System Administration Guide
Chapter 1, Administering user accounts

Changing the system security profile

You were asked to choose a security profile at installation time. It is possible to later select a different profile by using the Security Profile Manager located in the System/Security directory of the SCOadmin hierarchy.

Use the Current security profile button to change the profile and select Save from the Security menu to save the new profile. You may be asked to reboot your system before the change takes effect.


WARNING: After using lower security profiles it is possible to select the Improved or High defaults, but this does not mean your system conforms to the requirements of a C2 system. By definition, a C2 system must adhere to the requirements from initial installation. This is because modifications made to the system while at the lower level potentially violate the requirements associated with the higher level.

These profiles are available:

High
Recommended for systems containing confidential information and accessed by many users. Passwords are strictly controlled and assigned to users; users cannot choose their own. User accounts cannot be removed or reactivated. All C2 features are engaged, and account database corruption results in a lockout of all users until the administrator fixes the problem.

Improved
Recommended for systems accessed by groups of users who can share information. Password expiration is more lenient and users can choose their own passwords. LUIDs are not enforced, and user accounts can be removed or reactivated as desired. Account database corruption results in system lockout.

Traditional
Provided for compatibility with other UNIX systems. Passwords do not expire and standard System V password checking is used. Passwords are not required. Database corruption is handled transparently.

Low
Recommended only for systems which are not publicly accessible and which have a small number of cooperating users. No C2 features are engaged and no password checking is done. The /etc/shadow file does not exist by default.

The High and Improved defaults are designed to meet the requirements set forth by the Department of Defense's Trusted Computer System Evaluation Criteria (also known as TCSEC or the Orange Book).

You can change the security profile from the command line using relax(ADM). For example, this command sets the Improved profile:

relax improved

The security profiles are merely a set of values that can be customized as desired. If the message "The security subsystem has been modified" appears on the screen, it means that you have made changes to individual security parameters. Customized values are overwritten when you select a new profile.