Manualshelf

Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP HP-UX Auditing System Extensions
61626364656667686970
3 HP-UX Standard Mode Security Extensions
This chapter describes the HP-UX Standard Mode Security Extensions (HP-UX SMSE). The
following topics are discussed:
Overview (Section 3.1)
Security attributes and the user database (Section 3.2)
3.1 Overview
HP-UX Standard Mode Security Extensions (HP-UX SMSE) is a group of features that
enhances both user and operating system security. HP-UX SMSE includes enhancements
or changes to the HP-UX auditing system, passwords, and logins for systems in standard
mode. Previously, these features were supported only on systems converted to trusted
mode. With HP-UX SMSE, you can use these features on a standard mode system.
NOTE: HP does not recommend that you use HP-UX SMSE on systems running in trusted
mode. HP-UX SMSE makes available in standard mode many account and password
policies currently available only by converting an HP-UX system to trusted mode. Policies
configured with HP-UX SMSE are not enforced on systems running in trusted mode.
To determine whether a system has been converted to trusted mode, check for the
following file:
/tcb/files/auth/system/default
If this file exists, the system is running in trusted mode. To convert the system back to
standard mode, use the sam(1M) command.
Refer to security(4) for more information on configurations supported with each of the
HP-UX SMSE security features.
HP-UX SMSE offers a new feature, user database. Previously, all HP-UX security attributes
and password policy restrictions were set on a systemwide basis. The introduction of the
user database enables you to set security attributes on a per-user basis that overrides
systemwide defaults.
The following trusted mode features are available in standard mode with HP-UX SMSE:
Audit all users and events on a system
Display the last successful and unsuccessful user logins
Lock a user account if there are too many authentication failures
Display password history
Expire inactive accounts
Prevent users from logging in with a null password
Restrict user logins to specific time periods
3.1 Overview 61