Table of Contents
Advertisement
configuring a umask for all of the user shells, HP-UX 11.22 and later have an
option in the /etc/default/security file to set the default system umask.
This parameter controls umask(2) of all sessions initiated with pam_unix(5)
which can then be overridden by the shell. NOTE: If your system is converted
to trusted mode, this parameter will be overridden by the trusted system
default umask, which is 077.
Actions
Set the selected umask in all known shell startup scripts.
AccountSecurity.umaskyn
Headline
Set the default umask.
Default
N
Description
Set the default umask.
Actions
None.
AccountSecurity.unowned_files
Headline
Assign unowned files to the bin user.
Default
N
Description
Do not leave files owned by users or groups that do not have meaning to the
system. If a user or group is later defined with the uid or gid that owns that
file, the data could be exposed to potentially unauthorized access. This can
happen when a user is deleted without cleaning up the file system. This item
will look for files that are not owned by a defined system user or group and
assign those files to bin.
Actions
Find all local files that are not owned by a defined system user and/or group.
Assign those files to bin. Remove world-writable, suid and sgid bits from
these files.
AccountSecurity.user_dot_files
Headline
Remove world-write permission from local user account dot files.
Default
Y
Description
Dot files, or those that begin with a "." are hidden from standard file lists and
are often used for configuration. The combination of being less visible and
being used to change the behavior of the user account means that if an incorrect
permission is set (perhaps with a loose umask), the account could be subject
to attack. This item reviews the local user account store, finds the local home
directories, and removes the world-writeable bit, if any. This is a simple, and
relatively safe operation.
Actions
Find all local non-root login home directories and ensure that any "dot" files
within those directories do not have world-writable permissions.
AccountSecurity.user_rc_files
Headline
Delete .shosts, .rhosts, and .netrc from the local user accounts
Default
Y
Description
.shosts, .rhosts, and .netrc are files that sit in the home directories of users and
are used to create trust relationships between given users on a system and
other systems. Such non-interactive trust is dangerous as it creates the potential
for an attacker to leverage those trust relationships if they manage to expose
an account. If there is no business need for static trust, delete these files.
Actions
Find all local non-root login home directories, and delete the files .shosts,
.rhosts, and .netrc if found within those directories.
39
Advertisement
Table of Contents
