Updating WPAR

This section describes the procedure for making AIX workload partitions (WPAR) compliant with EAL4+.

Create the WPAR on a BAS system, and run the following command in WPAR to make it EAL4+ compliant:
/usr/lib/security/CC_EVALify.sh
When you run clogin on a LAS system for the first time, the firstboot scripts run (including CC_EVALify.sh).
The firstboot scripts cause clogin to run longer than usual when clogin calls TSM to log in. However, the WPAR is still in configuration mode, so the login is denied. You must wait approximately 10 minutes for the WPAR to complete the configuration before attempting another clogin.
For newly created WPAR systems, the default user options must be set to meet the evaluation requirements that include:
  • root in BAS mode
  • isso/sa/so in LAS mode
The root and isso users have no password or require weak passwords. The passwords must be updated before allowing untrusted users access to the global environment or the respective WPAR.
The evaluation password requirement is that the probability of correctly guessing a password must be at least one in 1,000,000, and the probability of correctly guessing a password during repeated attempts within one minute must be at least one in 100,000. To comply with the requirement, the user parameters in the /etc/security/user file are changed to:
default:
 maxage       = 8
 maxexpired   = 1
 minother     = 2
 minlen       = 8
 maxrepeats   = 2
 loginretries = 3
 histexpire   = 52
 histsize     = 20
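
One way to check a WPAR's /etc/security/user against the stanza above, as an added example that is not part of the original documentation and not an IBM tool. The function names and the sample file are constructed for illustration; the parser assumes the AIX stanza layout (a header ending in a colon, attr = value lines, comment lines starting with *).

```shell
# Required values for the default stanza, copied from the list above.
REQUIRED="maxage=8 maxexpired=1 minother=2 minlen=8 maxrepeats=2 loginretries=3 histexpire=52 histsize=20"

# audit_default_stanza [FILE]: read a stanza file (or stdin), print one line per
# missing or different attribute in "default:", return 0 only if all match.
audit_default_stanza() {
    awk -v required="$REQUIRED" '
        BEGIN { n = split(required, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); order[i] = kv[1]; want[kv[1]] = kv[2] } }
        /^[ \t]*\*/ { next }                       # comment lines start with "*"
        /^[^ \t].*:[ \t]*$/ {                      # stanza header such as "default:"
            name = $0; sub(/:[ \t]*$/, "", name)
            in_default = (name == "default"); next
        }
        in_default && /=/ {                        # attributes of the default stanza only
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            have[key] = val
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have)) { print "MISSING  " k " (want " want[k] ")"; bad++ }
                else if (have[k] != want[k]) { print "MISMATCH " k " = " have[k] " (want " want[k] ")"; bad++ }
            }
            exit (bad > 0)
        }
    ' "$@"
}

# Constructed sample: weak minlen and no histsize in default; the values in the
# root stanza must not be counted as satisfying the default stanza.
sample_user_file() {
    cat <<'EOF'
* constructed sample, not from a real system
default:
 maxage = 8
 maxexpired = 1
 minother = 2
 minlen = 0
 maxrepeats = 2
 loginretries = 3
 histexpire = 52
root:
 minlen = 8
 histsize = 20
EOF
}
sample_user_file | audit_default_stanza || echo "default stanza does not meet the listed values"
```

On the WPAR, run audit_default_stanza /etc/security/user; a nonzero return means at least one listed value is missing or different.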