policy
The policy command is used to configure and manage security policy settings for passwords, session timeout, cryptographic strength, and other security criteria for user accounts. These policies apply to all user accounts; therefore, it is recommended to set the policies before beginning to create accounts.
Security policies may be applied to bring the Makito X Series device to its Common Criteria (CC) evaluated configuration.
Note
The policy command can only be used by an administrator.
Synopsis
policy account set [disableinactive=no] [inactivitytimeout=90] |
Actions
| Action | Description |
|---|---|
| account set | Configures the Makito X device to automatically disable user accounts after the specified number of days of account inactivity. |
password set | Modifies the password policy parameters. A series of one or more |
session set | Modifies the session policy parameters. A series of one or more |
crypto set | Specifies the cryptographic policy. The |
| https set | Enables HTTP Strict Transport Security (HSTS). When enabled, HSTS forces web browsers to only contact the Web interface over HTTPS, instead of using HTTP. |
pname/all get | Displays the policy information for either the policy (i.e., password, session, or crypto) or the Makito X device. |
Parameters
| Parameter | Default | Description/Values |
|---|---|---|
crypto | ||
compliance | None | Specifies the required cryptographic compliance, either:
Note Either selection reinforces security for all management functions of the device in terms of cryptography. This setting takes effect upon the next reboot. |
sslv3 | See Note | Enables or disables SSLv3 as a supported TLS version: Yes, No Note SSLv3 is disabled on factory new systems. On upgraded systems, SSLv3 is enabled only if upgrading a system where no (None) cryptographic compliance is configured. SSLv3 can be enabled only if compliance is set to None. |
| Specifies which TLS (Transport Layer Security) versions are accepted from the HTTPS client. At least one TLS version must be enabled. | ||
tlsv1.0 | Yes | Enables or disables TLSv1.0 as a supported TLS version: Yes, No |
tlsv1.1 | Yes | Enables or disables TLSv1.1 as a supported TLS version: Yes, No |
tlsv1.2 | Yes | Enables or disables TLSv1.2 as a supported TLS version: Yes, No |
| https | ||
hsts | No | Enables or disables HTTP Strict Transport Security (HSTS). When enabled, HSTS forces web browsers to only contact the Web interface over HTTPS, instead of using HTTP. Note When preparing a Makito X Series device for hardening, you need to enable the HSTS policy. |
| account | ||
| disableinactive | no | Enables or disables automatic disabling of user accounts after the specified number of days of account inactivity: Yes, No |
| inactivitytimeout | 90 | Specifies the number of days (since the last login) after which the user account will be disabled: 1..365 days Disabled accounts can be re-enabled either via the “ Tip The system adds one (1) day (or 24hour grace period) to the setting configured by the user. |
| password | ||
quality | Basic | Specifies the required password strength, either:
|
minlen | 6 | Specifies the minimum password length. Range: 6..40 |
minuppers | See Note | (quality must be Strong) Specifies the minimum number of uppercase letters. Range: 0..40 Note Default is N/A if quality=Basic, 0 if quality=Strong. |
mindigits | See Note | (quality must be Strong) Specifies the minimum number of digits. Range: 0..40 Note Default is N/A if quality=Basic, 0 if quality=Strong. |
minsymbols | See Note | (quality must be Strong) Specifies the minimum number of symbols. Range: 0..40 Note Default is N/A if quality=Basic, 0 if quality=Strong. |
expiry | No | Enables or disables password expiration: Yes, No |
lifetime | 90 days | (expiry must be Yes) Specifies the number of days after which users must change their passwords. Range: 1..180 days |
| minlifetime | 0 | (quality must be Strong) Specifies the minimum number of days before a password can be changed, i.e., the minimum lifetime of the password. Range: 0 (no restriction)..7 days |
remember | 5 | (quality must be Strong) Saves the specified last number of passwords used for the Makito X device, and prevents users from changing their password to any password used within the specified history count. Range: 5..400 |
| session | ||
autologout | No | Enables or disables Auto-Logout after the specified length of time: Yes, No Note Enabling the Auto-Logout Session policy also limits the number of concurrent sign-ins per account to 4. |
idletimeout | 15 minutes | (autologout must be Yes) Specifies the maximum length of time the system must be idle before the user is logged out: Range: 1..1440 minutes |
| limitpwdretries | No | Enables or disables limiting the number of consecutive failed sign-in attempts by a user during the specified time period. This may be used to reduce the risk of unauthorized system access via user password guessing: Yes, No |
| maxpwdretries | 3 | (limitpwdretries must be Yes) Specifies the maximum number of consecutive failed sign-in attempts allowed during the specified time interval. Range: 3..10 |
| pwdfailinterval | 15 | (limitpwdretries must be Yes) Specifies the time period during which the consecutive failed sign-in attempts will be counted to lock out the account. Range: 5..60 minutes |
Examples
# policy crypto set compliance=NDPP11Sets the required cryptographic compliance to Network Device Protection Profile v1.1. |
# policy password set quality=strong minlen=10 minuppers=1 minsymbols=1Sets the password policy to be Strong, requiring passwords to be at least 10 characters in length, with one uppercase letter, one symbol. Passwords will expire in 30 days. |
# policy all getReturns policy information for the Makito X device such as: Crypto: |