UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

userdb database must not be used to override the system-wide variables in the security file, unless required.


Overview

Finding ID Version Rule ID IA Controls Severity
V-40350 GEN000000-HPUX0200 SV-52330r1_rule DCSW-1 Medium
Description
The user database stores per-user information. It consists of the /var/adm/userdb directory and the files within it. A per-user value in /var/adm/userdb will override any corresponding system-wide default configured in the /etc/default/security file. Allowing per-user files to relax system-wide security settings creates potential security gaps that can compromise overall system security.
STIG Date
HP-UX SMSE Security Technical Implementation Guide 2014-02-28

Details

Check Text ( C-46983r1_chk )
If the system is operating in Trusted Mode, this check is not applicable.

For SMSE:
Check the /var/adm/userdb database for individual user settings:
# /usr/sbin/userdbget -a

If the “userdb” database is used exclusively to enhance/tighten the security requirements as defined in the /etc/default/security file (see the following example), this is not a finding.
Example: /etc/default/security requires a MIN_PASSWORD_LENGTH attribute setting of N=14 and specific per user attribute values in /var/adm/userdb are set to 15.

If any user information is returned that is greater than the required attribute setpoint in the/etc/default/security file (see the following example), this is a finding.
Example: /etc/default/security requires a MIN_PASSWORD_LENGTH attribute setting of N=14 and specific per user attribute values in /var/adm/userdb are set to 13.
Fix Text (F-45321r1_fix)
If the system is operating in Trusted Mode, no fix is required.

For SMSE:
Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file.

Delete any configured users from the /var/adm/userdb database:
# /usr/sbin/userdbset -d -u

Restart auditing:
# /sbin/init.d/auditing stop
# /sbin/init.d/auditing start