Security Management Guide (G06.29+, H06.08+, J06.03+)
Safeguard System Security
Security Management Guide — 522283-021
A timeout of the logon process occurs; its length is determined by the value of
AUTHENTICATE-FAIL-TIMEOUT.
The user ID is frozen if AUTHENTICATE-FAIL-FREEZE is ON.
You might want to change the value of AUTHENTICATE-FAIL-TIMEOUT to a slightly
longer period, further slowing down an intruder’s attempts to break in. However, avoid
unreasonably long periods. A user who accidentally exceeds
AUTHENTICATE-MAXIMUM-ATTEMPTS causes the process controlling logon at the
terminal to become locked for the duration of the timeout period. The only way to recover
from this situation is to start a new process at the terminal or stop the CPU in which the
process is running.
Do not set AUTHENTICATE-FAIL-FREEZE to ON unless your policy specifically
requires it. An intruder could easily freeze all the IDs on a system by simply exceeding
AUTHENTICATE-MAXIMUM-ATTEMPTS for each user.
Password Configuration
Your security policy might require some control over passwords. For example, if your
policy requires that everyone use a password of at least six characters, use the
PASSWORD-MINIMUM-LENGTH attribute as follows:
=ALTER SAFEGUARD, PASSWORD-MINIMUM-LENGTH 6
If the passwords are stored in encrypted form, they are unreadable even if someone
gains access to the USERID file. The following SAFECOM command causes
passwords to be stored in encrypted form:
=ALTER SAFEGUARD, PASSWORD-ENCRYPT ON
This attribute does not cause existing passwords to be encrypted. They are encrypted
the next time they are changed. Therefore, have all users change their passwords after
you set this attribute.
If your policy discourages reuse of passwords, consider the PASSWORD-HISTORY
attribute. It specifies a number of passwords to be retained in the Safeguard password
history file for each user. The user cannot change the password to anything in this list.
The following command sets the PASSWORD-HISTORY to 10:
=ALTER SAFEGUARD, PASSWORD-HISTORY 10
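The settings discussed above can be checked against policy offline. The following Python sketch is an added example, not part of the original guide: it reads a captured listing of Safeguard global attributes and returns the deviations together with the matching ALTER SAFEGUARD commands in the syntax shown on this page. The "NAME = VALUE" listing layout, the sample values, and the names POLICY, parse_listing and audit are assumptions made for illustration.

```python
import re

# Example policy built from the values this page uses: attribute -> (check, value to set).
POLICY = {
    "PASSWORD-MINIMUM-LENGTH": (lambda v: v.isdigit() and int(v) >= 6, "6"),
    "PASSWORD-ENCRYPT": (lambda v: v == "ON", "ON"),
    "PASSWORD-HISTORY": (lambda v: v.isdigit() and int(v) >= 10, "10"),
    "AUTHENTICATE-FAIL-FREEZE": (lambda v: v == "OFF", "OFF"),
}

# Constructed sample; the "NAME = VALUE" layout is an assumption about
# how the captured attribute listing looks, not output copied from a system.
SAMPLE_LISTING = """\
AUTHENTICATE-MAXIMUM-ATTEMPTS = 3
AUTHENTICATE-FAIL-FREEZE = ON
PASSWORD-HISTORY = 0
PASSWORD-ENCRYPT = OFF
PASSWORD-MINIMUM-LENGTH = 8
"""

LINE_RE = re.compile(r"^\s*([A-Z][A-Z0-9-]*)\s*=\s*(\S+)")

def parse_listing(text):
    """Return {attribute: value} for every 'NAME = VALUE' line."""
    attrs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).upper()
    return attrs

def audit(text, policy=POLICY):
    """Return (findings, commands); commands omit the SAFECOM '=' prompt."""
    attrs = parse_listing(text)
    findings, commands = [], []
    for name, (ok, wanted) in policy.items():
        current = attrs.get(name)
        if current is None:
            findings.append(f"{name}: not present in listing, verify manually")
        elif not ok(current):
            findings.append(f"{name}: is {current}, policy expects {wanted}")
            commands.append(f"ALTER SAFEGUARD, {name} {wanted}")
    if "ALTER SAFEGUARD, PASSWORD-ENCRYPT ON" in commands:
        findings.append("PASSWORD-ENCRYPT: existing passwords stay unencrypted "
                        "until changed; have all users change passwords")
    return findings, commands

if __name__ == "__main__":
    print(audit(SAMPLE_LISTING))
```

An attribute that is missing from the listing is reported for manual verification rather than treated as compliant, so a truncated capture cannot pass the audit silently.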
Controlling the Logon Process With the Safeguard Software
Normally TACL is responsible for the logon process. However, if the Safeguard
software is running, TACL enforces special logon security features that are available
as Safeguard configuration options. Some of the special features that can be controlled
with Safeguard global configuration attributes are:
Warning of password expiration (The warning occurs during the
PASSWORD-MAY-CHANGE period.)