HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3, Chapter 4 HP-UX Standard Mode Security Extensions

Security Attributes and the User Database

Previously, in standard mode, all HP-UX security attributes and password policy restrictions were set on a systemwide basis. The introduction of the user database enables you to set security attributes on a per-user basis, which override systemwide defaults.

System Security Attributes

A security attribute defines how to control security configurations, such as passwords, logins, and auditing. The security attributes description file, /etc/security.dsc, lists the attributes that can be defined either in /etc/default/security, in the user database in /var/adm/userdb, or in both files. Some attributes are configurable and some are internal.

CAUTION: Do not modify the /etc/security.dsc file in any way.

When a user logs in, the system checks for applicable security attributes in the following order:

  1. The system examines per-user attributes in the following locations:

    • /var/adm/userdb

    • /etc/passwd

    • /etc/shadow

      NOTE: For each per-user attribute, a value is stored in one of the three files above. Refer to security(4) to see which attributes are stored in each file.
  2. If there is no per-user value, then the system examines the configured systemwide attributes in /etc/default/security.

  3. If there are no configured systemwide attributes, then the system uses the default attributes in /etc/security.dsc.
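Because the per-user layer is consulted first, a hardening review that reads only /etc/default/security misses any per-user override; the account's own values (userdbget -u) have to be checked as well. The script below is an added example, not HP's code: it models the three-level lookup in POSIX sh. The per-user layer is represented by one plain ATTR=VALUE file per user under $USERDB_DIR (a stand-in for what userdbget reports; the real on-disk format of /var/adm/userdb and the /etc/passwd and /etc/shadow layers are not modelled), and the built-in defaults layer is likewise modelled as ATTR=VALUE lines (an assumption: the real /etc/security.dsc has its own syntax and must never be edited). The function and variable names (lookup, resolve_attr, make_sample_tree, USERDB_DIR, DEFAULTS, DSC) and all sample values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not HP's code): a model of the three-level lookup that login
# performs for a security attribute. Per-user values are kept here as plain
# ATTR=VALUE files, one per user, under $USERDB_DIR (a stand-in for what
# `userdbget -u USER` reports; the real /var/adm/userdb format, and the
# /etc/passwd and /etc/shadow layers, are not modelled). The built-in defaults
# layer is likewise modelled as ATTR=VALUE lines (ASSUMPTION: the real
# /etc/security.dsc has its own syntax and is never edited by hand).

# lookup FILE ATTR: print the value of the first active ATTR=VALUE line in FILE.
# Comment lines (#) and blank lines are skipped. Exit status 1 if absent.
lookup() {
    awk -v a="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ || line == "" { next }
        index(line, a "=") == 1 { print substr(line, length(a) + 2); found = 1; exit }
        END { exit !found }
    ' "$1"
}

# resolve_attr USER ATTR: print "VALUE<TAB>LAYER", where LAYER is userdb,
# default or dsc, in the order given on this page. Exit 1 if no layer
# defines the attribute.
resolve_attr() {
    local user="$1" attr="$2" v
    if [ -f "$USERDB_DIR/$user" ] && v=$(lookup "$USERDB_DIR/$user" "$attr"); then
        printf '%s\t%s\n' "$v" userdb; return 0
    fi
    if v=$(lookup "$DEFAULTS" "$attr"); then
        printf '%s\t%s\n' "$v" default; return 0
    fi
    if v=$(lookup "$DSC" "$attr"); then
        printf '%s\t%s\n' "$v" dsc; return 0
    fi
    return 1
}

# make_sample_tree DIR: build a constructed sample of the three layers under
# DIR and point USERDB_DIR, DEFAULTS and DSC at it. The values are invented for
# the demonstration, not HP's shipped defaults.
make_sample_tree() {
    USERDB_DIR=$1/userdb; DEFAULTS=$1/default-security; DSC=$1/security.dsc
    mkdir -p "$USERDB_DIR"
    printf 'UMASK=077\nLOGIN_TIMES=Mo0800-1700\n' > "$USERDB_DIR/joe"
    printf '# systemwide policy (constructed sample)\n' > "$DEFAULTS"
    printf 'UMASK=027\n  PASSWORD_MIN_UPPER_CASE_CHARS=2\n# AUTH_MAXTRIES=3\n' >> "$DEFAULTS"
    printf 'UMASK=022\nMIN_PASSWORD_LENGTH=6\n' > "$DSC"
}

# Demonstration: joe's per-user umask wins, ann falls through to the
# systemwide file, and a commented-out systemwide line counts as unset.
tmpdir=$(mktemp -d)
make_sample_tree "$tmpdir"
for who in joe ann; do
    for a in UMASK PASSWORD_MIN_UPPER_CASE_CHARS MIN_PASSWORD_LENGTH AUTH_MAXTRIES; do
        printf '%s %s: ' "$who" "$a"
        resolve_attr "$who" "$a" || echo "(not set in any layer)"
    done
done
rm -rf "$tmpdir"
```

The commented-out "# AUTH_MAXTRIES=3" line in the sample shows the trap the lookup order creates: a setting that looks configured in the systemwide file but is really a comment falls all the way through to the built-in default.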

Configuring Systemwide Attributes

To configure systemwide attributes, follow these steps:

  1. Plan your configuration using available resources. Refer to security(4) for information about configuring systemwide attributes.

  2. To change a systemwide default, edit the /etc/default/security file with a text editor such as vi. Comments begin with a pound sign (#). Attributes are written in attribute=value format.

    For example, to set the systemwide minimum number of uppercase characters in a password to two (2), enter the following line in /etc/default/security:

    PASSWORD_MIN_UPPER_CASE_CHARS=2

NOTE: Changes to systemwide security attributes do not take effect immediately. Password attributes take effect the next time users change their passwords. Login attributes take effect the next time users log in.
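Editing /etc/default/security by hand works, but a hand edit can leave two active lines for the same attribute or silently corrupt a comment. The script below is an added example, not HP's code: it sets one attribute=value line in a file using the /etc/default/security syntax, replacing the first active line (and dropping duplicates), appending when the attribute is absent, leaving comments untouched, and taking a .bak copy first. The function names set_default_attr and show_active_attr, the argument checks, and the sample file contents are mine; run it against a copy before pointing it at the live file.

```shell
#!/bin/sh
# Added example (not HP's code): set one attribute in a file that uses the
# /etc/default/security syntax (attribute=value, comments start with #)
# without hand-editing it in vi. Run it against a copy first; on a live system
# the FILE argument would be /etc/default/security.

# set_default_attr FILE ATTR VALUE
# Replaces the first active ATTR= line (drops any duplicate active lines),
# or appends ATTR=VALUE if none exists. Comment lines, including a commented
# out "# ATTR=..." line, and all other lines are left untouched. A FILE.bak
# copy is taken first. Exit status: 0 changed, 1 I/O error, 2 bad arguments.
set_default_attr() {
    local file="$1" attr="$2" value="$3" tmp
    case $attr in
        ''|*[!A-Z0-9_]*) echo "set_default_attr: bad attribute name '$attr'" >&2; return 2 ;;
    esac
    case $value in
        ''|*[!A-Za-z0-9_,:./-]*) echo "set_default_attr: bad value '$value'" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "set_default_attr: no such file '$file'" >&2; return 2; }
    cp -p "$file" "$file.bak" || return 1
    tmp="$file.tmp.$$"
    awk -v a="$attr" -v v="$value" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line !~ /^#/ && index(line, a "=") == 1 {
            if (!done) { print a "=" v; done = 1 }   # first active hit replaced
            next                                     # later duplicates dropped
        }
        { print }
        END { if (!done) print a "=" v }             # absent: append
    ' "$file" > "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
}

# show_active_attr FILE ATTR: print the active ATTR= lines (there should be one).
show_active_attr() {
    grep "^$2=" "$1"
}

# Demonstration on a constructed sample; the values are not HP's defaults.
tmpdir=$(mktemp -d)
f=$tmpdir/security
cat > "$f" <<'EOF'
# constructed sample of /etc/default/security
PASSWORD_MIN_UPPER_CASE_CHARS=0
# PASSWORD_MIN_UPPER_CASE_CHARS=1   (old value, kept as a comment)
MIN_PASSWORD_LENGTH=8
EOF
set_default_attr "$f" PASSWORD_MIN_UPPER_CASE_CHARS 2   # replace
set_default_attr "$f" PASSWORD_MIN_DIGIT_CHARS 1        # append
echo "--- $f after edit ---"; cat "$f"
echo "--- active PASSWORD_MIN_UPPER_CASE_CHARS lines ---"
show_active_attr "$f" PASSWORD_MIN_UPPER_CASE_CHARS
rm -rf "$tmpdir"
```

After the edit, remember the NOTE above: the new password value is only enforced the next time each user changes a password, so reading the file back confirms the configuration, not that every account already complies.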

User Database Components

The user database feature of HP-UX SMSE includes files, commands, manpages, and per-user attributes you can apply to specific users on your HP-UX system. All these elements of the user database are described in the following sections.

Configuration Files

Table 4-1 briefly describes the files you use with the user database.

Table 4-1 User Database Configuration Files

File               Description
/var/adm/userdb    Stores most per-user information.


Commands

Table 4-2 briefly describes the commands you can use to modify and administer entries in the user database.

Table 4-2 User Database Commands

Command      Description
userdbset    Changes attribute values configured in the user database.
userdbget    Displays attribute values configured in the user database.
userdbck     Verifies the integrity of the information in the user database.
userstat     Reports the status of local user accounts.


Attributes

The following security attributes are available for individual users:

Table 4-3 User Attributes

Attribute                        Description
ALLOW_NULL_PASSWORD              Allows or denies login with a null password.
AUDIT_FLAG                       Audits or stops auditing the user.
AUTH_MAXTRIES                    Defines the number of login failures allowed before a user is locked out of the system.
DISPLAY_LAST_LOGIN               Displays information about the user's last login.
LOGIN_TIMES                      Restricts login time periods.
MIN_PASSWORD_LENGTH              Defines the minimum password length.
NUMBER_OF_LOGINS_ALLOWED         Defines the number of simultaneous logins allowed per user.
PASSWORD_HISTORY_DEPTH           Defines the password history depth.
PASSWORD_MIN_LOWER_CASE_CHARS    Defines the minimum number of lowercase characters required in a password.
PASSWORD_MIN_UPPER_CASE_CHARS    Defines the minimum number of uppercase characters required in a password.
PASSWORD_MIN_DIGIT_CHARS         Defines the minimum number of digit characters required in a password.
PASSWORD_MIN_SPECIAL_CHARS       Defines the minimum number of special characters required in a password.
UMASK                            Defines the umask for file creation.


NOTE: The previous list contains only security attributes that can be configured in the user database. For a complete list of HP-UX system security attributes, refer to security(4).

Manpages

Table 4-4 briefly describes the manpages you use with the user database.

Table 4-4 User Database Manpages

Manpage          Description
userdb(4)        Provides an overview of the use of the user database.
userdbset(1M)    Describes userdbset functionality and syntax.
userdbget(1M)    Describes userdbget functionality and syntax.
userdbck(1M)     Describes userdbck functionality and syntax.
userstat(1M)     Describes userstat functionality and syntax.


Configuring Attributes in the User Database

In previous HP-UX systems, security attributes and password policy restrictions were set on a systemwide basis. With HP-UX SMSE, you can configure some security attributes on a per-user basis. Attributes configured per user override the systemwide configured attributes.

To modify a user's attribute values, follow these steps:

  1. Decide which users to modify and which attributes will apply to them.

    For example, you want user joe to be able to log in to the system only from 8am to 5pm on Mondays.

  2. Change the attributes using the userdbset command as follows:

    # userdbset -u user-name attribute-name=attribute-value

    For example, to specify that user joe can log in to the system only from 8am to 5pm on Mondays, enter:

    # userdbset -u joe LOGIN_TIMES=Mo0800-1700
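A LOGIN_TIMES value that userdbset accepts but that does not mean what you intended (a reversed range, a mistyped day) leaves the account less restricted than the change request says. The script below is an added example, not HP's code: it validates a LOGIN_TIMES value of the form shown on this page (Mo0800-1700) before calling userdbset, then reads the account back with userdbget. The function names (is_day, valid_hhmm, valid_login_times, set_login_times) are mine, and the extra forms the validator accepts beyond the page's example (the Wk and Any keywords, a Day-Day range such as Mo-Fr, comma-separated lists, 2400 as an end-of-day marker) are assumptions based on my reading of security(4); confirm them against that manpage on your system. Off an HP-UX host, where userdbset is not on PATH, the wrapper only reports the command it would run.

```shell
#!/bin/sh
# Added example (not HP's code): validate a LOGIN_TIMES value of the form shown
# on this page (Mo0800-1700) before handing it to userdbset, then read the
# account back with userdbget. ASSUMPTION: besides the two-letter day names,
# the Wk and Any keywords, a Day-Day range such as Mo-Fr, and comma-separated
# lists follow my reading of security(4); confirm them against that manpage
# on your system before relying on this check.

is_day() {
    case $1 in Su|Mo|Tu|We|Th|Fr|Sa) return 0 ;; *) return 1 ;; esac
}

# valid_hhmm HHMM: four digits, hour 00-23 and minute 00-59; 2400 is accepted
# as an end-of-day marker (ASSUMPTION).
valid_hhmm() {
    local h m
    [ "$1" = 2400 ] && return 0
    h=${1%??}; m=${1#??}
    [ "$h" -le 23 ] && [ "$m" -le 59 ]
}

# valid_login_times VALUE: exit 0 if every comma-separated entry is
# <days><HHMM>-<HHMM> with a known day part and a forward-running range.
valid_login_times() {
    local rest="$1" entry days times start end
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        case $rest in
            *,*) entry=${rest%%,*}; rest=${rest#*,} ;;
            *)   entry=$rest;       rest= ;;
        esac
        # peel HHMM-HHMM off the end; whatever remains is the day part
        days=${entry%[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]}
        [ -n "$days" ] && [ "$days" != "$entry" ] || return 1
        times=${entry#"$days"}
        case $days in
            Wk|Any) ;;
            ??-??)  is_day "${days%-*}" && is_day "${days#*-}" || return 1 ;;
            *)      is_day "$days" || return 1 ;;
        esac
        start=${times%-*}; end=${times#*-}
        valid_hhmm "$start" && valid_hhmm "$end" || return 1
        [ "$start" -lt "$end" ] || return 1      # range must run forward
    done
    return 0
}

# set_login_times USER VALUE: refuse a malformed value, otherwise apply it with
# userdbset and show the account's configured attributes with userdbget.
# Off an HP-UX host (no userdbset on PATH) it only reports what it would run.
set_login_times() {
    local user="$1" value="$2"
    valid_login_times "$value" || {
        echo "set_login_times: rejecting LOGIN_TIMES='$value' for $user" >&2
        return 2
    }
    if command -v userdbset >/dev/null 2>&1; then
        userdbset -u "$user" LOGIN_TIMES="$value" || return 1
        userdbget -u "$user"
    else
        echo "would run: userdbset -u $user LOGIN_TIMES=$value"
    fi
}

# Demonstration with the value from this page and two malformed ones.
for v in Mo0800-1700 Mo1700-0800 Mo0800; do
    if valid_login_times "$v"; then echo "$v: ok"; else echo "$v: rejected"; fi
done
set_login_times joe Mo0800-1700
```

The read-back with userdbget after the change is the check that matters: it shows the value the user database actually holds for the account, which is what login will enforce at the user's next login.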

Troubleshooting the User Database

Use the following procedures to troubleshoot the user database.

Problem 1: A user's security attributes seem to be misconfigured. If you suspect that user information is misconfigured in the user database, run the following command:

# userdbget -u username

The attributes configured for the user username are displayed. If an attribute is misconfigured, reconfigure the attribute. Refer to “Configuring Attributes in the User Database” for instructions.

Problem 2: The user database is not functioning properly. If you need to check the user database, run the following command:

# userdbck

The userdbck command identifies and repairs problems in the user database.

© 2008 Hewlett-Packard Development Company, L.P.