=0
BOOT_USERS
This parameter defines the names of users who are
authorized to boot the system into single user mode
from the console. Names are separated by a comma (,).
It only takes effect when boot authentication is
enabled. Refer to the description of the BOOT_AUTH
parameter. The BOOT_USERS parameter does not apply to
trusted systems. However, when a standard system is
converted to a trusted system, this information is
translated.
BOOT_USERS=mary,jack
In addition to root, users mary and jack may boot the
system into single user mode from the console.
Default value: BOOT_USERS=root
MIN_PASSWORD_LENGTH
This parameter controls the minimum length of new
passwords. It is not applicable to the root user on an
untrusted system.
MIN_PASSWORD_LENGTH=N New passwords must contain at
least N characters. For untrusted systems, N can be
any value from 6 to 8. For trusted systems, N can be
any value from 6 to 80.
Default value: MIN_PASSWORD_LENGTH=6
NOLOGIN This parameter controls whether non-root login can be
disabled by the /etc/nologin file. Note that this
parameter only applies to the applications that use
session management services provided by pam_hpsec(5) as
configured in /etc/pam.conf, or those services that
indirectly invoke login(1) such as the telnetd(1M) and
rlogind(1M) commands. Other services may or may not
choose to enforce the /etc/nologin file.
NOLOGIN=0 Ignore the /etc/nologin file and do not
exit if the /etc/nologin file exists.
NOLOGIN=1 Display the contents of the /etc/nologin
file and exit if the /etc/nologin file exists.
Default value: NOLOGIN=0
NUMBER_OF_LOGINS_ALLOWED
This parameter controls the number of simultaneous
logins allowed per user. Note that this is only
enforced for non-root users and only applies to the
applications that use session management services
provided by pam_hpsec(5) as configured in
/etc/pam.conf, or those services that indirectly invoke
login(1), such as telnetd(1M) and rlogind(1M).
NUMBER_OF_LOGINS_ALLOWED=0 Any number of logins are
allowed per user.
NUMBER_OF_LOGINS_ALLOWED=N N number of logins are
allowed per user.
Default value: NUMBER_OF_LOGINS_ALLOWED=0
PASSWORD_HISTORY_DEPTH
This parameter controls the password history depth. A
new password is checked only against the number of most
recently used passwords stored in password history for
a particular user. A user is not allowed to re-use a
previously used password.
PASSWORD_HISTORY_DEPTH=N A new password is checked
against only the N most recently used passwords for a
particular user.
A depth of 2 prevents users from alternating between two
passwords. The supported range is 1 to 10: a configured
depth greater than 10 is treated as 10, and a depth less
than 1 is treated as 1.
The password history depth is configured system-wide. It
is supported only on trusted systems, and only for users
in the files repository; users in the NIS or NIS+
repositories are not supported. Once the feature is
enabled, all users on the system are subject to the same
check. If this parameter is not configured, the password
history check is disabled and the effective depth is 1,
so only the current password is checked.
A password change is subject to all of the other rules
for a new password including a check with the current
password.
Default value: PASSWORD_HISTORY_DEPTH=1
PASSWORD_MIN_<type>_CHARS
Parameters of this form are used to require new
passwords to have a minimum number of characters of
particular types (upper case, lower case, digits or
special characters). This can be helpful in enforcing
site security policies about selecting passwords that
are not easy to guess.
PASSWORD_MIN_UPPER_CASE_CHARS=N Specifies that a
minimum of N upper-case characters are required in a
password when changed.
PASSWORD_MIN_LOWER_CASE_CHARS=N Specifies that a
minimum of N lower-case characters are required in a
password when changed.
PASSWORD_MIN_DIGIT_CHARS=N Specifies that a minimum
of N digit characters are required in a password when
changed.
PASSWORD_MIN_SPECIAL_CHARS=N Specifies that a minimum
of N special characters are required in a password when
changed.
Default value: The default for each of these parameters
is zero.
PASSWORD_MAXDAYS
This parameter controls the default maximum number of
days that passwords are valid. This value, if
specified, is used by the authentication subsystem
during the password change process in the case where
aging restrictions do not already exist for the given
user. The value takes effect after the password
change. This parameter applies only to local users and
does not apply to trusted systems. The passwd -x
option can be used to override this value for a
specific user.
PASSWORD_MAXDAYS=N A new password is valid for up to
N days, after which the password must be changed.
Default value: PASSWORD_MAXDAYS=-1 (password aging is
turned off).
PASSWORD_MINDAYS
This parameter controls the default minimum number of
days before a password can be changed. This value is
used by the authentication subsystem during the
password change process in the case where aging
restrictions do not already exist for the user. The
value is stored persistently and takes effect after the
password change. This parameter applies only to local
users and does not apply to Trusted Systems. The
passwd -n option can be used to override this value for
a specific user.
PASSWORD_MINDAYS=N A new password cannot be changed
until at least N days since it was last changed.
Default value: PASSWORD_MINDAYS=0
PASSWORD_WARNDAYS
This parameter controls the default number of days
before password expiration that a user is to be warned
that the password must be changed. This value, if
specified, is used by the authentication subsystem
during the password change process in the case where
aging restrictions do not already exist for the given
user. The value takes effect after the password
change. This parameter applies only to local users on
Shadow Password systems. The passwd -w option can be
used to override this value for a specific user.
PASSWORD_WARNDAYS=N Users are warned N days before
their password expires.
Default value: PASSWORD_WARNDAYS=0 (no warning)
SU_DEFAULT_PATH
This parameter defines a new default PATH environment
value to be set when su to a non-superuser account is
done. Refer to su(1).
SU_DEFAULT_PATH=new_PATH
The PATH environment variable is set to new_PATH when
the su command is invoked. The path value is not
validated, so new_PATH should list only absolute
directories writable by root alone; a relative or
world-writable entry is trusted as written. This
parameter does not apply to a superuser account, and is
applicable only when the "-" option is not used with the
su command.
Default value: If this parameter is not defined or if
it is commented out, PATH is not changed.
SU_KEEP_ENV_VARS
This parameter forces su to propagate certain 'unsafe'
environment variables to its child process despite the
security risk of doing so. Refer to su(1).
By default, su does not export the environment
variables HOME, ENV, IFS, SHLIB_PATH or LD_* because
they could be maliciously misused. Any combination of
these can be specified in this entry, with a comma
separating the variables. Currently, no other
environment variables may be specified in this way.
This may change in future HP-UX releases as security
needs require.
SU_KEEP_ENV_VARS=var1,var2,...,varN
Default value: If this parameter is not defined or if
it is commented out, none of these environment
variables will be propagated by the su command.
SU_ROOT_GROUP
This parameter defines the root group name for the su
command. Refer to su(1).
SU_ROOT_GROUP=group_name The root group name is set to
the specified symbolic group name. The su command
enforces the restriction that a non-superuser must be a
member of the specified root group to be allowed to su
to root. This does not alter password checking.
Default value: If this parameter is not defined or if
it is commented out, there is no default value. In
this case, a non superuser is allowed to su to root
without being bound by root group restrictions.
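The SU_KEEP_ENV_VARS whitelist and the SU_ROOT_GROUP membership rule, as an added worked example. This is editor-supplied POSIX shell and not the HP-UX su(1) implementation: the group file is constructed, membership is taken only from the member list of that file (the primary group from passwd(4) is not consulted, an assumption of this example), and the password check su performs separately is not modelled. Function names are assumptions.

```shell
#!/bin/sh
# Editor-added example, not part of HP-UX su(1).  Models two of the su
# checks documented above: SU_ROOT_GROUP membership and the
# SU_KEEP_ENV_VARS whitelist.  The group file below is constructed.
LC_ALL=C; export LC_ALL

GROUP_FILE="${GROUP_FILE:-/tmp/group.example.$$}"
cat > "$GROUP_FILE" <<'EOF'
root::0:root
sys::3:root,bin,sys,adm
wheel::10:mary,jack
users::20:
EOF

# in_csv NAME LIST -> 0 when NAME is one of LIST's comma-separated entries
in_csv() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# group_member USER GROUP [GROUPFILE]
# 0 when USER appears in GROUP's member list in a group(4)-style file.
group_member() {
    _members=$(awk -F: -v g="$2" '$1 == g { print $4; exit }' "${3:-$GROUP_FILE}")
    in_csv "$1" "$_members"
}

# su_root_allowed USER ROOTGROUP [GROUPFILE]
# su lets a non-superuser become root only when ROOTGROUP is set and USER
# belongs to it.  An empty ROOTGROUP (parameter absent or commented out)
# imposes no group restriction; root itself is never restricted.
su_root_allowed() {
    [ "$1" = root ] && return 0
    [ -z "$2" ] && return 0
    group_member "$1" "$2" "$3"
}

# su_keep_env_ok LIST
# SU_KEEP_ENV_VARS may name only HOME, ENV, IFS, SHLIB_PATH or LD_*.
# Returns 1 and reports the first other name; an empty list is valid.
su_keep_env_ok() {
    _rest=$1
    while [ -n "$_rest" ]; do
        _v=${_rest%%,*}
        case $_v in
            HOME|ENV|IFS|SHLIB_PATH|LD_?*) ;;
            *) echo "SU_KEEP_ENV_VARS: '$_v' is not permitted" >&2; return 1 ;;
        esac
        [ "$_rest" = "$_v" ] && break
        _rest=${_rest#*,}
    done
    return 0
}

# Usage: su_root_allowed mary wheel && echo "mary may su to root (password still required)"
```

The env-var check rejects an empty element such as HOME,,IFS as well as names outside the list, which is the behaviour an administrator wants from a pre-deployment lint of the file: a typo here silently re-enables propagation of nothing rather than of the intended variable.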
UMASK This parameter controls umask(2) of all sessions
initiated via pam_unix(5) and/or pam_hpsec(5). It
accepts values from 0 to 0777 as an unsigned octal
integer (leading zero can be omitted).
UMASK=default_umask
The umask is set or restricted further with the value
of default_umask. For trusted systems, the umask is
also restricted so as not to exceed SEC_DEFAULT_MODE
defined in /usr/include/hpsecurity.h.
Default value: UMASK=0
Notes
Use the functions defined in secdef(3) to read the values of the
parameters defined in this file.
AUTHOR
The security file was developed by HP.
FILES
/etc/default/security
SEE ALSO
login(1), passwd(1), su(1), init(1M), secdef(3), pam_hpsec(5),
pam_unix(5).