Administering user accounts

Security profiles

A security profile is a set of pre-configured values for parameters that control the security behavior of your system, such as how long passwords last, or what privileges are assigned to users. Once you choose a profile, you can switch to another profile, or change any one of the dozens of parameters on an individual basis.

System security profiles

Security profiles

Security parameters Low Traditional Improved High

Passwords

Minimum weeks between changes 0 0 0 2

Expiration warning (weeks) - - 1 6

Lifetime (weeks) infinite infinite 24 12

Minimum length 1 3 6 8

Password required to login no yes yes yes

Logins

Maximum unsuccessful attempts before delay is started 99 99 5 3

Delay between attempts (secs) 0 10 20 20

Time to complete login (secs) 300 60 60 60

Weeks an account can be idle infinite infinite 50 50

Logging threshold for failures infinite infinite 5 1

Networking

Services disabled none none tftp mountd ypupdated rusersd walld sprayd tftp finger systat netstat shell login exec ftp telnet mountd ypupdated ruserd walld sprayd

Audit (if configured)

Action if audit write error disable disable shutdown shutdown

Action if audit log is full disable disable disable switch

Events audited id_auth priv process id_auth
priv process cov_chan id_auth
priv process device cov_chan audit id_auth
priv process device cov_chan audit file_access io_cntl printer sched

Other

root login on console only no no yes yes

Console <Ctrl><Alt><Del> allowed no no no no

su(1) use logged no no yes yes

Default umask[1] 022 022 027 077

UIDs reusable[2] yes yes yes yes

Users can schedule jobs allow allow deny deny

Home directory permissions 755 755 750 700

Restricted chown(1)[3] no no yes yes

Remote printing access allowed yes yes no no

Notes:

		Security profiles
Security parameters	Low	Traditional	Improved	High
Passwords
Minimum weeks between changes	0	0	0	2
Expiration warning (weeks)	-	-	1	6
Lifetime (weeks)	infinite	infinite	24	12
Minimum length	1	3	6	8
Password required to login	no	yes	yes	yes
Logins
Maximum unsuccessful attempts before delay is started	99	99	5	3
Delay between attempts (secs)	0	10	20	20
Time to complete login (secs)	300	60	60	60
Weeks an account can be idle	infinite	infinite	50	50
Logging threshold for failures	infinite	infinite	5	1
Networking
Services disabled	none	none	tftp mountd ypupdated rusersd walld sprayd	tftp finger systat netstat shell login exec ftp telnet mountd ypupdated ruserd walld sprayd
Audit (if configured)
Action if audit write error	disable	disable	shutdown	shutdown
Action if audit log is full	disable	disable	disable	switch
Events audited	id_auth priv process	id_auth priv process cov_chan	id_auth priv process device cov_chan audit	id_auth priv process device cov_chan audit file_access io_cntl printer sched
Other
root login on console only	no	no	yes	yes
Console <Ctrl><Alt><Del> allowed	no	no	no	no
su(1) use logged	no	no	yes	yes
Default umask[1]	022	022	027	077
UIDs reusable[2]	yes	yes	yes	yes
Users can schedule jobs	allow	allow	deny	deny
Home directory permissions	755	755	750	700
Restricted chown(1)[3]	no	no	yes	yes
Remote printing access allowed	yes	yes	no	no

These are located in /etc/profile and /etc/cshrc. A umask of 077 results in the creation of files that are readable only by the owner.
Deleted UIDs are reserved for 12 months to prevent assignment to a new user - See ``Limiting reuse of UIDs''.
For BSD/FIPS compatibility, use of the chown(1) function is restricted so that users cannot change file ownership.