Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-40445 | GEN000000-HPUX0220 | SV-52432r2_rule | IAIA-1 | Medium |
Description |
---|
Best-practice standard operating procedures for computing systems include account management. If the root account is allowed to be configured without a password, or is not configured to lock when there have been no logins to the root account for an organization-defined time interval, the entire system can be compromised. |
STIG | Date |
---|---|
HP-UX 11.23 Security Technical Implementation Guide | 2015-06-12 |
Check Text ( C-47005r2_chk ) |
---|
If the system is configured for Trusted Mode, this check is not applicable. For Standard Mode with Security Extensions (SMSE): Check the /etc/default/security file for the following attribute(s) and attribute values: `LOGIN_POLICY_STRICT=1`. Command: `# grep "LOGIN_POLICY_STRICT" /etc/default/security`. If LOGIN_POLICY_STRICT=0, then the root user is not subject to the same login restrictions as non-root users. If no organizational exceptions for root are documented and LOGIN_POLICY_STRICT=0, then this is a finding. |
Fix Text (F-45394r2_fix) |
---|
If the system is operating in Trusted Mode, no fix is required. For SMSE: Edit the /etc/default/security file and add/modify the following attribute(s) and attribute values: `LOGIN_POLICY_STRICT=1`. Save the file before exiting the editor. |
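
The grep in the check text also prints commented-out lines and prints nothing when the attribute is missing, so its output still has to be interpreted. The following added example (not part of the STIG) evaluates only active assignments. The function name and result strings are hypothetical. It assumes `#` starts a comment, treats a missing attribute as not meeting the required value, and does not cover Trusted Mode or documented organizational exceptions.

```shell
#!/bin/sh
# Added example, not STIG text. Evaluates LOGIN_POLICY_STRICT in an SMSE
# security defaults file. Names and result strings are hypothetical.
#
# Prints one result and returns a matching status:
#   COMPLIANT    (0) the only active value assigned is 1
#   NONCOMPLIANT (1) value is not 1, attribute is absent, or file unreadable;
#                    a finding unless an exception for root is documented
#   REVIEW       (2) several active assignments with differing values
check_login_policy_strict() {
    file=${1:-/etc/default/security}
    [ -r "$file" ] || { echo "NONCOMPLIANT"; return 1; }

    # Drop comments (assumption: '#' starts a comment), trim surrounding
    # whitespace, then collect the distinct values assigned to the attribute.
    values=$(sed -e 's/#.*$//' \
                 -e 's/^[[:space:]]*//' \
                 -e 's/[[:space:]]*$//' "$file" |
             awk -F= '$1 == "LOGIN_POLICY_STRICT" { print $2 }' | sort -u)

    # Count non-empty distinct values (awk always exits 0, unlike grep -c).
    count=$(printf '%s\n' "$values" | awk 'NF { n++ } END { print n + 0 }')

    if [ "$count" -gt 1 ]; then
        echo "REVIEW"; return 2
    elif [ "$values" = "1" ]; then
        echo "COMPLIANT"; return 0
    fi
    echo "NONCOMPLIANT"; return 1
}

# Constructed sample: the only match is a comment, which a plain grep for
# the attribute name would still print.
sample=$(mktemp)
printf '%s\n' '# LOGIN_POLICY_STRICT=1' 'OTHER_ATTRIBUTE=1' > "$sample"
echo "sample file: $(check_login_policy_strict "$sample")"
rm -f "$sample"
```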