QuickSpecs

The Tru64 UNIX Operating System, running Enhanced Security, is designed to meet, and in some cases exceed, the
requirements of the C2 evaluation class of DoD 5200.28-STD "Trusted Computer System Evaluation Criteria," also known
as the Orange Book.
Tru64 UNIX supports various configurations and setup scripts, which allow selection of such desired Enhanced Security
features as extended passwords, audit, and access control lists (ACLs).
System administrators can choose between command-line interfaces or GUIs.
Network Information Service (NIS) Compatibility
Tru64 UNIX provides support for accessing NIS distributed databases while running Enhanced Security. NIS can also be
used to distribute the Enhanced Security protected password database. The number of simultaneous logins allowed
depends on the configuration.
Security Integration Architecture
All security mechanisms on Tru64 UNIX are part of the Security Integration Architecture (SIA), which isolates
security-sensitive commands from the specific security mechanisms. This eliminates the need to modify the
security-sensitive commands for each new security mechanism.
Secure Shell Software — SSH V1.1 is bundled with the operating system and is based on Secure Shell Version 2.4.1
software. The Secure Shell software is a client/server software application that provides a suite of secure network
commands that can be used in addition to or in place of traditional network commands (such as telnet, ftp and the r*
commands). The Tru64 UNIX Secure Shell Version 1.1 software implementation is cluster aware and includes
one-of-a-kind support for securing the rcmd libc function. When enabled, it transparently secures any application that
uses the libc rcmd function, including the r* commands (rsh, rcp, and rlogin).
Common Data Security Architecture (CDSA) — CDSA has been integrated into the base operating system.
Tru64 UNIX includes the following C2 security features:
Discretionary Access Controls (DAC) — Allows users to define how the resources they create can be shared.
Optional ACLs provide greater granularity of file system object protection at the individual user level than the default
DAC protection. The ACL mechanism is designed to POSIX.1e draft 13 with some draft 15 enhancements.
Auditing — Allows users to monitor normal and unauthorized usage of a system with a choice of a GUI or
command-line interface.
Identification and Authentication — Password length and lifetime are based on the Department of Defense
Password Management Guideline (Green Book). Features include extensive login controls, such as automatic account
lockout, account vacationing, per-terminal settings for delays and maximum consecutive failed logins, password usage
history, and system-generated passwords.
Object Reuse — Ensures that the physical storage that is assigned to shared objects or that is released prior to
reassignment to another user does not contain data from previous users.
Integrity — Allows users to validate the correct operation of hardware, firmware, and software components of the
Trusted Computing Base (TCB).
System Architecture — A separate execution domain is maintained for the Trusted Computing Base (TCB)
components using hardware memory management to protect the TCB while it is executing.
HP Tru64 UNIX Operating System Version V5.1B
Security
DA - 11939 U.S. QuickSpecs — Version 1 — 4/8/2004