Description
This parameter controls the default number of days before password expiration
that a user is warned that the password must be changed. For systems running
HP-UX 11.11 and HP-UX 11.0, setting this value requires conversion to trusted
mode. For HP-UX 11.22 and later, shadowed password conversion is required.
This parameter applies only to local non-root users.
Actions
Sets the parameter
PASSWORD_WARNDAYS
in the
/etc/default/security
file.
AccountSecurity.passwordpolicies
Headline
Set up password policies.
Default
N
Description
Set up password policies.
Actions
None.
AccountSecurity.restrict_home
Headline
Restrict the home directory permissions.
Default
N
Description
Home directories should not be world-writable or world-readable. This item
removes world-visibility and group-write from the local account directories,
similar to executing
chmod o-rwx,g-w <dir>
.
Actions
Remove world visibility and group write from the local account home
directories, similar to executing
chmod o-rwx,g-w <home dir>
.
AccountSecurity.root_path
Headline
Remove the dot from the root path.
Default
N
Description
A dot in the root path instructs the shell to look in the current directory for
an executable. This can cause a local command to either override a common
administrative command, or cause an incorrectly typed command to execute
a local command. This allows malicious users to plant rogue commands that
could potentially run malicious software as root. This item removes the current
working directory, "dot" from the root path startup scripts.
Actions
Remove the current working directory "." or any group/world-writable
directory from the root $PATH.
AccountSecurity.serial_port_login
Headline
Disable all serial ports except the console.
Default
Y
Description
The ability to login on a serial port except the console is a rare need.
Historically, these were used for terminal devices or modems, but it is unlikely
that a site would need this capability. This item turns off the process that
listens to the tty devices.
Actions
Comment out serial port tty entries in the
/etc/inittab
file and invoke
init
to reread the file.
AccountSecurity.single_user_password
Headline
Password protect single-user mode.
Default
N
Description
Password protecting single-user mode provides limited protection against
anyone who has physical access to the machine, because they cannot reboot
and have root access without typing the password. However, if an attacker
37