Security profiles

A security profile is a set of pre-configured values for parameters that control the security behavior of your system, such as how long passwords last, or what privileges are assigned to users. Once you choose a profile, you can switch to another profile, or change any one of the dozens of parameters on an individual basis.

System security profiles

		Security profiles
Security parameters	Low	Traditional	Improved	High
Passwords
Minimum days between changes	0	0	0	14
Expiration time (days)	infinite	infinite	42	42
Lifetime (days)	infinite	infinite	365	90
User can choose own	yes	yes	yes	no
User can run generator	yes	yes	yes	yes
Maximum generated length	8	8	10	10
Minimum length	1	3	5	8
Password triviality checks	none	System V	goodpw weak[1]	goodpw strong[2]
Password obviousness checks	-	no	no[1]	yes[2]
Password required to login	no	no	yes	yes
Single user password required	yes	yes	yes	yes
Logins
Maximum unsuccessful attempts (account/terminal)	infinite	99	5/9	3/5
Delay between login attempts (secs) -- terminal only	0	1	2	2
Time to complete login (secs) -- terminal only	60	60	60	60
Authorizations
Primary	backup, lp, mem, terminal	mem, terminal,	none	none
Secondary	audittrail, queryspace, shutdown, su	audittrail, printqueue, queryspace, su	audittrail, queryspace, printqueue, su	queryspace
Privileges
	chmodsugid, chown, execsuid, suspendaudit	chmodsugid, chown, execsuid	chmodsugid, chown, execsuid	chown, execsuid
Default umask[3]	022	022	027	077
C2 Features
LUID enforcement[4]	no	no	no	yes
STOPIO on devices[4]	no	no	no	no
SUID/SGID clear on write[4]	no	yes	yes	yes
Users can be deleted[5]	yes	yes	no	no
Database corruption[6]	recover	recover	lockout	lockout
Database precedence[7]	System V	System V	TCB	TCB
Other
Users can schedule jobs	allow	allow	deny	deny
Home directory permissions	755	755	750	700
Dialup printers allowed	yes	yes	no	no
Hushlogin allowed[8]	yes	yes	yes	no
Password for asroot(ADM)	no	no	no	yes
Significant characters in passwords	8	8	80	80
su(C) use logged	no	yes	yes	yes
/etc/shadow present	no	yes	yes	yes

Notes:

1. Simple checks are made, such as ensuring at least three characters differ and that at least one character be non-alphabetic.

2. Thorough checks are made, including disallowing words that appear in the online dictionary.

3. These are located in /etc/profile and /etc/cshrc. A umask of 077 results in the creation of files that are readable only by the owner.

4. These features are explained in ``Disabling C2 features''.

5. A requirement central to C2 is that a user ID (UID) cannot be reused. This means that user accounts cannot be reused or reactivated after retirement. With the lower security profiles, user accounts can be removed rather than retired and user IDs can be altered or reused.

6. On a system that conforms to C2 requirements, users are locked out of a system when a security database becomes corrupted. This ensures that the system does not operate in a potentially non-secure state. In the lower defaults, the system attempts to correct inconsistencies automatically and displays a warning rather than locking out users.

7. Two sets of account databases are maintained: UNIX System V and trusted computing base (TCB) files. One set is used as a master when a discrepancy occurs. This is described in ``Configuring database precedence and recovery''.

8. This feature allows the suppression of login messages. See the login(M) manual page for information.