UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must display the date and time of the last successful account login upon login by means other than SSH.


Overview

Finding ID Version Rule ID IA Controls Severity
V-40493 GEN000000-HPUX0460 SV-52482r3_rule Medium
Description
Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.
STIG Date
HP-UX 11.31 Security Technical Implementation Guide 2018-03-01

Details

Check Text ( C-47029r3_chk )
Protected password database files are maintained in the /tcb/files/auth hierarchy. This directory contains other directories each named with a single letter from the alphabet. User profiles are stored in these directories based on the first letter of the user account name. Check the user attributes for the time and source of the last (successful and unsuccessful) login. This information is presented during login. All attributes are generated by the system in an integer format (system time). See the example commands below:

For successful logins:
# egrep "u_succhg#[0-9]+:" /tcb/files/auth/[a-z,A-Z]/*

For unsuccessful login attempts:
# egrep "u_unsucchg#[0-9]+:" /tcb/files/auth/[a-z,A-Z]/*


If any users are missing the above attributes or attribute integer data, this is a finding.

For SMSE:
Check for the following attribute and attribute value:
DISPLAY_LAST_LOGIN=1
# grep "DISPLAY_LAST_LOGIN" /etc/default/security /var/adm/userdb/*

If the DISPLAY_LAST_LOGIN attribute is set to 0, this is a finding.
Fix Text (F-45442r1_fix)
For Trusted Mode:
Use the SAM/SMH interface to ensure the attributes are added to all user /tcb profiles.

For SMSE:
Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file.

Use the SAM/SMH interface (/etc/default/security file) and/or the userdbset command (/var/adm/userdb/* files) to update attribute. See the below example:
DISPLAY_LAST_LOGIN=1

Note: Never use a text editor to modify any /var/adm/userdb database file. The database contains checksums and other binary data, and editors (vi included) do not follow the file locking conventions that are used to control access to the database.

If manually editing the /etc/default/security file, save any change(s) before exiting the editor.