2 FORUM TOPICS
- HP-UX UNIX Security
- Sharing files in HP-UX UNIX with Windows
- ExcaliburEDGE Password Validation

High Level/Overview of these 3 topics. Not much detail. Designed to make you aware of what is available. The audience is UNIX users. 3 separate topics. All relate to security on your UNIX server.

3 Presenter
Rod Hunley
Excalibur Systems Support Manager
P2 Energy Solutions

Introduce self. Go around the room and have them introduce themselves. State your name, company, and title/job description.

4 STS Staff
- Tony Castillo
- Jim Cannon
- Rod Hunley
- Byron Ward
- Kham Laychaypha

Tony 10+, Jim almost 10, Rod 8+, Byron, Kham. Paul Idland returning in November.

5 OVERVIEW
HP-UX UNIX Security
- Importance of security
- Definitions
- HP-UX with un-trusted mode
- HP-UX with shadow passwords
- HP-UX with TCB (trusted mode)
- HP-UX & PAM/NTLM
- HP-UX & TCB & PAM/NTLM
Sharing files in HP-UX UNIX with Windows
- SAMBA
- CIFS/9000

3 Major Topics: HP-UX, CIFS/9000, EDGE/SB+ Password Validation.

7 HP-UX UNIX Security
Importance of security
- Protect corporate information from theft, corruption, or unauthorized access
- Comply with internal IT standards
- Comply with Sarbanes-Oxley (SOX) audits

Why are you here today? Most likely you are an admin and security is one of your most important job responsibilities. SOX topics are very prevalent at this year’s conference.

8 HP-UX UNIX Security
Definitions
- What is a login? The UNIX program which reads and verifies a user's user name and password and starts an interactive session.
- Why is a user name important?
    - Only authenticated users are allowed access to the UNIX server
    - Access to programs/files is based on user names and groups
- How does the verification work? The entered user name is compared to a list of names in a system file, and then the entered password is compared to the encrypted password stored in a system file.

UNIX is a multi-user, multitasking OS. Have to have a way to manage multiple logins. Can be multiple logins for same user or many logins for different users. Login on UNIX: userid, passwd.

9 HP-UX UNIX Security
HP-UX (un-trusted mode)
Un-trusted mode
- Standard delivery on HP-UX servers
Concept
- Authenticate & validate against /etc/passwd file

Un-trusted is the “out of the box” security implementation for HP-UX. Authenticate – is this a valid userid. Validate – check for valid user and valid password.

10 HP-UX UNIX Security
HP-UX (un-trusted mode)
/etc/passwd file structure (colon delimited)
- username
- encrypted password
- user number
- group number
- 4 optional text fields separated by commas
- user’s home directory
- startup shell

Most of you have dealt with the /etc/passwd file on UNIX, and might be familiar with it. We will review the structure. The 4 optional fields are: Real Name, Office Location, Office Phone, Home Phone. HOME is almost always /home/USERNAME. Startup shell should be /usr/bin/ksh.

11 HP-UX UNIX Security

    # cat /etc/passwd
    root:/.57wLPQp2cV6:0:3::/:/sbin/ksh
    rootlike:/.57wLPQp2cV6:0:3::/:/sbin/ksh
    daemon:*:1:5::/:/sbin/sh
    bin:*:2:2::/usr/bin:/sbin/sh
    sys:*:3:3::/:
    adm:*:4:4::/var/adm:/sbin/sh
    uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico

Here is an example listing of the /etc/passwd file. 1st 15 entries are OS related and created when the OS is loaded/ignited by HP before delivery to client. Go over root field by field. Ask about /sbin/ksh as shell. Why not /usr/bin/ksh? /usr is not mounted when the system starts up, so it wouldn’t be able to find it. Ask about rootlike? What is it? Why is it bad? Why is it good?

12 HP-UX UNIX Security

    lp:*:9:7::/var/spool/lp:/sbin/sh
    nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
    hpdb:*:27:1:ALLBASE:/:/sbin/sh
    nobody:*:-2:-2::/:
    www:*:30:1::/:
    webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
    smbnull:*:101:101:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
    opc_op:*:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
    unidata:CuRdujgUu53qA:200:200:,,,:/home/unidata:/usr/bin/ksh

Here are the rest of the OS ids. Point out webadmin id. Shell is /usr/bin/false, which means that it can’t be used to login to system. Point out unidata user. State that it is on everyone’s server, P2 uses it for login access to client’s system. Point out unidata group, 200.

13 HP-UX UNIX Security
HP-UX (un-trusted mode)
Ownership & permissions of important files

    # ls -la /etc/passwd
    -r--r--r root sys Aug 20 15:39 /etc/passwd

Issues with this security setup
- Encrypted password is in a world readable file
- Possible that file would be read and passwords “cracked”

Now that we have a little background on userids and the /etc/passwd file, we can examine the issues with an un-trusted system. Ownership and permissions on /etc/passwd file is the biggest issue that IT auditors have with an un-trusted system. Show that world has read on the file.

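The checks an auditor would run against the listing above, as an added example (not part of the original presentation): it parses the seven-field format and reports hashes left in the world-readable file and accounts that share a UID, such as rootlike. The function names are hypothetical, the sample is an excerpt of the slides' own listing, and treating "*" and "x" as non-hash placeholders is an assumption of this sketch.

```python
from collections import namedtuple

# The seven colon-delimited fields described on the /etc/passwd structure slide.
Entry = namedtuple("Entry", "name passwd uid gid gecos home shell")

# Excerpt of the listing shown on the slides (same entries, same values).
SAMPLE_PASSWD = """\
root:/.57wLPQp2cV6:0:3::/:/sbin/ksh
rootlike:/.57wLPQp2cV6:0:3::/:/sbin/ksh
daemon:*:1:5::/:/sbin/sh
sys:*:3:3::/:
nobody:*:-2:-2::/:
webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
unidata:CuRdujgUu53qA:200:200:,,,:/home/unidata:/usr/bin/ksh
"""

# Assumption: "*" (no usable password) and "x" (hash kept elsewhere) are
# placeholders; anything else in field 2 is treated as a real hash.
PLACEHOLDERS = {"*", "x"}
NOLOGIN_SHELLS = {"/usr/bin/false"}


def parse_passwd(text):
    """Split passwd-format text into Entry tuples, rejecting malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(Entry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def audit(entries):
    """Return (account, finding) pairs for the weaknesses the slides point out."""
    findings = []
    by_uid = {}
    for e in entries:
        if e.passwd == "":
            findings.append((e.name, "no password set"))
        elif e.passwd not in PLACEHOLDERS:
            findings.append((e.name, "hash stored in world-readable /etc/passwd"))
        by_uid.setdefault(e.uid, []).append(e.name)
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(("+".join(names), f"accounts share UID {uid}"))
    return findings


def can_log_in(entry):
    """False when the password field is "*" or the shell is a no-login shell."""
    return entry.passwd != "*" and entry.shell not in NOLOGIN_SHELLS


if __name__ == "__main__":
    for account, finding in audit(parse_passwd(SAMPLE_PASSWD)):
        print(f"{account}: {finding}")
```
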
14 HP-UX UNIX Security
HP-UX with shadow passwords
Concept
- Move encrypted passwords to a file that is secure
Requirements
- HP-UX 11.11(i) Only
Implementation
- Install HP supplied software bundle
- Run conversion program
- Reboot

New term – shadow passwords. Issues? Compatibility: can programs that access /etc/passwd function properly? Leave the /etc/passwd structure in place but move the encrypted passwords to a file in another location.

15 HP-UX UNIX Security
HP-UX with shadow passwords
Verification of a shadow password bundle installation

    # swlist
    # Initializing...
    # Contacting target "siafu.petroleumplace.com"...
    #
    # Target: siafu.petroleumplace.com:/
    # Bundle(s):
    .ShadowPassword B HP-UX Shadow Password Bundle

How would you know if your server had shadow passwords enabled? Do a swlist as root, look for the Bundle.

16 HP-UX UNIX Security
HP-UX with shadow passwords
Structure of /etc/passwd with shadow passwords
- Encrypted password is moved and replaced with an “x”

    # cat /etc/passwd (after conversion)
    root:x:0:3::/:/sbin/ksh
    rootlike:x:0:3::/:/sbin/ksh
    daemon:x:1:5::/:/sbin/sh
    bin:x:2:2::/usr/bin:/sbin/sh
    sys:x:3:3::/:
    adm:x:4:4::/var/adm:/sbin/sh
    uucp:x:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
    lp:x:9:7::/var/spool/lp:/sbin/sh
    nuucp:x:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
    hpdb:x:27:1:ALLBASE:/:/sbin/sh
    nobody:x:-2:-2::/:
    www:x:30:1::/:
    webadmin:x:40:1::/usr/obam/server/nologindir:/usr/bin/false
    smbnull:x:101:101:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
    opc_op:x:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
    unidata:x:200:200:,,,:/home/unidata:/usr/bin/ksh
    # ls -la /etc/passwd
    -r--r--r root sys Aug 20 15:39 /etc/passwd

Here is an example of a system with SHADOW passwords enabled. Notice that the encrypted password has been replaced by an “x”. Everything else is the same. Same ownerships and permissions as un-trusted.

17 HP-UX UNIX Security

    # ls -la /etc/shadow
    -r root sys Aug 20 15:39 /etc/shadow
    # cat /etc/shadow
    root:/.57wLPQp2cV6:12650::::::
    rootlike:/.57wLPQp2cV6:12650::::::
    daemon:*:12650::::::
    bin:*:12650::::::
    sys:*:12650::::::
    adm:*:12650::::::
    uucp:*:12650::::::
    lp:*:12650::::::
    nuucp:*:12650::::::
    hpdb:*:12650::::::
    nobody:*:12650::::::
    www:*:12650::::::
    webadmin:*:12650::::::
    smbnull:*:12650::::::
    opc_op:*:12650::::::
    unidata:CuRdujgUu53qA:12650::::::

New file - /etc/shadow. Why is this better? Notice the ownership is same as /etc/passwd. Notice the permissions are different. ONLY root user has read access. EVERYONE else has NO access. Notice the structure of the file: user, encrypted password, a common userid, NOTHING ELSE.

18 HP-UX UNIX Security
HP-UX with TCB (Trusted Mode)
What is TCB?
The Hewlett-Packard C2-level trusted system consists of the HP-UX operating system configured in trusted mode and its commands, utilities, and subsystems along with supported hardware. This results in a system designed to meet the criteria of a C2-level trusted system, as described in Section 2.2 of the Department of Defense Trusted Computer System Evaluation Criteria, DOD STD, December 1985, and the E3/FC2 security level as defined by the Information Technology Security Evaluation Criteria (ITSEC) established by the European Community.

New term – TCB, Trusted Computing Base. TCB is referred to as Trusted Mode or Trusted System. What does it all mean? It means that it meets a set of DOD criteria.

19 HP-UX UNIX Security
HP-UX with TCB (Trusted Mode)
Why is TCB better than un-trusted system or shadow password system?
- Provides more stringent password authentication and system auditing
- Terminal access control
- Time-based access controls

See references for link to the “Administering Your HP-UX Trusted System”.
- Password – Format: System generated or user selected
- Aging
- General Account Policies
- Terminal Policies – unsuccessful login tries, delay between retries, login timeout value
- Terminal access – which terminals a user can login from
- Time-based – what days and what times a user has access
- Auditing – Very detailed

20 HP-UX UNIX Security
HP-UX with TCB (Trusted Mode)
How is it implemented?
- An understanding of the trusted system structure
- A lot of planning
- Train support personnel
- Run SAM to run conversion to TCB
- Be prepared initially for questions/problems

Read the guide and understand what you are getting into. Can’t do enough planning. Have at least one backup person. Check your /etc/passwd file with pwck and /etc/group with grpck before running the conversion; if there are problems, conversion will fail. After conversion, you MUST modify /etc/profile to put a umask 002 statement so that user-created files get created with 664 permissions. Be familiar with the utility programs that unlock user accounts: SAM and command line.

21 HP-UX UNIX Security
HP-UX with TCB (Trusted Mode)
Encrypted password is moved and replaced with an “*”

    # cat /etc/passwd (after conversion to trusted system)
    root:*:0:3::/:/sbin/ksh
    daemon:*:1:5::/:/sbin/sh
    bin:*:2:2::/usr/bin:/sbin/sh
    sys:*:3:3::/:
    adm:*:4:4::/var/adm:/sbin/sh
    uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
    lp:*:9:7::/var/spool/lp:/sbin/sh
    nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
    hpdb:*:27:1:ALLBASE:/:/sbin/sh
    www:*:30:1::/:
    webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
    smbnull:*:103:103:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
    opc_op:*:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
    tftp:*:510:8:Trivial FTP user:/usr/tftpdir:/usr/bin/false
    nsmail:*:110:101:NetScape Mail,,,:/home/nsmail:/usr/bin/sh
    mailsrv:*:102:101:Netscape Mail Server,,,:/home/mailsrv:/usr/bin/sh
    unidata:*:204:200:unidata user:/home/unidata:/usr/bin/ksh

Example of the /etc/passwd file after conversion to Trusted. Note the encrypted field is replaced with a “*”.

22 HP-UX UNIX Security
HP-UX with TCB (Trusted Mode)

    # ls -ld /tcb
    dr-xr-x--x 3 root sys Apr 29 13:36 /tcb
    # ls -ld /tcb/files
    drwxrwx--x 3 root sys Apr 29 13:36 /tcb/files
    # ls -ld /tcb/files/auth
    drwxrwx--x 55 root sys Apr 29 13:36 tcb/files/auth
    # cd /tcb/files/auth
    # ls
    A G M S Y e k q v
    B H N T Z f l r w
    C I O U a g m s x
    D J P V b h n system y
    E K Q W c i o t z
    F L R X d j p u
    # ls -ld /tcb/files/auth/u
    drwxrwx root sys Aug 20 21:30 u

Note the paths to the new location of the information on user accounts. /tcb/files/auth – directory for each alphabetic character (upper and lower). Users are in these directories. Note the ownership and permissions for the /tcb/files/auth/u directory.

23 HP-UX UNIX Security
HP-UX with TCB (Trusted Mode)

    # cd u
    # ls -la
    total 8
    drwxrwx root sys Aug 20 21:30 .
    drwxrwx--x 55 root sys Apr 29 13:36 ..
    -rw-rw-r root root Aug 20 21:30 unidata
    -rw-rw-r root root Apr 29 13:36 ursetta
    -rw-rw-r root root Apr 29 13:36 uucp
    # cat unidata
    unidata:u_name=unidata:u_id#204:\
    :u_pwd=P36658YzF7/z6:\
    :u_auditid#22:\
    :u_auditflag#1:\
    :u_pswduser=unidata:u_suclog# :u_unsuclog# :u_unsuctty=pts/ta:\

We are headed to the location where the unidata user id is located. Notice that each user is a file. There is a general security policy for all users in effect. These are the items that are unique for each user. Notice the user id 204 and encrypted password are just a couple of the more important items. The man page for prpwd will show all of the possible options.

24 HP-UX UNIX Security
HP-UX & PAM/NTLM
What is PAM?
The pluggable authentication module (PAM) framework provides the ability to incorporate multiple authentication mechanisms into an existing system through the use of pluggable modules. The PAM framework consists of a library, pluggable modules, and a configuration file. “Out-of-the-box” HP-UX PAM is set to perform UNIX authentication; however, other types can be plugged in, for example, NTLM and Kerberos 5, used by Windows Active Directory.
Concept
- Authenticate UNIX logins against Windows Active Directory, not the UNIX password files

Now we are switching to a completely different method of authentication/validation! New terms: PAM, NTLM and Kerberos 5.
- PAM – Pluggable Authentication Module – HP-UX is PAM aware
- NTLM – NT Loadable Module – Older Windows compatibility
- Kerberos – An MIT-developed network authentication protocol. Stronger security than NTLM
Concept is to validate against AD. What are we trying to do? A single point of control for both Windows AD and UNIX ids and passwords.

25 HP-UX UNIX Security
HP-UX & PAM/NTLM
What are the prerequisites?
- CIFS/9000 (Samba) must be:
    - installed
    - running in Domain Authentication mode
- UNIX server must have joined the Domain
- UNIX /etc/passwd file still has to exist and new users created on UNIX server
    - This depends upon combinations of sufficient vs. required
How is it implemented?
- Replace and configure /etc/pam.conf file

Prerequisites include CIFS/9000, which we haven’t yet talked about. That is the next major topic after HP-UX UNIX Security. Still have to have UNIX users set up on the UNIX server. Can be un-trusted, shadow, or TCB. How these passwords are used depends on how PAM is configured.

26 HP-UX UNIX Security
HP-UX & PAM/NTLM
Sample /etc/pam.conf

    # cat /etc/pam.conf
    #
    # PAM Configuration
    # Account Management
    dtaction account required /usr/lib/security/libpam_unix.1
    dtlogin account required /usr/lib/security/libpam_unix.1
    ftp account required /usr/lib/security/libpam_unix.1
    login account sufficient /usr/lib/security/libpam_ntlm.1
    login account required /usr/lib/security/libpam_unix.1
    su account required /usr/lib/security/libpam_unix.1
    OTHER account required /usr/lib/security/libpam_unix.1
    # Authentication Management
    dtaction auth required /usr/lib/security/libpam_unix.1
    dtlogin auth required /usr/lib/security/libpam_unix.1
    ftp auth required /usr/lib/security/libpam_ntlm.1

Sample /etc/pam.conf file. Notice the groups – Account, Authentication, Password, Session Management. PAM uses new terms and concepts:
- stacked – meaning the order of execution is top down
- sufficient – means that if present it will use it
- required – self explanatory
Account – for login, having an AD account is sufficient but not necessary; if there is no AD account, then a UNIX account is required.

27 HP-UX UNIX Security

    login auth sufficient /usr/lib/security/libpam_ntlm.1
    login auth required /usr/lib/security/libpam_unix.1 try_first_pass
    su auth required /usr/lib/security/libpam_unix.1
    OTHER auth required /usr/lib/security/libpam_unix.1
    #
    # Password Management
    dtaction password required /usr/lib/security/libpam_unix.1
    dtlogin password required /usr/lib/security/libpam_unix.1
    login password sufficient /usr/lib/security/libpam_ntlm.1
    login password required /usr/lib/security/libpam_unix.1
    passwd password required /usr/lib/security/libpam_unix.1
    OTHER password required /usr/lib/security/libpam_unix.1
    # Session Management
    dtaction session required /usr/lib/security/libpam_unix.1
    dtlogin session required /usr/lib/security/libpam_unix.1
    login session required /usr/lib/security/libpam_unix.1
    OTHER session required /usr/lib/security/libpam_unix.1

Authentication – for login, it will try AD authentication for userid, if it fails then it will try the Unix next, if it fails it will start over again with AD. Password management – for login, it will try AD password first, if it fails then it will try Unix next.

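How the stacked "sufficient" and "required" entries in the sample pam.conf combine, as an added example (not part of the original presentation or of HP-UX PAM itself). It is a simplified model of the usual PAM control-flag rules; module results are simulated through a dictionary, and the function names are hypothetical.

```python
# Excerpt of the sample /etc/pam.conf from the slides (auth entries only).
SAMPLE_PAM_CONF = """\
# Authentication Management
dtlogin auth required   /usr/lib/security/libpam_unix.1
ftp     auth required   /usr/lib/security/libpam_ntlm.1
login   auth sufficient /usr/lib/security/libpam_ntlm.1
login   auth required   /usr/lib/security/libpam_unix.1 try_first_pass
su      auth required   /usr/lib/security/libpam_unix.1
OTHER   auth required   /usr/lib/security/libpam_unix.1
"""

NTLM, UNIX = "libpam_ntlm.1", "libpam_unix.1"


def load_stack(conf_text, service, module_type="auth"):
    """Return [(control, module_name)] for a service, falling back to OTHER."""
    stacks = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 4 or parts[1] != module_type:
            continue
        svc, _, control, path = parts[:4]
        stacks.setdefault(svc, []).append((control, path.rsplit("/", 1)[-1]))
    return stacks.get(service, stacks.get("OTHER", []))


def evaluate(stack, outcomes):
    """Walk the stack top down; outcomes maps module name -> True/False (simulated).

    Returns (granted, modules_called).
    """
    required_failed = False
    required_passed = False
    called = []
    for control, module in stack:
        ok = outcomes[module]
        called.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, called      # stop: later modules are never consulted
        elif control == "required":
            if ok:
                required_passed = True
            else:
                required_failed = True   # keep going, but the result is now "deny"
        elif control != "optional":
            raise ValueError(f"unsupported control flag: {control}")
    return required_passed and not required_failed, called


if __name__ == "__main__":
    login = load_stack(SAMPLE_PAM_CONF, "login")
    for ad_ok, unix_ok in [(True, False), (False, True), (False, False)]:
        granted, called = evaluate(login, {NTLM: ad_ok, UNIX: unix_ok})
        print(f"AD={ad_ok} UNIX={unix_ok} -> granted={granted}, called={called}")
```

With this stack, a successful AD check ends the login decision before libpam_unix is consulted, while ftp depends on the NTLM module alone and any service not listed falls through to the OTHER entry.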
28 HP-UX UNIX Security
HP-UX & TCB & PAM/NTLM
Concept
- Authenticate user against Windows Active Directory while having the UNIX passwords in a secure location
Implementation
- This is a combination of two previously discussed methods

Here we have the granddaddy of them all. Concept. Implementation – This is a combo of the most secure UNIX password scheme and using a single point of password maintenance. What are the advantages? Secure, complex. What is the disadvantage? Complex, might be overkill, still have to maintain UNIX users and passwords. Compatibility an issue? ftp will use PAM authentication. UniODBC is a problem. It doesn’t use PAM authentication; it still only uses the Unix password.

29 HP-UX UNIX File Sharing
SAMBA
What is it?
Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients. Samba is software that can be run on a platform other than Microsoft Windows that allows the host to interact with a Microsoft Windows client or server as if it is a Windows file and print server.

Now we are starting the 2nd Major Topic of this forum, UNIX File Sharing. What is Samba? Yes, it is a dance. Open source software that allows interaction between non-Windows platform and Windows. Runs in client and server mode.

30 HP-UX UNIX File Sharing
CIFS/9000
What is it?
CIFS/9000 provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. CIFS/9000 implements both the server and client components of the CIFS protocol on HP-UX.
The current CIFS/9000 Server (version A.01.08) is based on the well-established open-source software Samba, version 2.2.3a, and provides file and print services to CIFS clients including Windows NT, XP, 2000 and HP-UX machines running CIFS/9000 Client software.

Another new term – CIFS/9000. COMMON INTERNET FILE SYSTEM protocol. HP’s implementation of Samba. Provides file and print services; we mainly use the file services.

31 HP-UX UNIX File Sharing
CIFS/9000
What is CIFS/9000 used for in ExcaliburEDGE software?
- Its main function in ExcaliburEDGE is to allow a Windows-based PC to map a network drive to a directory structure on a UNIX server
- It allows the Windows user the ability to “drag ’n’ drop” files to and from the UNIX server to previously configured locations

Why do we need CIFS/9000 or Samba?
- As previously stated, it is required by PAM/NTLM
- Map drive from PC to location on UNIX server
Why is drive mapping to UNIX server important?
- To get or put files on the UNIX server
- Getting data from the HOLD area, i.e. results of queries that will be imported into spreadsheets, etc.
- Putting data into EDI, GL uploads
- EDGE Help is Windows based, uses a CIFS/9000 share set up in ENV295
- Can use instead of ftp if properly configured

32 HP-UX UNIX File Sharing
CIFS/9000
How is it implemented?
- Preloaded on all new HP servers
- Can be installed from a HP supplied depot file
- May require HP-UX patches before installation

HP has it preloaded on all new servers. Required on all UNIX servers for Sequel or EDGE.

33 HP-UX UNIX File Sharing
CIFS/9000
Considerations
- Authentication options
    - Domain
    - User
    - Share
- HP-UX user ids
    - ids same as Windows
    - ids different than Windows
- Sharing
    - Define UNIX directories to be shared
- Permissions
    - Read only
    - Write

Now that we know what it is and what it is used for, what are some of the things that we need to consider:
- Authentication – domain, user, share. Domain should be your only consideration.
- UNIX ids – Should be same as Windows AD; if not, then need to maintain a usermap.txt file that translates the ids.
- Shares – need to determine what to share. Be CAREFUL. Don’t share high level directories like /sb or /sb/SB.EXC or /sb/SB.EXC/data. Be very specific for shares.
- Permissions on share directories – Determine your needs, only give what is needed. HOLD area might be read only so that modified HOLD files can’t be put back on server. The GVMI.UPLOAD directory would have to be write since you are putting information into it.

34 HP-UX UNIX File Sharing
CIFS/9000
Configuration
- smb.conf
    - man smb.conf
- HP-UX server joins the Domain
    - man smbpasswd
Use
- PCs use Windows Explorer to map drives to shares on UNIX server

How do we configure this thing? The man pages for smb.conf give you more than everything you could possibly need to know. STS will assist. There is a HP-UX kernel parameter that is very important to allow CIFS/9000 to properly join or stay connected to the Windows AD. Windows Sysadmin has to set up a Domain machine account on the AD. Then HP admin has to join the Windows AD with the smbpasswd command. We have already talked about the uses.

35 HP-UX UNIX File Sharing
CIFS/9000
Sample /etc/opt/samba/smb.conf

    # Samba config file created using SWAT
    # from ( )
    # Date: 2003/06/18 15:01:33
    # Global parameters
    [global]
    workgroup = EAED1
    netbios name = HELIOS
    security = DOMAIN
    encrypt passwords = Yes
    password server = devnt2
    username map = /etc/opt/samba/usermap.txt
    printcap name = /var/opt/samba/printers
    local master = No
    wins server =
    guest account = ftp
    [printers]
    path = /var/spool/lp/public
    guest ok = Yes
    printable = Yes

Here is an example of the smb.conf file. Note the location /etc/opt/samba. Also note the comments. What is SWAT? It is a web browser configuration utility for Samba. It is usually easier to use vi and edit the file with the editor. Notice the structure of the file: global, printers, homes, tmp, hold, GVMI_UPLOAD, alltests are called stanzas.
Global:
- workgroup is domain name
- netbios name is computer name
- security – DOMAIN means that it will use the AD to authenticate/validate a request for a share on the UNIX server
- password server – the dns name of the AD password server
- username map is the name and location of the file to translate Windows to UNIX userids if not same on both servers
- wins server – the AD wins server to resolve names

36 HP-UX UNIX File Sharing
CIFS/9000
Sample /etc/opt/samba/smb.conf (continued)

    [homes]
    comment = Home Directories
    path = /home/%S
    writeable = Yes
    create mask = 0775
    [tmp]
    comment = /tmp on helios
    path = /tmp
    guest ok = Yes

This is an example from a P2ES server. homes is a share. Every user can map a drive from their PC to their home directory on the UNIX server. Not much use since no EDGE files are written to home directories. tmp is very useful for transferring files to and from a UNIX server for the Administrator. Note that it is writeable and creates files with 775 permission.

37 HP-UX UNIX File Sharing
Sample /etc/opt/samba/smb.conf (continued)

    [hold]
    comment = /sb/SB.EXC/_HOLD_ on helios
    path = /sb/SB.EXC/_HOLD_
    writeable = Yes
    create mask = 0775
    guest ok = Yes
    [GVMI_UPLOAD]
    comment = /sb/SB.EXC/data/GL/GVMI_UPLOAD on helios
    path = /sb/SB.EXC/data/GL/GVMI_UPLOAD
    [alltests]
    comment = /sb/SB.EXC/data/EDI/alltests
    path = /sb/SB.EXC/data/EDI/alltests

This is a continuation of the smb.conf file. This shows 3 of the most commonly used shares in EDGE. Note the case of the shares. Note the case of the directory paths; they have to be valid. Be careful not to share high level directories. Note GVMI_UPLOAD is under data/GL and is specific to that folder. If a higher level, like GL, was shared, users could accidentally delete your UTM or TH files. NOT GOOD.
Wrap-up – Very useful and powerful utility. Good case for open source software.

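A review pass over share stanzas that applies the two cautions from the notes above (no high-level directories, only the permissions that are needed), as an added example that is not part of the original presentation. The [sbroot] stanza is constructed for illustration, the function names are hypothetical, and the list of too-broad paths is taken from the speaker notes.

```python
import configparser

# Share stanzas from the sample smb.conf on the slides, plus one constructed
# stanza ([sbroot]) that breaks the "no high-level directories" advice.
SAMPLE_SMB_CONF = """\
[global]
security = DOMAIN
guest account = ftp
wins server =

[homes]
path = /home/%S
writeable = Yes
create mask = 0775

[tmp]
path = /tmp
guest ok = Yes

[hold]
path = /sb/SB.EXC/_HOLD_
writeable = Yes
create mask = 0775
guest ok = Yes

[GVMI_UPLOAD]
path = /sb/SB.EXC/data/GL/GVMI_UPLOAD

[sbroot]
path = /sb/SB.EXC/data
writeable = Yes
"""

# Directories the speaker notes say not to share (GL is the "NOT GOOD" case).
TOO_BROAD = {"/sb", "/sb/SB.EXC", "/sb/SB.EXC/data", "/sb/SB.EXC/data/GL"}
TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}


def is_on(section, *names):
    """True if any of the synonymous boolean parameters is set to a true value."""
    return any(section.get(n, "").strip().lower() in TRUE_WORDS for n in names)


def audit_shares(conf_text):
    """Return (share, finding) pairs; the [global] stanza is skipped."""
    # interpolation=None keeps Samba's %S variable from being read as Python's.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        if name.lower() == "global":
            continue
        share = cp[name]
        path = share.get("path", "").strip()
        norm = path.rstrip("/") or path          # "/" stays "/"
        writable = (is_on(share, "writeable", "writable", "write ok")
                    or share.get("read only", "").strip().lower() in FALSE_WORDS)
        guest = is_on(share, "guest ok", "public")
        if path and (norm == "/" or norm in TOO_BROAD):
            findings.append((name, f"shares high-level directory {norm}"))
        if guest and writable:
            findings.append((name, "guest ok and write access both enabled"))
    return findings


if __name__ == "__main__":
    for share, finding in audit_shares(SAMPLE_SMB_CONF):
        print(f"[{share}] {finding}")
```
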
38 ExcaliburEDGE Password Validation
Setups
- User
- Group
- Menus

Now we are at the 3rd and last topic for this forum. EDGE runs on the SB+ development platform and has its own internal security setups. Will discuss user and group; menus will not be covered. Menu access is very specific and must be carefully designed and implemented.

39 ExcaliburEDGE Password Validation
Default (as delivered by IBM)
- Authentication against the SB+ security files
- Password is validated against the SB+ encrypted password
- No password composition rules are in effect
- Null password is allowed

What happens behind the scenes when you login to EDGE? Someone would already have set up a userid for you that would define what you have access to. The EDGE encrypted password is stored in a file and your login id and password are authenticated and validated against these files.

40 ExcaliburEDGE Password Validation

This is the user security setup screen that shows a password, but it is encrypted.

41 ExcaliburEDGE Password Validation
SB Supplied
SB+ password validation can be turned on by STS staff. It will enforce the following rules:
1. Password that contains a sequence of letters or numbers of 3 or more, such as ABC, or 123.
2. Password that contains repetitive characters of 3 or more, such as using the same letter 3 times in a row, like AAA.
3. Password cannot contain a comma.
4. Password cannot be one of the last 10 passwords used.
5. Password cannot be all numeric.
6. Password cannot be null.
7. Password cannot be the same as the user id.
8. Password must be between 4-50 characters.

What if you don’t like the lack of password controls supplied by SB+? IBM has supplied a means of implementing a set of 8 predetermined rules that will be enforced. Go over the list. All but the last would be acceptable to IT auditors. 4 character passwords might not be acceptable.

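The eight rules listed above written out as a checker, as an added example; it is not SB+ code and not part of the original presentation. Assumptions of this sketch: "sequence" means an ascending run such as ABC or 123, comparisons ignore letter case, and the password history is passed in as plain strings (a real store would hold hashes). Function and parameter names are hypothetical.

```python
def has_run(password, length=3):
    """Rule 1: an ascending run of letters or digits, e.g. ABC or 123."""
    s = password.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue                      # mixed chunks such as "b12" do not count
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(length - 1)):
            return True
    return False


def has_repeat(password, length=3):
    """Rule 2: the same character `length` times in a row, e.g. AAA."""
    s = password.lower()
    return any(len(set(s[i:i + length])) == 1
               for i in range(len(s) - length + 1))


def violations(password, user_id, history=(), min_len=4, max_len=50):
    """Return the numbers (1-8) of the listed rules that the password breaks.

    history is ordered oldest to newest; only the last 10 entries are checked.
    min_len/max_len default to the 4-50 range given in rule 8.
    """
    broken = []
    if has_run(password):
        broken.append(1)
    if has_repeat(password):
        broken.append(2)
    if "," in password:
        broken.append(3)
    if password in list(history)[-10:]:
        broken.append(4)
    if password.isdigit():
        broken.append(5)
    if password == "":
        broken.append(6)
    if password.lower() == user_id.lower():
        broken.append(7)
    if not min_len <= len(password) <= max_len:
        broken.append(8)
    return broken


if __name__ == "__main__":
    # Constructed sample inputs; "rhunley" is a made-up user id.
    for candidate in ["", "1234", "xabcx9", "paaass", "k9,mzq", "Wint3r!Rain"]:
        print(repr(candidate), violations(candidate, "rhunley"))
```

Raising `min_len` shows the effect of the longer minimum an auditor may ask for: `violations("1234", "rhunley", min_len=8)` also reports rule 8.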
42 ExcaliburEDGE Password Validation
Custom
- SB Supplied rules + custom programming
    - Lock account after a user defined number of unsuccessful tries
- Custom programming
    - More stringent password composition rules
    - Plus rules 1-4 of the 8 SB supplied rules

What if you or your auditors want more than the 8 rules? IBM has supplied hooks into the system that allow for custom programming to define and implement user defined rules. Rules 1-4 of the SB+ supplied rules are retained, and then all of the user specified/designed/programmed rules are checked. If you need something more than the 8 rules, let’s talk later.

43 REFERENCES
- Administering Your HP-UX Trusted System
- SAMBA
- CIFS/9000

Here are the references to TCB, SAMBA, CIFS/9000. Thanks for coming. Please fill out your evaluations of this forum.