C Question Modules - HP UX Bastille User Manual

Version b.3.3

C Question modules

AccountSecurity.ABORT_LOGIN_ON_MISSING_HOMEDIR

Headline: Do not allow logins unless the home directory exists.
Default: N
Description: The ABORT_LOGIN_ON_MISSING_HOMEDIR parameter controls login behavior
if a user's home directory does not exist. With it set, a login whose home
directory is missing is refused instead of proceeding with / as the home directory.
Actions: Set ABORT_LOGIN_ON_MISSING_HOMEDIR=1 in /etc/default/security.
AccountSecurity.atuser

Headline: Restrict the use of at to administrative accounts.
Default: N
Description: The at command allows users to submit jobs for the system to run at a
particular time. Administrators can use at to defer jobs to run when the system
is otherwise unused. However, executing jobs later or automatically is
a privilege that can be abused and makes actions slightly harder to track. Many
sites choose to restrict the at command to administrative accounts. HP suggests
that new administrators restrict at until they understand how it can
be abused and which users need access. Create the /etc/at.allow file listing the
users with permission. This file can be edited later. If this file is not created,
all users have permission to use the at command.
Actions:
Delete the file at.deny.
Create or replace the file at.allow with a single entry for user root.
Set permissions to 0400.
Change ownership to root:sys.
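The four actions above as one POSIX shell function, written as an added example for this page (it is not Bastille's own implementation). The directory holding at.allow/at.deny is passed in as a parameter so the function can be rehearsed against a scratch directory before it is pointed at the real one; the manual names /etc/at.allow, so confirm the location with at(1) on your release. The at_allowed helper is a hypothetical name added here to check the resulting allow/deny decision; the starting state in the demo is constructed.

```shell
#!/bin/sh
# Restrict at(1) to root: remove at.deny, write at.allow containing only root,
# mode 0400, owner root:sys. Added example, not Bastille's code.
# $1 is the directory that holds at.allow and at.deny (parameter, see lead-in).
set -u

restrict_at_to_root() {
    dir=$1
    rm -f "$dir/at.deny"                      # at.deny must not exist
    printf 'root\n' > "$dir/at.allow"         # single entry: root
    chmod 0400 "$dir/at.allow"
    # Ownership can only be changed by root; HP-UX uses root:sys here.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:sys "$dir/at.allow"
    fi
}

# at_allowed DIR USER -> exit 0 if USER may use at under the allow/deny rules:
# at.allow present: only listed users; else at.deny present: everyone not
# listed; neither file: everyone (the manual's description of the default
# install; check at(1) for your release, some implementations allow only root).
at_allowed() {
    dir=$1 user=$2
    if [ -f "$dir/at.allow" ]; then
        grep -qx "$user" "$dir/at.allow"
    elif [ -f "$dir/at.deny" ]; then
        ! grep -qx "$user" "$dir/at.deny"
    else
        return 0
    fi
}

# Rehearsal on a constructed scratch directory, never the live one.
scratch=$(mktemp -d)
printf 'alice\nbob\n' > "$scratch/at.deny"   # constructed starting state
restrict_at_to_root "$scratch"
ls -l "$scratch"
for u in root alice; do
    if at_allowed "$scratch" "$u"; then echo "$u: permitted"; else echo "$u: denied"; fi
done
rm -rf "$scratch"
```

Run it as root with the real directory only after the scratch run shows at.deny gone, at.allow reading `root` with mode `-r--------`, and only root permitted.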
AccountSecurity.AUTH_MAXTRIES

Headline: Lock account after too many consecutive authentication failures.
Default: N
Description: The AUTH_MAXTRIES parameter controls whether an account is locked after
too many consecutive authentication failures. It does not apply to trusted
systems. This parameter is supported for users in all name service switch
repositories, such as local, NIS, and LDAP. The lower the threshold, the easier
it is for anyone who knows a login name to lock that account by failing
authentication on purpose; choose the value with that denial-of-service trade-off in mind.
Actions: Set AUTH_MAXTRIES=1 in /etc/default/security.
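Both the ABORT_LOGIN_ON_MISSING_HOMEDIR and the AUTH_MAXTRIES actions come down to setting one KEY=VALUE line in /etc/default/security without duplicating a key that is already there, possibly commented out. The following is an added example of doing that idempotently; it is not Bastille's code. The function names set_security_param and get_security_param are hypothetical, the file is a parameter so the edit can be rehearsed on a copy, and the sample file contents are constructed.

```shell
#!/bin/sh
# Idempotently set KEY=VALUE in an HP-UX /etc/default/security-style file.
# Added example, not Bastille code. $1 is the file, so point it at a scratch
# copy first and at /etc/default/security only when you are satisfied.
set -u

# set_security_param FILE KEY VALUE
# Replaces the first existing KEY=... line (commented out or not) in place,
# or appends one if none exists. Every other line is copied through unchanged.
set_security_param() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { re = "^#?[ \t]*" k "[ \t]*="; done = 0 }
        $0 ~ re && !done { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_security_param FILE KEY -> prints the effective value (last uncommented
# KEY= line), empty when the key is unset or only present commented out.
get_security_param() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Rehearsal on a constructed scratch copy (never the live file).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample of /etc/default/security
ABORT_LOGIN_ON_MISSING_HOMEDIR=0
# AUTH_MAXTRIES=5
PASSWORD_HISTORY_DEPTH=3
EOF
set_security_param "$demo_file" ABORT_LOGIN_ON_MISSING_HOMEDIR 1
set_security_param "$demo_file" AUTH_MAXTRIES 1
cat "$demo_file"
rm -f "$demo_file"
```

Running the same call twice leaves the file unchanged, which is what makes it safe to re-run from a hardening script; reading the value back with get_security_param is the check to put in an audit.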
AccountSecurity.block_system_accounts

Headline: Disable login access to the system accounts.
Default: N
Description: System accounts are provisioned on a new system, for example bin, sys, uucp,
and so on. These accounts (except for root) exist to own files, processes, or
system resources but are not generally logged into. Because these accounts
have broad access to the system, HP recommends disabling them. This item
disables the default system accounts.
Actions: Lock the account and change the user shell to /bin/false for the following
users: www sys smbnull iwww owww sshd hpsmh named uucp nuucp adm
daemon bin lp nobody noaccess hpdb useradm.
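An added example (not Bastille's implementation) that audits and applies the shell half of this action against a passwd-format file: it lists which of the accounts named above still have a login shell, then rewrites their shell field to /bin/false. The file is passed in as a parameter so the edit can be rehearsed on a copy; the function names and the sample passwd lines are constructed for this page. Locking the password itself (the other half of the action) is done on the live system with passwd -l and is not part of this file-level edit.

```shell
#!/bin/sh
# Audit and neutralise the login shell of the system accounts listed in the
# block_system_accounts item. Added example, not Bastille code.
# $1 is a passwd-format file; rehearse on a copy, not /etc/passwd directly.
set -u

SYSTEM_ACCOUNTS="www sys smbnull iwww owww sshd hpsmh named uucp nuucp adm daemon bin lp nobody noaccess hpdb useradm"

# list_loginable_system_accounts PASSWD -> names from the list whose shell
# field is not /bin/false, i.e. accounts that could still get a login.
list_loginable_system_accounts() {
    awk -F: -v list="$SYSTEM_ACCOUNTS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) sys[a[i]] = 1 }
        ($1 in sys) && $7 != "/bin/false" { print $1 }
    ' "$1"
}

# set_false_shell PASSWD -> rewrite the shell field to /bin/false for listed
# accounts only; other fields and all other users are left untouched.
set_false_shell() {
    tmp="$1.tmp.$$"
    awk -F: -v OFS=: -v list="$SYSTEM_ACCOUNTS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) sys[a[i]] = 1 }
        ($1 in sys) { $7 = "/bin/false" }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Rehearsal on a constructed passwd sample (root and alice must not change).
pw=$(mktemp)
cat > "$pw" <<'EOF'
root:x:0:3::/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
bin:x:2:2::/usr/bin:/sbin/sh
sys:x:3:3::/:/bin/false
lp:x:9:7::/var/spool/lp:/sbin/sh
alice:x:101:20::/home/alice:/usr/bin/ksh
EOF
echo "before:"; list_loginable_system_accounts "$pw"
set_false_shell "$pw"
echo "after:";  list_loginable_system_accounts "$pw"
rm -f "$pw"
```

The audit function is the part worth keeping around: run it periodically against the live passwd file and any non-empty output means a system account has regained a login shell since hardening.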
AccountSecurity.create_securetty

Headline: Disallow root logins from network TTYs.
