An error occurred:

Check: GEN001440

HP-UX 11.31 STIG: GEN001440 (in versions v1 r19 through v1 r13)

Title

All interactive users must be assigned a home directory in the /etc/passwd file. (Cat III impact)

Discussion

If users do not have a valid home directory, there is no place for the storage and control of files they own.

Check Content

Verify the consistency of the assigned home directories in the authentication database. For Trusted Mode: # authck -av If any user is not assigned a home directory, this is a finding. For SMSE: # pwck If any user is not assigned a home directory, this is a finding.

Fix Text

For Trusted Mode: Determine why the user is not assigned a home directory. Possible actions include: account deletion or disablement. If the account is determined to be valid, manually create the home directory if required (mkdir directoryname, copy the skeleton files into the directory, chown account name for the new directory and the skeleton files) and assign to the user in the /etc/passwd file or take corrective action via the HP SMH/SAM utility. For SMSE: Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file. Determine why the user is not assigned a home directory. Possible actions include: account deletion or disablement. If the account is determined to be valid, manually create the home directory if required (mkdir directoryname, copy the skeleton files into the directory, chown account name for the new directory and the skeleton files) and assign to the user in the /etc/passwd file or take corrective action via the HP SMH/SAM utility. Additionally, use the SAM/SMH interface (/etc/default/security file) and/or the userdbset command (/var/adm/userdb/* files) to update the ABORT_LOGIN_ON_MISSING_HOMEDIR attribute. See the below example: ABORT_LOGIN_ON_MISSING_HOMEDIR=1 Note: Never use a text editor to modify any /var/adm/userdb database file. The database contains checksums and other binary data, and editors (vi included) do not follow the file locking conventions that are used to control access to the database. If manually editing the /etc/default/security file, save any change(s) before exiting the editor.

Additional Identifiers

Rule ID: SV-38488r2_rule

Vulnerability ID: V-899

Group Title: GEN001440

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000225

The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-6

Least Privilege