Site Policies

You can specify the following site policies related to user activity using the cfg-utils utility:

To configure a setting for any of the following policies, run:

/opt/lce/tools/cfg-utils --set-sv <configuration attribute> '<value>'

For more information about the cfg-utils utility and its usage, see cfg-utils.

Audit Log Policy

You can configure the audit log policy to choose what user activities are logged, how often audit log backups are created, and whether the audit log is updated in real time.

You can view the complete audit log at any time by running user-utils --print-audit-log. For more information about the user-utils utility, see user-utils.

By default, LCE tracks the following user activities in the audit log:

  • account administration, such as adding and unlocking accounts
  • session-scope actions with failure outcome, such as login failures or users logged out involuntarily
Configuration attribute: web_UI__account__audit_session_everything
Default: false
Description: If enabled, LCE tracks the following additional activities:

  • session-scope actions with success outcome (logged in, logged out)
  • session token management actions (created token, destroyed token, ...)

Configuration attribute: audit_log__backup_destination_directory
Default: none
Description: If a directory is specified, LCE saves the entire audit log to a file in that directory every audit_log__backup_interval__days days.

Note: The name of the audit log file includes the timestamp of when the file was created. For example: /mnt/backups-nas/compliance/Tenable/LCE_Audit_Log__2020May27_00h31m02s.txt.

Configuration attribute: audit_log__backup_interval__days
Default: 7
Description: In days, sets how frequently LCE saves the audit log file to the directory you specify using audit_log__backup_destination_directory.

Configuration attribute: audit_log__notify_updates
Default: false
Description: If enabled, LCE writes each audit log entry to the host's syslog as it is created, in real time. Site administrators can use this setting to receive notifications of new audit log entries.

Password Format Policy

You can configure the password format policy to customize user password requirements.

Configuration attribute: web_UI__password__minimum_length
Default: 4
Description: Specifies the minimum number of characters that must be used when creating user passwords.

Configuration attribute: web_UI__password__enforce_complexity
Default: false
Description: When enabled, user passwords must contain at least one of each of the following:

  • An uppercase letter
  • A lowercase letter
  • A numerical character
  • A special character

Password Reuse Policy

You can configure the password reuse policy to specify how long passwords can be used, how frequently the same password can be reused, and how much new passwords must differ from previously-used passwords.

Configuration attribute: web_UI__password__minimum_lifetime__hours
Default: 0
Description: Specifies the number of hours a user must wait before changing their password again after the last non-administrative password change.

Note: Administrators can change another user's password at any time, regardless of this setting.

Configuration attribute: web_UI__password__max_lifetime__days
Default: 0
Description: Specifies how frequently users must change their passwords. If a user has not changed their password within the specified number of days, the user account locks automatically. For more information, see Locked User Accounts.

Configuration attribute: web_UI__password__fewest_changes_ere_reuse
Default: 1
Description: Specifies how frequently users can reuse the same password. By default, users cannot use the same password twice in a row. For example, if the value is set to 2, the user must use two other unique passwords before using the same password again.

Configuration attribute: web_UI__password__minimum_edit_distance
Default: 0
Description: When set, requires new passwords to differ from previous passwords by at least the specified edit distance. A new password must have at least that many characters that differ from the previous password.

Login Session Policy

You can configure the login session policy to specify when user accounts are locked due to failed login attempts, set the maximum number of concurrent sessions per user, and set user accounts to be locked or logged out following a period of inactivity.

For more information about locked user accounts, see Locked User Accounts.

Configuration attribute: web_UI__login__max_failures_during_window
Default: 0
Description: Specifies the number of times a user can attempt to log in during a window of web_UI__login__failure_window_size__minutes minutes before their account is locked.

Configuration attribute: web_UI__login__failure_window_size__minutes
Default: 15
Description: Specifies the length, in minutes, of the login window during which a user has web_UI__login__max_failures_during_window chances to log in before their account is locked.

Configuration attribute: web_UI__login__max_concurrent_sessions
Default: 5
Description: Specifies the maximum number of concurrent login sessions per user.

Configuration attribute: web_UI__account__lock_if_inactive__hours
Default: 0
Description: When set, LCE locks the account of any user who has not been active (logged in and interacting with the LCE web UI) in the specified number of hours.

Configuration attribute: webserver__idle_session_timeout__minutes
Default: 60
Description: Specifies the number of minutes a user can be idle before being automatically logged out.

If web_UI__login__max_failures_during_window is greater than 0, LCE automatically locks the account of any user who has attempted but failed to log in web_UI__login__max_failures_during_window times within a web_UI__login__failure_window_size__minutes-minute period. For more information, see Locked User Accounts.
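The following shell script is an added example, not part of the Tenable documentation or the cfg-utils tool. It takes the attribute names, value types and cfg-utils --set-sv syntax described on this page and builds a small, validated wrapper around them: a type check for each attribute, a weak-setting check for the defaults that leave lockout and password expiry disabled, and a baseline that prints (or, with DRY_RUN=0, runs) the cfg-utils commands. The CFG_UTILS path defaults to the one on this page; the baseline values themselves are the example author's choices, not vendor recommendations.

```shell
#!/bin/sh
# Added example: validated wrapper around "cfg-utils --set-sv" for the LCE
# site policies described on this page. Not Tenable's code.
# Assumptions: attribute names and value kinds as documented above;
# baseline values below are constructed, not vendor defaults or advice.

CFG_UTILS="${CFG_UTILS:-/opt/lce/tools/cfg-utils}"

# Map a documented attribute to its value kind: bool, int or dir.
# Unknown attributes fail (non-zero return, no output).
policy_type() {
  case "$1" in
    web_UI__account__audit_session_everything|audit_log__notify_updates|web_UI__password__enforce_complexity)
      echo bool ;;
    audit_log__backup_destination_directory)
      echo dir ;;
    audit_log__backup_interval__days|web_UI__password__minimum_length|web_UI__password__minimum_lifetime__hours|web_UI__password__max_lifetime__days|web_UI__password__fewest_changes_ere_reuse|web_UI__password__minimum_edit_distance|web_UI__login__max_failures_during_window|web_UI__login__failure_window_size__minutes|web_UI__login__max_concurrent_sessions|web_UI__account__lock_if_inactive__hours|webserver__idle_session_timeout__minutes)
      echo int ;;
    *) return 1 ;;
  esac
}

# Succeed only if $2 is a well-formed value for attribute $1.
valid_value() {
  case "$(policy_type "$1")" in
    bool) case "$2" in true|false) return 0 ;; esac ;;
    int)  case "$2" in ''|*[!0-9]*) ;; *) return 0 ;; esac ;;
    dir)  case "$2" in /*) return 0 ;; esac ;;
  esac
  return 1
}

# Print the exact cfg-utils invocation for one setting; fail on bad input
# so a typo in an attribute name never reaches the tool.
policy_cmd() {
  valid_value "$1" "$2" || return 1
  printf "%s --set-sv %s '%s'\n" "$CFG_UTILS" "$1" "$2"
}

# Succeed (and say why) when a setting leaves a weak posture that this page
# documents: lockout disabled, passwords that never expire, short minimums.
weak_setting() {
  case "$1:$2" in
    web_UI__login__max_failures_during_window:0)
      echo "lockout after failed logins is disabled" ;;
    web_UI__password__max_lifetime__days:0)
      echo "passwords never expire" ;;
    web_UI__password__minimum_length:*)
      if [ "$2" -lt 12 ]; then echo "minimum password length below 12"; else return 1; fi ;;
    *) return 1 ;;
  esac
}

# Constructed baseline: one "attribute value" pair per line.
baseline() {
  cat <<'EOF'
web_UI__account__audit_session_everything true
audit_log__notify_updates true
web_UI__password__minimum_length 12
web_UI__password__enforce_complexity true
web_UI__password__fewest_changes_ere_reuse 5
web_UI__login__max_failures_during_window 5
web_UI__login__failure_window_size__minutes 15
webserver__idle_session_timeout__minutes 15
EOF
}

# DRY_RUN=1 (default) prints the commands for review; DRY_RUN=0 runs them.
# Stops at the first invalid pair instead of applying a partial baseline.
apply_baseline() {
  baseline | while read -r attr value; do
    cmd=$(policy_cmd "$attr" "$value") || { echo "invalid: $attr=$value" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
  done
}

# Run directly: show the baseline commands without touching the host.
[ "${0##*/}" = "lce_policy.sh" ] && apply_baseline
```

Review the dry-run output before setting DRY_RUN=0, and run weak_setting against the current values (for example from user-utils or cfg-utils output) to spot the zero defaults that disable lockout and expiry.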