policy

The policy command is used to configure and manage security policy settings. Policies are needed to define security criteria such as the required quality, length and composition of passwords. The security policies are: Password, Session, and Cryptographic Strength.

Security policies may be applied to bring the decoder to its CC evaluated configuration. During the hardening procedure, it is important for the administrator to set the policies before creating accounts.

Note

The policy command can only be used by an administrator.

Synopsis

policy password set [quality=basic] [minlen=6] [minuppers=0] [mindigits=0]
   [minsymbols=0] [expiry=yes] [lifetime=90] 
policy session set [autologout=yes] [idletimeout=15] 
policy crypto set [compliance=None] 
policy pname/all get

Actions

Action	Description
password set	Modifies the password policy parameters. A series of one or more `parameter=value` pairs can be specified at once. See password under Parameters below.
session set	Modifies the session policy parameters. A series of one or more `parameter=value` pairs can be specified at once. See session under Parameters below.
crypto set	Specifies the cryptographic policy. The `compliance` parameter can be specified. See crypto under policy Parameters below.
pname/all get	Displays the policy information for either the policy (i.e., `password`, `session`, or `crypto`) or the decoder.

Parameters

Parameter	Default	Description/Values
crypto
compliance	None	Specifies the required cryptographic compliance, either: None FIPS140: All management cryptography is operated in the FIPS 140-2 mode. NDPP11: Activates cryptographic security to a level compliant with the Network Device Protection Profile v1.1. SP800-52 Revision 1: Applies cryptographic modules accredited under the National Institute of Standards and Technology (NIST) Special Publication 800-52, Revision 1. Note Either selection will reinforce security for all management functions of the decoder in terms of cryptography. This setting will take effect upon the next reboot.
password
quality	Basic	The required password strength, either: Basic Strong
minlen	6	The minimum password length. Range: 6–40
minuppers	N/A if Basic -------------- 0 if Strong	(Password quality must be Strong) The minimum number of uppercase letters. Range: 0–40
mindigits	N/A if Basic -------------- 0 if Strong	(Password quality must be Strong) The minimum number of digits. Range: 0–40
minsymbols	N/A if Basic -------------- 0 if Strong	(Password quality must be Strong) The minimum number of symbols. Range: 0–40
expiry	No	Enables or disables password expiration: Yes, No
lifetime	90 days	(Password expiry must be Yes) The number of days after which users must change their passwords. Range: 1–180 days
remember	0	The number of stored passwords. Range: 5–400
session
autologout	No	Enables or disables Auto Logout: Yes, No
idletimeout	15 minutes	(autologout must be Yes) The maximum length of time the system may be idle before the user will be logged out. Range: 1–1440 minutes

policy Examples

# policy crypto set compliance=NDPP11

# policy password set quality=strong minlen=10 minuppers=1 minsymbols=1 expiry=yes lifetime=30

Sets the password policy for the decoder to be Strong, requiring passwords to be at least 10 characters in length, with one uppercase letter, one symbol. Passwords will expire in 30 days.

Related Topics

Managing Security Policies