Security attributes provide additional control of system configurations, adding security enhancements to passwords, logins, and auditing. There are more than 20 attributes. These attributes are described in security(4). The categories of attributes are summarized as follows:

- Login attributes: These attributes control login activities, such as login times, the number of logins allowed, and the number of login failures allowed before locking an account.
- Password attributes: These attributes control password activities, such as password length, the number of characters and their types, history depth, the number of days before a password must be changed, and password expiration.
- Boot attributes: These attributes control boot authentication, defining which users are authorized to boot the system into single-user mode. See the boot authentication information in Chapter 1.
- Switch user (su) attributes: These attributes define the PATH environment value and the root group name for the su command, and whether or not su should propagate certain environment variables. See su(1) for more information.
- Audit attribute: This attribute controls whether or not users are to be audited. The audit attribute is checked during the login process. See audit(5) for more information about HP-UX auditing.
- umask attribute: This attribute controls the umask() of all sessions initiated by pam_unix or pam_hpsec. See pam_unix(5) and pam_hpsec(5) for more information. The umask attribute is checked during the login process.
The system uses these files to process the attributes: /etc/passwd, /etc/shadow, the user database in /var/adm/userdb, /etc/default/security, and /etc/security.dsc. Each attribute has a per-user value in only one of these locations: /etc/passwd, /etc/shadow, or the user database in /var/adm/userdb. Each attribute and its per-user location are explained in the security(4) manpage.

The system checks which attributes apply in the following order:

- The system examines the per-user attribute values in the /var/adm/userdb user database, the /etc/passwd file, or the /etc/shadow file.
- If there is no per-user value, then the system examines the configurable systemwide default attributes in /etc/default/security.
- If there are no configurable systemwide default attributes, then the system uses the default attributes in /etc/security.dsc.

The security attributes description file, /etc/security.dsc, lists the attributes you can define in /etc/default/security and in the user database in /var/adm/userdb. Some attributes are configurable and some are internal. Do not modify the /etc/security.dsc file in any way.

Configuring Systemwide Attributes
The following steps explain how to define security attributes on a systemwide basis.

- Review the security(4) manpage, which explains the configurable systemwide default values for attributes. These attributes are configured in the /etc/default/security file, which is also explained in the security(4) manpage. If an attribute is not defined in the /etc/default/security file, then the system uses the default value defined in the /etc/security.dsc file. See the userdb(4) manpage for an explanation of the /etc/security.dsc file.
- To change a configurable systemwide default, edit the security defaults file, /etc/default/security, with a text editor such as vi. The file is world readable and root writable. Each line in the /etc/default/security file is either a comment or attribute configuration information. Comment lines begin with a pound sign (#). Noncomment lines are in the form of attribute=value pairs, for example, PASSWORD_MAXDAYS=30.
Configuring Per-User Attributes

Use the following commands to configure specific attributes for individual users. When you configure per-user attributes, they override the systemwide defaults.

- userdbset: Changes the attribute for the specified user to override the systemwide default defined in the /etc/default/security file. For an example, see Section , and see userdbset(1M) for more information.
- userdbget: Displays the user-defined values for a specific user or all users. See userdbget(1M) for more information.
- userdbck: Verifies or fixes the user-defined values. See userdbck(1M) for more information.
For example, you can change PASSWORD_MAXDAYS from 60 to 30 days only for user amy. The password for amy is then valid for 30 days instead of 60 days. For all other users, the systemwide value of 60 days applies.

Use the following procedure to change an attribute value for a user:

- Review the security(4) manpage, which explains the systemwide attributes and values, and how to set a per-user value. Not all attributes have a per-user value.
- Review the manpages for the userdbset, userdbget, and userdbck commands.
- Decide which users to modify and which attributes will apply to them. For example, you might want users in an accounting department to change their passwords every 30 days and a classroom of students to change their passwords every quarter.
- Use the userdbset command to change an attribute for a user. The per-user information is stored in a user database in the /var/adm/userdb directory. The user database is described in the userdb(4) manpage. You cannot use the userdbset command to configure all attributes. Some per-user values are defined in the /etc/passwd and /etc/shadow files. For more information, see security(4).
- Use the userdbget command to get user information.
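The lookup order described above (per-user value first, then /etc/default/security, then /etc/security.dsc) and the attribute=value file format from the systemwide procedure, worked through as an added example. This is a stand-alone POSIX shell script written for this page, not HP-UX code: it operates on constructed stand-ins for /etc/security.dsc, /etc/default/security and userdbget-style per-user lines, written to a temporary directory, and every attribute value in those samples is made up (the real built-in defaults live in /etc/security.dsc). The function names check_defaults and lookup_attr are this example's own.

```shell
#!/bin/sh
# Added example, not HP-UX code: model how a security attribute is resolved
# (per-user userdb, then /etc/default/security, then /etc/security.dsc) and
# validate the attribute=value format of the systemwide defaults file.
# All files below are constructed samples in a temporary directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /etc/security.dsc (built-in defaults; values made up)
cat > "$WORK/security.dsc" <<'EOF'
PASSWORD_MAXDAYS=-1
MIN_PASSWORD_LENGTH=6
UMASK=07077
INACTIVITY_MAXDAYS=-1
EOF

# Constructed stand-in for /etc/default/security (site-wide defaults),
# including one deliberately malformed line for check_defaults to catch
cat > "$WORK/default_security" <<'EOF'
# Site policy: passwords expire after 60 days
PASSWORD_MAXDAYS=60
UMASK=027
this line is malformed
EOF

# Constructed stand-in for per-user values in the "user ATTR=value" form
# that userdbget prints; amy has a shorter password lifetime than the site
cat > "$WORK/userdb" <<'EOF'
amy PASSWORD_MAXDAYS=30
joe MIN_PASSWORD_LENGTH=7
joe UMASK=0022
EOF

# check_defaults FILE: print every line that is neither a # comment nor an
# ATTRIBUTE=value pair; the exit status is the number of such lines
check_defaults() {
    awk '!/^#/ && !/^[A-Z_][A-Z0-9_]*=[^ ]+$/ && NF { print FILENAME ":" NR ": " $0; bad++ }
         END { exit bad+0 }' "$1"
}

# lookup_attr USER ATTR: print the value that applies to USER, taking the
# first hit in the order userdb -> default_security -> security.dsc
lookup_attr() {
    u=$1; a=$2
    v=$(awk -v u="$u" -v a="$a" \
        '{ split($2, kv, "="); if ($1 == u && kv[1] == a) { print kv[2]; exit } }' \
        "$WORK/userdb")
    [ -n "$v" ] && { echo "$v"; return 0; }
    v=$(awk -F= -v a="$a" '!/^#/ && $1 == a { print $2; exit }' "$WORK/default_security")
    [ -n "$v" ] && { echo "$v"; return 0; }
    awk -F= -v a="$a" '$1 == a { print $2; exit }' "$WORK/security.dsc"
}

lookup_attr amy PASSWORD_MAXDAYS    # 30, the per-user override
lookup_attr bob PASSWORD_MAXDAYS    # 60, the systemwide default
lookup_attr bob INACTIVITY_MAXDAYS  # -1, from the security.dsc stand-in
check_defaults "$WORK/default_security" || echo "malformed lines: $?"
```

The three-level fallback is the point worth checking on a real system: a per-user value that was set once with userdbset silently wins over any later change to /etc/default/security, so after tightening a systemwide default, run userdbget for all users to see which accounts still carry a weaker per-user value.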
Examples of Defining User-Specific Attributes with userdbset

In the following example, the userdbset command deletes all user-defined attributes for user joe. When joe logs in, the systemwide defaults in /etc/default/security will then apply to joe.

# /usr/sbin/userdbset -d -u joe

Next, userdbset sets the minimum password length to 7 and sets UMASK to 0022 (octal 022). These changes apply only to joe.

# /usr/sbin/userdbset -u joe MIN_PASSWORD_LENGTH=7 UMASK=0022

In the next example, userdbget displays all attributes for user amy:

# /usr/sbin/userdbget -u amy
amy AUDIT_FLAG=1
amy DISPLAY_LAST_LOGIN=0

In the display, the audit flag is enabled and the last login feature is disabled for amy.

INACTIVITY_MAXDAYS and the Shadow Password File

The INACTIVITY_MAXDAYS attribute defined in the /etc/default/security file controls whether to expire inactive accounts on a systemwide basis. To override the systemwide default and configure INACTIVITY_MAXDAYS on a per-user basis, use the useradd -f command or the usermod -f command. Use the userdel command to delete the per-user configuration. See the useradd(1M), usermod(1M), and userdel(1M) manpages for more information. You cannot use the userdbset command to configure INACTIVITY_MAXDAYS on a per-user basis. The INACTIVITY_MAXDAYS attribute is related to the inactivity field of the shadow password file. The useradd and usermod commands modify the inactivity field of the shadow password file for the specified user. See the description of INACTIVITY_MAXDAYS in the security(4) manpage for more information.

Troubleshooting the User Database
Use the following procedures to troubleshoot the user database.

Problem 1: A user's security attributes seem to be misconfigured.

If you suspect that user information is misconfigured in the user database, run the following command:

# userdbget -u username

The attributes configured for the user username are displayed. If an attribute is misconfigured, reconfigure the attribute.

Problem 2: The user database is not functioning properly.

If you need to check the user database, enter the following command:

# userdbck

The userdbck command identifies and repairs problems in the user database.