Password policies - Trusted and Non-Trusted

Saturday, 3 March 2012

Non-Trusted Systems
Configuration files used to set/get password policies:

/etc/default/security
/etc/shadow

There are few options to configure on a non-trusted system, such as the password expiration and the number of weeks before the password can be changed again.
You can check the security(4) man page for more details.
If you are using a non-trusted system, it is recommended to at least enable shadow passwords to improve security; you can then set some rules individually with the passwd command, such as the password age (check its man page). Use pwconv to enable shadow passwords, and use pwck to check the integrity of /etc/passwd and /etc/shadow.
The following attributes, defined in /etc/default/security, apply to shadow passwords:
INACTIVITY_MAXDAYS
Number of days before expiring an account for inactivity.
PASSWORD_MINDAYS
Minimum number of days before a password can be changed.
PASSWORD_MAXDAYS
Maximum number of days that passwords are valid.
PASSWORD_WARNDAYS
Number of days before warning users of password expiration.
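As an added example (not part of the original post), the script below compares the aging fields of an /etc/shadow file against the PASSWORD_MINDAYS and PASSWORD_MAXDAYS values read from /etc/default/security and reports accounts that are weaker than policy. Both file paths are arguments, and the sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit the password-aging fields
# in an /etc/shadow file against the PASSWORD_* values of /etc/default/security.
# Both paths are arguments so the check can run on copies of the files offline.

# Print the value of KEY from a security(4)-style file, or DEFAULT if unset.
get_policy() {   # get_policy FILE KEY DEFAULT
    val=$(awk -F= -v k="$2" '$1 == k { sub(/[[:space:]#].*/, "", $2); print $2; exit }' "$1")
    [ -n "$val" ] && echo "$val" || echo "$3"
}

# Report accounts whose aging fields are weaker than policy, one "user:reason"
# per line. Locked / no-password entries are skipped. Exit 1 if any were found.
audit_shadow() {   # audit_shadow SHADOW_FILE SECURITY_FILE
    maxdays=$(get_policy "$2" PASSWORD_MAXDAYS 90)
    mindays=$(get_policy "$2" PASSWORD_MINDAYS 0)
    awk -F: -v maxdays="$maxdays" -v mindays="$mindays" '
        # shadow fields: name:passwd:lastchg:min:max:warn:inactive:expire:flag
        $2 == "*" || $2 == "!" || $2 == "NP" { next }
        $5 == "" || $5 + 0 > maxdays + 0 { print $1 ":max=" ($5 == "" ? "none" : $5); bad = 1 }
        $4 == "" || $4 + 0 < mindays + 0 { print $1 ":min=" ($4 == "" ? "none" : $4); bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample inputs (not real system files) so the example runs offline.
SEC=$(mktemp); SHD=$(mktemp)
trap 'rm -f "$SEC" "$SHD"' EXIT
cat >"$SEC" <<'EOF'
# constructed /etc/default/security fragment
PASSWORD_MINDAYS=7
PASSWORD_MAXDAYS=90
PASSWORD_WARNDAYS=14
INACTIVITY_MAXDAYS=30
EOF
cat >"$SHD" <<'EOF'
root:$1$abc:15400:7:90:14:30::
ops:$1$def:15400::::::
appuser:$1$ghi:15400:0:365:7:::
daemon:*:15400::::::
EOF

# Expected report: ops has no aging set at all, appuser exceeds both limits.
audit_shadow "$SHD" "$SEC" || echo "non-conforming accounts found"
```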

Trusted Systems

Configuration files used to set password policies:

/etc/default/security
/tcb/files/auth/system/default
/tcb/files/auth/*

You have many options to configure on a Trusted System. All those configuration files are ASCII files, so you can edit them by hand, but that is not recommended; the best way is to do it through SAM.

The file /tcb/files/auth/system/default holds the global policies for all users; policies that you set individually for a user are stored under /tcb/files/auth/*. If a capability is not explicitly listed for the user, it assumes the default behavior for that capability as specified in the system-wide defaults file /tcb/files/auth/system/default.
There is another file, external to the TCB, /etc/default/security, that can be used to apply further policies, such as PASSWORD_HISTORY_DEPTH. There are significantly more features available in /etc/default/security that do not need a Trusted System to be configured (if the file does not exist, just create it).
You can check the security(4) man page for more details.

After changing anything here, it is a good idea to check the consistency of the authentication database:
root@SERVER[/] authck -vp