Description
HP-UX stores the encrypted password string for each user in the /etc/passwd
file. These encrypted strings are viewable by anyone with access to the /etc/
file system, typically all users. Using the encrypted string, an attacker can
find valid passwords for your system.
Actions
Convert system to trusted mode or use shadowed passwords (dependent on OS
version).
AccountSecurity.lock_account_nopasswd
Headline
Lock the local accounts with no password.
Default
Y
Description
Accounts with no passwords allow any user to execute arbitrary actions on your
server and invite attack. Passwordless accounts should always be against
policy. This item disables accounts with no password.
Actions
Lock all local accounts that do not have a password with the passwd -l command.
AccountSecurity.mesgn
Headline
Set mesg n for all users.
Default
N
Description
The mesg n command forbids messages through write by revoking write permission
to users without appropriate privilege on the user's terminal. For a
description of mesg, see write(1). Disabling this feature prevents untrusted
users from contacting users to solicit credentials or other sensitive data.
Actions
Append the line "mesg n" to the files profile, csh.login, d.profile, and
d.login in /etc.
AccountSecurity.MIN_PASSWORD_LENGTH
Headline
Set the minimum length of new passwords.
Default
8
Description
The MIN_PASSWORD_LENGTH parameter controls the minimum length of new passwords.
This policy is not enforced for the root user on an untrusted system.
Actions
In the /etc/default/security file, set the parameter MIN_PASSWORD_LENGTH.
AccountSecurity.NOLOGIN
Headline
Non-root users are not allowed to log in if /etc/nologin exists.
Default
N
Description
The NOLOGIN parameter controls non-root login with the /etc/nologin file.
Actions
Sets the parameter NOLOGIN=1 in the /etc/default/security file.
AccountSecurity.NUMBER_OF_LOGINS_ALLOWED
Headline
Enter the maximum number of logins per user.
Default
1
Description
The NUMBER_OF_LOGINS_ALLOWED parameter controls the number of simultaneous
sessions allowed per user. This is applicable only for non-root users. This
limits user account sharing and alerts users to a compromised account.
Actions
Sets the parameter NUMBER_OF_LOGINS_ALLOWED in the /etc/default/security file.
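
The following read-only audit script is an added example, not part of the original guide or of the tool it describes. It reports the conditions the AccountSecurity items above act on: accounts with an empty password field, accounts whose encrypted string is still readable in /etc/passwd, and the values set in /etc/default/security. The sample files are constructed, and treating "x" and "*" in the password field as placeholders rather than hashes is an assumption.

```shell
#!/bin/sh
# Added example: read-only audit of the findings described on this page.
# The sample files below are constructed; pass the real /etc/passwd and
# /etc/default/security to the functions to audit a host.

# Login names whose password field (field 2) is empty: the accounts that
# lock_account_nopasswd would lock with passwd -l.
empty_password_accounts() {
    awk -F: 'NF >= 7 && $1 !~ /^[#+-]/ && $2 == "" { print $1 }' "$1"
}

# Login names whose field 2 still holds an encrypted string that every user
# can read. Assumption: "x" and "*" are placeholders, not hashes.
exposed_hash_accounts() {
    awk -F: 'NF >= 7 && $1 !~ /^[#+-]/ && $2 != "" && $2 != "x" && $2 != "*" { print $1 }' "$1"
}

# Value of parameter $2 in security file $1, skipping comment lines.
# The last assignment wins (assumption); prints nothing if the parameter is unset.
security_param() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); found = 1 }
        END { if (found) print v }' "$1"
}

# Constructed sample input (the string for alice is made up, not a real hash).
SAMPLE_DIR="${TMPDIR:-/tmp}/acct_audit.$$"
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:*:0:3::/:/sbin/sh
alice:Fz1xQ0aBcDeFg:101:20::/home/alice:/usr/bin/sh
guest::102:20::/home/guest:/usr/bin/sh
bob:x:103:20::/home/bob:/usr/bin/sh
EOF
cat > "$SAMPLE_DIR/security" <<'EOF'
# MIN_PASSWORD_LENGTH=6
MIN_PASSWORD_LENGTH=8
NOLOGIN=1
EOF

echo "no password:  $(empty_password_accounts "$SAMPLE_DIR/passwd")"
echo "hash exposed: $(exposed_hash_accounts "$SAMPLE_DIR/passwd")"
for p in MIN_PASSWORD_LENGTH NOLOGIN NUMBER_OF_LOGINS_ALLOWED; do
    echo "$p=$(security_param "$SAMPLE_DIR/security" "$p")"
done
```

An empty value in the last loop means the parameter is not set in the file, so the system default applies.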