
userdb database must not be used to override the system-wide variables in the security file, unless required.


Overview

Finding ID: V-40350
Version: GEN000000-HPUX0200
Rule ID: SV-52330r1_rule
IA Controls: DCSW-1
Severity: Medium
Description
The user database stores per-user information. It consists of the /var/adm/userdb directory and the files within it. A per-user value in /var/adm/userdb will override any corresponding system-wide default configured in the /etc/default/security file. Allowing per-user files to relax system-wide security settings creates potential security gaps that can compromise overall system security.
STIG: HP-UX 11.31 Security Technical Implementation Guide
Date: 2018-03-01

Details

Check Text ( C-46983r1_chk )
If the system is operating in Trusted Mode, this check is not applicable.

For SMSE:
Check the /var/adm/userdb database for individual user settings:
# /usr/sbin/userdbget -a

If the “userdb” database is used exclusively to enhance/tighten the security requirements defined in the /etc/default/security file (see the following example), this is not a finding.
Example: /etc/default/security requires a MIN_PASSWORD_LENGTH attribute setting of N=14 and specific per-user attribute values in /var/adm/userdb are set to 15.

If any returned per-user value is less restrictive than the required attribute setpoint in the /etc/default/security file (see the following example), this is a finding.
Example: /etc/default/security requires a MIN_PASSWORD_LENGTH attribute setting of N=14 and specific per-user attribute values in /var/adm/userdb are set to 13.
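The comparison this check describes, carried over more attribute kinds than the single MIN_PASSWORD_LENGTH case above (an added illustration, not part of the STIG or of any HP-UX tool): it reads constructed stand-ins for /etc/default/security and for userdbget -a output and flags per-user values that are less restrictive than the system-wide default. The userdbget output layout and the per-attribute "which direction is stricter" table are assumptions.

```python
# Direction that counts as "stricter" per attribute (assumption; numeric attributes only).
STRICTER = {
    "MIN_PASSWORD_LENGTH": "higher",  # longer minimum is stricter
    "PASSWORD_MAXDAYS": "lower",      # shorter maximum age is stricter
    "AUTH_MAXTRIES": "lower",         # fewer allowed failures is stricter
}
# Constructed sample standing in for /etc/default/security.
SECURITY_DEFAULTS = """\
# system-wide defaults (constructed excerpt)
MIN_PASSWORD_LENGTH=14
PASSWORD_MAXDAYS=60
AUTH_MAXTRIES=3
"""
# Constructed sample of '/usr/sbin/userdbget -a' output (assumed layout: user ATTR=value ...).
USERDB_OUTPUT = """\
alice MIN_PASSWORD_LENGTH=15
bob MIN_PASSWORD_LENGTH=13
carol PASSWORD_MAXDAYS=90 AUTH_MAXTRIES=3
"""

def parse_security_defaults(text):
    """Return {ATTR: value} from KEY=VALUE lines, ignoring comments and blanks."""
    defaults = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            defaults[key.strip()] = value.strip()
    return defaults

def parse_userdb(text):
    """Return {user: {ATTR: value}} from the assumed userdbget layout."""
    entries = {}
    for parts in (line.split() for line in text.splitlines()):
        if parts:
            entries.setdefault(parts[0], {}).update(
                item.split("=", 1) for item in parts[1:] if "=" in item)
    return entries

def find_relaxed_overrides(defaults, userdb):
    """Return (user, attr, per_user, system) wherever a per-user value is weaker."""
    findings = []
    for user, attrs in userdb.items():
        for attr, raw in attrs.items():
            if attr in defaults and attr in STRICTER:
                per_user, system = int(raw), int(defaults[attr])
                weaker = per_user < system if STRICTER[attr] == "higher" else per_user > system
                if weaker:
                    findings.append((user, attr, per_user, system))
    return findings
```

On the sample input, alice's longer minimum is not reported, while bob's shorter minimum and carol's longer password lifetime are.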
Fix Text (F-45321r1_fix)
If the system is operating in Trusted Mode, no fix is required.

For SMSE:
Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file.

Delete any configured users from the /var/adm/userdb database:
# /usr/sbin/userdbset -d -u

Restart auditing:
# /sbin/init.d/auditing stop
# /sbin/init.d/auditing start