HP-UX System Administrator's Guide: Security Management HP-UX 11i Version 3 HP Part Number: B3921-90020 Published: September 2010 Edition: 6
© Copyright 2010 Hewlett-Packard Development Company L.P Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this document, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
About this Document Publication History The document publication date and part number indicate its current edition. The publication date will change when a new edition is released. To ensure that you receive the new editions, you should subscribe to the appropriate product support service. Contact your HP sales representative for details. You can find the various versions of this document at: http://www.hp.com/go/hpux-core-docs Click HP-UX 11i v3.
March 2008, Part Number 5992–3387
• Divided the document into three parts: Protecting Systems, Protecting Data, and Protecting Identity.
• Added a chapter to document HP-UX Standard Mode Security Extensions (see Chapter 3).
• Replaced Security Patch Check with Software Assistant.
• Added a figure to show the HP-UX Bastille user interface.
• Added the HP-UX Bastille configuration log file assessment-log.config.
• Made various edits.
About This Document Set The HP-UX System Administrator's Guide documents the core set of tasks (and associated concepts) necessary to administer systems running HP-UX 11i Version 3. It is comprised of the following volumes:
• Overview: provides a high-level view of HP-UX 11i, its components, and how they relate to each other.
• Configuration Management
• Logical Volume Management
• Security Management
• Routine Management Tasks
HP-UX 11i Release Names and Release Identifiers With HP-UX 11i, HP delivers a highly available, secure, and manageable operating system. HP-UX 11i supports enterprise, mission-critical, and technical computing environments and is available on both HP 9000 systems and HP Integrity servers. Each HP-UX 11i release has an associated release name and release identifier. The uname command with the -r option returns the release identifier.
Finding HP-UX Information The following table outlines where to find general system administration information for HP-UX. However, it does not include information for specific products.
If you need to find out:
• What has changed in HP-UX releases
• The contents of the Operating Environments
• Firmware requirements and supported systems for a specific release
Refer to: The HP-UX 11i Release Notes
Located at:
• HP Instant Information media specific to your version of HP-UX
• http://www.hp.com/go/
Related security documents:
• HP-UX AAA Server Administrator's Guide
• HP-UX Host Intrusion Detection System Administrator's Guide
• HP-UX IPFilter Administrator's Guide
• HP-UX IPSec Administrator's Guide
• HP-UX Secure Shell Release Notes
Conventions This document uses the following typographical conventions.
reboot(1M) An HP-UX manpage. reboot is the name and 1M is the section in the HP-UX Reference. On the Web and on the Instant Information media, it may be a hot link to the manpage itself.
Part I Protecting Systems One critical factor in enterprise security is system minimization and hardening. HP-UX 11i offers a set of security features designed to address known and unknown vulnerabilities by running only the services that are needed, thus minimizing a potential point of attack.
1 Installing the HP-UX Operating Environment Securely This chapter describes security considerations related to the boot and installation processes, including the following topics:
• Installation security considerations (Section 1.1)
• Preventing security breaches during the boot process (Section 1.2)
• Enabling login security for root (Section 1.3)
• Using boot authentication to prevent unauthorized access (Section 1.4)
• Setting Install-Time Security options (Section 1.
files are altered incorrectly or maliciously before the reboot, the system can have problems during and after the reboot. Therefore, perform these preventative tasks:
• Make sure the system and system console are physically secure and that only authorized users have access.
• Enable the boot authentication feature to allow only specified users to boot the system to single-user mode. See Section 1.4.
• Make sure system files are write protected; some might need to be read protected.
1.4 Using Boot Authentication to Prevent Unauthorized Access The boot authentication feature protects single-user mode boot with password authentication. It makes it possible to configure a system so that only authorized users are allowed to boot the machine into single-user mode. The boot authentication feature must be enabled before you reboot the system. Boot authentication is configured by two attributes in the /etc/default/security file:
• BOOT_AUTH enables or disables boot authentication.
Click HP-UX IPFilter Software. 1.6 Installing Security Patches Immediately after installation, apply the required and recommended patches using HP-UX Software Assistant (SWA). SWA is a command-line-based tool that consolidates and simplifies patch management and security bulletin management on HP-UX systems. The SWA tool replaces Security Patch Check (SPC), and is the HP-recommended utility to use to maintain currency with HP-published security bulletins for HP-UX software.
• Be aware that the frecover command allows you to overwrite a file. However, the file retains the permissions and ACLs set when the file was backed up.
• Test the recovery process beforehand to make sure you can fully recover data in the event of an emergency.
• When recovering files from another machine, you might have to execute the chown command to set the user ID and group ID for the system on which they now reside, if the user and group do not exist on the new system.
2 Administering User and System Security This chapter addresses basic user security after the operating system is installed. It focuses on logins, passwords, and other user interactions with the system. The following topics are discussed:
• Managing user access (Section 2.1)
• Authenticating users during login (Section 2.2)
• Authenticating users with PAM (Section 2.3)
• Managing passwords (Section 2.4)
• Defining system security attributes (Section 2.
• Ensure that all users understand the security policies.
• Place a company security policies file in each home directory.
• Examine the /etc/passwd file or other appropriate user database for unused accounts, and especially for users who have left the company.
• Examine root accounts to see who has root access.
• Consider implementing HP-UX Role-based Access Control to minimize the risks associated with multiple users having access to the root account. For more information, see Chapter 8.
• User name
• Encrypted password
• User ID
• Group ID
• Comment field
• Home directory
• Login program
Typically, the login program is a shell, such as /bin/sh, but it does not have to be a shell. You can create a captive account—an account that logs a user directly into an application—by identifying the application as the login shell. Following is an example of restricting a user to run only the date command. The /etc/passwd entry is:
username:rc70x.
2.2.1 Explanation of the Login Process The following steps describe the login process. This information shows how important it is to create unique user names and to maintain a password security policy. For more information, refer to login(1).
1. After the system is installed, the desktop Login Manager displays a login screen. The Common Desktop Environment (CDE) displays a CDE login screen if it is installed.
2. The init program spawns a getty process, which prompts you for a user name.
3.
as /bin/ksh, /bin/csh, or /bin/sh. If the command field is empty, the default is /bin/sh. The command field does not have to be a shell. See Section 2.1.3 for an example of running another command. 8. After the shell initialization is complete, the system displays a prompt and waits for user input. You can have the login process perform further user authentication using the Pluggable Authentication Modules (PAM). For more information, see pam.conf(4) and Section 2.3. 2.2.
abcdeux   console   Mon Mar 12 10:13 - 10:19  (00:06)
root      pts/2     Fri Mar  9 13:51 - 15:12  (01:21)
abcdeux   console   Thu Mar  8 12:21 - 12:22  (00:00)
root      pts/ta    Wed Mar  7 15:38 - 18:13  (02:34)
The following command lists when reboots have occurred:
# last reboot
reboot    system boot   Sun Mar 28 18:06   still logged in
reboot    system boot   Sun Mar 28 17:48 - 18:06  (00:17)
reboot    system boot   Sun Mar 28 17:40 - 17:48  (00:08)
reboot    system boot   Thu Feb 19 18:25 - 17:40  (37+23:15)
reboot    system boot   Mon Feb 16 13:56 - 1
Programs requiring user authentication pass their requests to PAM, which determines the correct verification method and returns the appropriate response. The programs do not need to know what authentication method is being used. See Figure 2-1 for an overview.
Figure 2-1 HP-UX Authentication Modules Under PAM (the authentication services passwd, su, login and telnet send a request for validation to the PAM library, which dispatches it to the UNIX module libpam_unix.1, the DCE module, or the Kerberos module)
Use the PAM configuration file, /etc/pam.
2.3.2 PAM Libraries PAM service modules are implemented by shared libraries. PAM enables multiple authentication technologies to co-exist in HP-UX. The /etc/pam.conf configuration file determines which authentication module to use. The PAM libraries are as follows:
• PAM_DCE: The PAM_DCE modules enable integration of DCE into the system entry services (such as login, telnet, rlogin, ftp). The PAM_DCE modules provide functionality for the authentication, account management, and password management modules.
Click HP-UX 11i v3 Networking Software.
• PAM_RADIUS: The HP-UX PAM RADIUS module provides authentication and session management for PAM-enabled applications (typically system entry services such as login and ftp) through a RADIUS server, using the pam.conf configuration file. The HP-UX PAM RADIUS module consists of the following two modules:
— Authentication module
— Session management module
It also provides a null function for account management.
-r--r--r-- 1 root sys 1050 Nov 8 10:16 /etc/pam.conf If this file is corrupt or missing from the system, root can log in to the console in single-user mode to fix the problem. The protected service names are listed in the system control file, /etc/pam.conf, under four test categories (module-type): authentication, account, session, and password. See pam(3), pam.conf(4), and pam_user.conf(4) for more information. 2.3.4 Sample /etc/pam.conf File Following is a partial listing of a sample /etc/pam.
login   account   required   libpam_unix.so.1
su      account   required   libpam_hpsec.so.1
su      account   required   libpam_unix.so.1
2.3.5 The /etc/pam_user.conf User Configuration File The PAM configuration file, /etc/pam_user.conf, configures PAM on a per-user basis. This file is optional. It is needed only if PAM applications need to behave differently for different users. You assign different options to individual users by listing them in /etc/pam_user.conf.
login   auth   required   /usr/lib/security/libpam_unix.1
If there are two or more systemwide login auth entries, such as the following, they are taken in order:
login   auth   required   /usr/lib/security/libpam_unix.1
login   auth   required   /usr/lib/security/libpam_dce.1
In this case, the standard HP-UX login process is executed. Then the DCE authentication process occurs. If both are satisfied, then the login is successful. Both processes are performed, even if the user fails one of them.
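The ordering rule above is easiest to see by walking the stack the way the PAM library does. The script below is an added example, not code from this guide: the pam.conf text is constructed for the demonstration (libpam_unix.1 and libpam_dce.1 are the modules named above; the su stack and the libpam_krb5.1 name are assumptions), and a dictionary of per-module outcomes stands in for what each shared library would actually return. It goes beyond the page's required-only case by implementing all four control flags documented in pam.conf(4): required, requisite, sufficient and optional.

```python
"""Walk a PAM stack as the PAM library does when a service calls it.

Added example, not code from the HP-UX guide. SAMPLE_PAM_CONF is constructed;
the module names on the su lines are assumptions for the demo.
"""
from collections import namedtuple

Entry = namedtuple("Entry", "service module_type control module_path options")

SAMPLE_PAM_CONF = """\
# service  module-type  control     module-path
login      auth         required    /usr/lib/security/libpam_unix.1
login      auth         required    /usr/lib/security/libpam_dce.1
su         auth         sufficient  /usr/lib/security/libpam_krb5.1
su         auth         required    /usr/lib/security/libpam_unix.1
"""


def parse_pam_conf(text):
    """Parse 'service module-type control module-path [options...]' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        entries.append(Entry(fields[0], fields[1], fields[2].lower(),
                             fields[3], fields[4:]))
    return entries


def run_stack(entries, service, module_type, outcomes):
    """Evaluate the stack for (service, module_type).

    outcomes maps module path -> True if that module would succeed.
    Returns (authenticated, modules_invoked). With two 'required' modules
    both run even when the first fails, so the caller cannot tell which
    module rejected it; that is the behaviour the text above describes.
    """
    invoked = []
    required_failed = False
    non_optional_ok = False
    optional_ok = False
    for e in entries:
        if (e.service, e.module_type) != (service, module_type):
            continue
        ok = outcomes.get(e.module_path, False)
        invoked.append(e.module_path)
        if e.control == "required":
            if ok:
                non_optional_ok = True
            else:
                required_failed = True      # remember, but keep walking
        elif e.control == "requisite":
            if ok:
                non_optional_ok = True
            else:
                return False, invoked       # stop immediately
        elif e.control == "sufficient":
            if ok and not required_failed:
                return True, invoked        # enough; skip the rest
        elif e.control == "optional":
            optional_ok = optional_ok or ok
        else:
            raise ValueError("unknown control flag %r" % e.control)
    if required_failed:
        return False, invoked
    if non_optional_ok:
        return True, invoked
    return optional_ok, invoked             # only optional modules present


def demo():
    entries = parse_pam_conf(SAMPLE_PAM_CONF)
    unix = "/usr/lib/security/libpam_unix.1"
    dce = "/usr/lib/security/libpam_dce.1"
    krb5 = "/usr/lib/security/libpam_krb5.1"
    return {
        # The page's case: UNIX password wrong, DCE fine -> both run, login fails.
        "login_unix_fails": run_stack(entries, "login", "auth", {unix: False, dce: True}),
        "login_both_ok": run_stack(entries, "login", "auth", {unix: True, dce: True}),
        # Kerberos credentials accepted -> libpam_unix.1 is never consulted.
        "su_krb5_ok": run_stack(entries, "su", "auth", {krb5: True, unix: False}),
        "su_krb5_fails": run_stack(entries, "su", "auth", {krb5: False, unix: True}),
    }


if __name__ == "__main__":
    for name, (ok, modules) in demo().items():
        print("%-16s %-5s %s" % (name, ok, " -> ".join(modules)))
```

Note the difference between the two stacks: a failing required module does not stop the walk, which is why the login example invokes both modules, whereas a sufficient module that succeeds ends the walk before libpam_unix.1 is ever called.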
2.4 Managing Passwords The password is the most important individual user identification symbol. With it, the system authenticates a user to allow access to the system. Because they are vulnerable to compromise when used, stored, or known, passwords must be kept secret at all times. The following sections discuss passwords in more detail. 2.4.1 System Administrator Responsibilities The system administrator and every user on the system must share responsibility for password security.
2.4.3 Criteria of a Good Password Observe the following guidelines when choosing a password and communicate these guidelines to users:
• Choose a password with at least 6 characters and no more than 80 characters. Special characters can include control characters and symbols, such as asterisks and slashes. In standard mode, only the first 8 characters are used.
• Do not choose a word found in a dictionary in any language, even if you spell it backwards.
# passwd -f user1
• Lock or disable an account:
# passwd -l user2
• Enable password aging:
# passwd -n 7 -x 28 user1
• View password aging status for a specific user:
# passwd -s user
• View password aging status for all users:
# passwd -sa
2.4.4.2 The /etc/passwd File Format The /etc/passwd file is used to authenticate a user at login time. The file contains an entry for every account on the HP-UX system. Each entry consists of seven fields, separated by colons.
Use the following commands to enable, verify, and disable shadow passwords:
• The pwconv command creates a shadow password file and copies the encrypted passwords from the /etc/passwd file to the /etc/shadow file.
• The pwck command checks the /etc/passwd and /etc/shadow files for inconsistencies.
• The pwunconv command copies the encrypted passwords and aging information from the /etc/shadow file to the /etc/passwd file and then deletes the /etc/shadow file.
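A small parser for the seven-field format makes the checks recommended in this chapter (unused or duplicate accounts, who has UID 0, captive login programs) repeatable. The script below is an added example, not code from this guide: the entries are constructed, the password fields are placeholders, and KNOWN_SHELLS is an assumption to adjust for your system.

```python
"""Parse /etc/passwd and flag conditions this chapter says to check.

Added example, not code from the HP-UX guide. SAMPLE_PASSWD is constructed;
KNOWN_SHELLS is an assumption (compare with /etc/shells if present).
"""
from collections import defaultdict, namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name password uid gid gecos home shell")

KNOWN_SHELLS = {"/sbin/sh", "/usr/bin/sh", "/usr/bin/ksh", "/usr/bin/csh",
                "/bin/sh", "/bin/ksh", "/bin/csh", "/bin/false"}

# Constructed sample; 'x' means the hash lives in /etc/shadow, '*' is locked.
SAMPLE_PASSWD = """\
root:x:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
lp:*:9:7::/var/spool/lp:/sbin/sh
joe:x:101:20:Joe User:/home/joe:/usr/bin/ksh
dateonly:x:102:20:Captive account:/home/dateonly:/usr/bin/date
tmpadm::0:3:Temporary admin:/:/sbin/sh
oldsvc:x:101:20:Duplicate UID:/home/oldsvc:/usr/bin/sh
"""


def parse_passwd(text):
    """Split each line into the seven colon-separated fields; reject anything else."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, found %d" % (lineno, len(fields)))
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries):
    """Return (account, finding) pairs in the order they are discovered."""
    findings = []
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e.uid].append(e.name)
        if e.password == "":
            findings.append((e.name, "empty password field: login needs no password"))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0: this account is root under another name"))
        # An empty login program defaults to /bin/sh at login, so only a
        # non-empty, non-shell value marks a captive account.
        if e.shell and e.shell not in KNOWN_SHELLS:
            findings.append((e.name, "login program %s is not a shell: "
                                     "captive account, confirm it is intended" % e.shell))
    for uid, names in by_uid.items():
        if uid != 0 and len(names) > 1:   # extra UID 0 entries are reported above
            findings.append((",".join(names), "accounts share UID %d" % uid))
    return findings


if __name__ == "__main__":
    for account, finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print("%-14s %s" % (account, finding))
```

Run against the real file with `audit_passwd(parse_passwd(open("/etc/passwd").read()))`; on a system using shadow passwords every password field should read `x` or be locked, so an empty field is always worth a visit.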
NOTE: Shadow passwords are not supported with LDAP-UX. Instead, LDAP-UX provides the ability to hide user passwords in the directory server itself. LDAP-UX also enforces centralized security policies, similar to /etc/shadow, based on the security policy of the directory server. Shadow passwords are not supported by the applications that expect passwords to reside in /etc/passwd.
to the owner of the executable file. For example, the cancel command is part of the lp subsystem and runs as effective user lp. When the setuid is set, the security mediation of that subsystem enforces the security of all programs encompassed by the subsystem, not the entire system. Hence, the subsystem vulnerability to a breach of security is also limited to only those subsystem files. Breaches cannot affect the programs under different subsystems.
• Boot attributes: These attributes control boot authentication, defining which users are authorized to boot the system into single-user mode. See the boot authentication information in Chapter 1.
• Switch user (su) attributes: These attributes define the PATH environment value, the root group name for the su command, and whether or not su should propagate certain environment variables. See su(1) for more information.
• Audit attribute: This attribute controls whether or not users are to be audited.
• umask attribute
2.5.1 Configuring Systemwide Attributes The following steps explain how to define security attributes on a systemwide basis. 1. Review the security(4) manpage, which explains the configurable systemwide default values for attributes. These attributes are configured in the /etc/default/ security file, which is also explained in the security(4) manpage. If an attribute is not defined in the /etc/default/security file, then the default value defined in the /etc/security.dsc file will be used by the system.
You cannot use the userdbset command to configure all attributes. Some per-user values are defined in the /etc/passwd and /etc/shadow files. For more information, see security(4). 5. Use the userdbget command to get user information. 2.5.2.1 Examples of Defining User-Specific Attributes with userdbset In the following example, the userdbset command deletes all user-defined attributes for user joe. When joe logs in, the systemwide defaults in /etc/default/security will then apply to joe.
Problem 2: The user database is not functioning properly. If you need to check the user database, enter the following command:
# userdbck
The userdbck command identifies and repairs problems in the user database.
2.6 Handling setuid and setgid Programs Because they pose a potential security risk to the system, note which programs are setuid (set user ID) and setgid (set group ID) programs.
acquire their attributes from the object, giving the user the same access rights as the program's owner and group.
• If the setuid bit is turned on, the privileges of the process are set to that of the owner of the file.
• If the setgid bit is turned on, the privileges of the process are set to that of the group of the file.
• If neither the setuid nor the setgid bit is turned on, the privileges of the process are unchanged.
• Know exactly what the setuid and setgid programs do, and verify that they do only what is intended. Failing this, remove the program or its setuid attribute.
• If you must copy a setuid program, make sure that the modes are correct on the destination file.
• Write setuid programs so that they can be tested on noncritical data, without setuid or setgid attributes.
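Knowing what every setuid and setgid program does starts with an inventory of them. The script below is an added example, not code from this guide. It walks a tree with os.lstat, considers only regular files (a set-id bit on a symlink is meaningless, and on a directory it means group inheritance rather than privilege), and additionally reports a set-id file that is world-writable, since anyone could then replace its contents and run them as the owner. demo() builds a throwaway directory with constructed file names and modes.

```python
"""Inventory setuid and setgid files below a directory.

Added example, not code from the HP-UX guide. demo() creates a scratch tree
with constructed names; the modes are chosen to exercise each case.
"""
import os
import stat
import tempfile


def setid_kind(mode):
    """'setuid', 'setgid', 'setuid+setgid' or '' for a raw st_mode value."""
    kinds = []
    if mode & stat.S_ISUID:
        kinds.append("setuid")
    if mode & stat.S_ISGID:
        kinds.append("setgid")
    return "+".join(kinds)


def find_setid(root):
    """Return sorted (relative path, kind, uid, gid, world_writable) tuples."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # never follow symlinks
            except OSError:
                continue                     # vanished or unreadable; skip
            if not stat.S_ISREG(st.st_mode):
                continue                     # only regular files matter here
            kind = setid_kind(st.st_mode)
            if kind:
                hits.append((os.path.relpath(path, root), kind,
                             st.st_uid, st.st_gid,
                             bool(st.st_mode & stat.S_IWOTH)))
    return sorted(hits)


def demo():
    """Create a scratch tree with known modes and scan it."""
    base = tempfile.mkdtemp(prefix="setid-demo-")
    layout = {                               # constructed names, chosen modes
        "bin/cancel": 0o4755,                # setuid, like the lp subsystem
        "bin/wall":   0o2755,                # setgid
        "bin/ls":     0o755,                 # neither, must not appear
        "bin/bad":    0o4777,                # setuid AND world-writable
    }
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)                 # chmod sets the exact mode, umask does not apply
    return find_setid(base)


if __name__ == "__main__":
    for rel, kind, uid, gid, ww in demo():
        flag = "  WORLD-WRITABLE" if ww else ""
        print("%-12s %-14s uid=%d gid=%d%s" % (rel, kind, uid, gid, flag))
```

Save the output of `find_setid("/")` from a freshly installed system and diff later runs against it; a new set-id file, or a known one whose owner or mode changed, is exactly what this section asks you to notice.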
to a program, thereby causing the program to execute arbitrary code from its program stack. The executable_stack kernel tunable parameter globally enables or disables stack buffer overflow protection. A setting of 0 (zero) causes stacks to be nonexecutable and is preferred for security reasons. By default, for backward compatibility, executable_stack is set to 1, which allows stack execution and therefore no protection. Use HP SMH or the kmtune command to change the value of executable_stack.
0 17 * * * /sbin/init 4
At 5:00 p.m. every day (the 17 in the previous example means 1700 hours or 5:00 p.m.), the system run level is changed to 4. The ttp1 and ttp2 terminals cannot operate after 5:00 p.m. because they are at run levels 2 and 3.
2.8.2 Protecting Terminal Device Files If an intruder gains access to an open terminal, they can redirect a command to another terminal window.
2.8.3.2 Configuring the CDE Lock Manager You can configure the CDE lock manager to lock your screen after a certain amount of inactive time. To configure the CDE lock manager to lock the screen after 10 minutes of inactive time, enter the following commands:
# cp /usr/dt/config/C/sys.resources /etc/dt/config/C/sys.resources
# vi /etc/dt/config/C/sys.resources
dtsession*lockTimeout: 10
You can also use the Style Manager task panel to adjust the CDE lock manager. To do this, click on the screen icon.
2.
accounting of user network access at the entry point to a network. See the HP-UX AAA Server Administrator's Guide for more information. 2.9.1 Controlling Access Using /etc/dialups and /etc/d_passwd For additional security in identifying remote users, add entries into the /etc/dialups and /etc/d_passwd files. These files are used to control the dialup security feature of login. See dialups(4) and login(1) for more information.
• Modify the login banner defined in /etc/copyright and /etc/motd.
• Modify the telnet banner defined in /etc/issue. The telnetd -b banner file command defines a custom banner. To use /etc/issue as the login banner, add the following lines to the /etc/inetd.conf file:
telnet stream tcp nowait root /usr/lbin/telnetd \
    telnetd -b /etc/issue
When inetd starts telnetd, the banner in /etc/issue is used. See inetd(1M), telnetd(1M), and inetd.conf(4) for more information.
The following sections discuss how to protect the root account in more detail.
2.11.1 Monitoring root Account Access If you have two or more system administrators that need root access, following are some suggestions for how to track them:
• Allow only direct root logins on the system console. Create the /etc/securetty file with the single entry, console, as follows:
# echo console > /etc/securetty
This restriction applies to all login names that have a UID of zero (0). See login(1) for more details.
2.11.3 Reviewing Superuser Access The /var/adm/sulog file logs all attempts of the su root command, including failures. Successful attempts are flagged with a plus (+) and failures are flagged with a minus (-). Only root can view the /var/adm/sulog file. For example:
# su root
Password:
# ll /var/adm/sulog
-rw-------   1 root   root   690 Aug 17 19:37 /var/adm/sulog
In the following example, userone has successfully used the su command to access root. A second user, usertwo, has not been successful.
3 HP-UX Standard Mode Security Extensions This chapter describes the HP-UX Standard Mode Security Extensions (HP-UX SMSE). The following topics are discussed: • Overview (Section 3.1) • Security attributes and the user database (Section 3.2) 3.1 Overview HP-UX Standard Mode Security Extensions (HP-UX SMSE) is a group of features that enhances both user and operating system security. HP-UX SMSE includes enhancements or changes to the HP-UX auditing system, passwords, and logins for systems in standard mode.
• Usage of the userdbset command can be restricted based on a user's authorizations. See userdbset(1M) for more information.
• The userstat command displays the account status of local users. It checks the status of local user accounts and reports abnormal conditions, such as account locks. See userstat(1M) for more information.
3.2 Security Attributes and the User Database Previously, in standard mode, all HP-UX security attributes and password policy restrictions were set on a systemwide basis.
2. To change a systemwide default, edit the /etc/default/security file with a text editor such as vi. Comments begin with a pound sign (#). Attributes are written in attribute=value format. For example, to set the systemwide minimum number of uppercase characters in a password to two (2), enter the following values into /etc/default/security: PASSWORD_MIN_UPPER_CASE_CHARS=2 NOTE: Changes to systemwide security attributes do not take effect immediately.
Table 3-3 User Attributes
• ALLOW_NULL_PASSWORD: Allows or denies login with a null password.
• AUDIT_FLAG: Audits or stops auditing the user.
• AUTH_MAXTRIES: Defines the number of login failures allowed before a user is locked out of the system.
• DISPLAY_LAST_LOGIN: Displays information about the user's last login.
• LOGIN_TIMES: Restricts login time periods.
• MIN_PASSWORD_LENGTH: Defines the minimum password length.
Table 3-4 User Database Manpages (continued)
• userdbck(1M): Describes userdbck functionality and syntax.
• userstat(1M): Describes userstat functionality and syntax.
3.2.4 Configuring Attributes in the User Database In previous HP-UX systems, security attributes and password policy restrictions were set on a systemwide basis. With HP-UX SMSE, you can configure some security attributes on a per-user basis. Attributes configured per-user override systemwide configured attributes.
4 Remote Access Security Administration HP-UX provides several remote access services, such as file transfer, remote login, remote command execution, management of IP addresses and network clients, routing protocols, mail exchange, network services, and a security mechanism spawned by inetd, the Internet super daemon. This chapter discusses the following topics: • Overview of internet services and remote access services (Section 4.1) • The inetd Daemon (Section 4.
Table 4-1 Internet Services Components and Access Verification, Authorization, and Authentication (continued)
• rlogin (remote login): Password verification or entry in $HOME/.rhosts or /etc/hosts.equiv file. Also can use Kerberos authentication mechanism defined in /etc/inetsvcs.conf. See rlogin(1).
• telnet (remote login using ...): Password verification.
4.1.2 Securing Anonymous ftp If a $HOME/.rhosts file is put into /home/ftp, then an unauthorized user could use rlogin to log in as the user, ftp. The .rhosts file specifies hosts and users that are allowed access to a local account using rcp, remsh, or rlogin without a password. For more information, see hosts.equiv(4).
4.1.4 Other Security Solutions for Spoofing Spoofing is a method of pretending to be a valid user or host to gain unauthorized access to a system. Because IP addresses and hostnames can be spoofed, using the /var/adm/inetd.sec security file for inetd (the internet daemon) is not a guaranteed security solution. See Section 4.2 for information about inetd.
4.2 The inetd Daemon The Internet daemon, /usr/sbin/inetd, is the master server for many Internet Services. The inetd daemon is usually started automatically by the /sbin/init.d/inetd script as part of the boot process. The inetd daemon monitors for connection requests for the services listed in the /etc/ inetd.conf configuration file, and spawns the appropriate server on receiving a request. In other words, users connect to remote systems by using an Internet Service, such as telnet.
• Enable inetd logging in /etc/rc.config.d/netdaemons. For more information, see rc.config.d(4).
• Review /etc/inetd.conf and /etc/services for changes. An unauthorized user might have gained root access and modified the /etc/services and /etc/inetd.conf files.
• In /etc/inetd.conf, look for names of services you are not using.
• In /etc/services, look for port numbers that are not registered with the Internet Assigned Numbers Authority (IANA) at http://www.iana.org.
Click HP-UX 11i v3 Networking Software. You can also see the following manpages: tcpd(1M), tcpdmatch(1), tcpdchk(1), tcpd.conf(4), hosts_access(3), hosts_access(5), and hosts_options(5). When you enable TCP Wrappers, inetd runs a TCP wrapper daemon, tcpd, instead of running the requested service directly. The TCP Wrappers work as follows:
1. Clients send connection requests to inetd as they normally do, for example, telnet.
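The review of /etc/inetd.conf recommended above can be scripted so that it is run the same way after every change. The script below is an added example, not code from this guide: the file text and the APPROVED set are constructed for the demonstration (the telnet line follows the one shown in Chapter 2), and TRUSTED_DIRS is a heuristic to adapt to where your site installs network daemons. It flags every enabled service that is not on the approved list and every server program that lives outside the trusted directories, which is what a modified inetd.conf typically looks like.

```python
"""Review /etc/inetd.conf against a site allowlist.

Added example, not code from the HP-UX guide. SAMPLE_INETD_CONF, APPROVED
and TRUSTED_DIRS are constructed or assumed for the demonstration.
"""
import os
from collections import namedtuple

InetdEntry = namedtuple("InetdEntry",
                        "service socket_type proto wait user server args lineno")

# Site policy (assumed). ftp and telnet are cleartext; a site following the
# guide's recommendation to use HP-UX Secure Shell would list neither.
APPROVED = {"ftp", "telnet"}
TRUSTED_DIRS = ("/usr/lbin", "/usr/sbin", "/usr/bin", "/opt")

SAMPLE_INETD_CONF = """\
# Internet server configuration database (constructed sample)
ftp      stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet   stream tcp nowait root /usr/lbin/telnetd telnetd -b /etc/issue
#finger  stream tcp nowait bin  /usr/lbin/fingerd fingerd
chargen  stream tcp nowait root internal
echo     dgram  udp wait   root internal
backdoor stream tcp nowait root /tmp/.x/sh sh -i
"""


def parse_inetd_conf(text):
    """Parse active (uncommented) entries; 'internal' services carry no args."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError("line %d: too few fields: %r" % (lineno, raw))
        entries.append(InetdEntry(fields[0], fields[1], fields[2], fields[3],
                                  fields[4], fields[5], fields[6:], lineno))
    return entries


def review_inetd(entries):
    """Return (service, reason) pairs for entries worth a second look."""
    findings = []
    for e in entries:
        if e.service not in APPROVED:
            findings.append((e.service,
                             "line %d: enabled but not in the approved list" % e.lineno))
        if e.server != "internal":
            server = os.path.normpath(e.server)   # defeat /usr/lbin/../../tmp tricks
            if not any(server.startswith(d + "/") for d in TRUSTED_DIRS):
                findings.append((e.service,
                                 "line %d: server %s is outside the trusted directories"
                                 % (e.lineno, e.server)))
    return findings


if __name__ == "__main__":
    for service, reason in review_inetd(parse_inetd_conf(SAMPLE_INETD_CONF)):
        print("%-9s %s" % (service, reason))
```

Keep the approved list under version control with the file itself, and run the review against `open("/etc/inetd.conf").read()` from cron; a service that appears without a matching change record is the signal this section describes.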
Secure Internet Services is part of the HP-UX Internet Services product, which is documented in Using HP-UX Internet Services: http://www.hp.com/go/hpux-networking-docs Click HP-UX 11i v3 Networking Software. You can also see the following manpages: sis(5), kinit(1), klist(1), kdestroy(1M), krbval(1M), k5dcelogin(1M), inetsvcs_sec(1M), and inetsvcs(4). When you run SIS commands, the security is enhanced because you no longer have to transmit a password in readable form over the network.
3. Verify that each node in the administrative domain does not extend privileges to any nodes that are not included.
4. Repeat steps 2 and 3 for each node in the domain.
5. Control root and local security on every node in the administrative domain. A user with superuser privileges on any machine in the domain can acquire those privileges on every machine in the domain.
6. Maintain consistency of user name, uid, and gid among password files in the administrative domain.
• /etc/protocols: List of protocol names and numbers. For more information, see protocols(4).
• /etc/services: List of official service names and aliases with the port number and protocol that the services use. For more information, see services(4).
4.6 Securing Remote Sessions Using HP-UX Secure Shell (SSH) HP-UX Secure Shell is based on the OpenSSH product, an open source SSH product (http://www.openssh.org).
• Port forwarding The redirection of TCP/IP connections between a client and a remote host (and back) is referred to as port forwarding or SSH tunneling. HP-UX Secure Shell supports port forwarding. For example, ftp traffic between a client and a server (or email traffic between an email client and a POP/IMAP server) can be redirected using port forwarding.
Table 4-2 Software Components of HP-UX Secure Shell (continued)
Component | Description | Location | Equivalent non-secure component(s)
ssh-add | Tool for making key pairs of the client known to ssh-agent | Client | Not applicable
ssh-keygen | Tool for generating key pairs for public key authentication | Client | Not applicable
ssh-keyscan | Tool for a client to gather the public keys for a set of hosts running the Secure Shell daemon (sshd) | Client | Not applicable
ssh-keysign | Tools to generate the digital signatu
• of child sshd processes running on the server doubles if privilege separation is enabled on the server. See Section 4.6.4. On the server system, for each command execution request from an ssh client, the corresponding child sshd process spawns a shell process, and uses a UNIX pipe to communicate the command request to this shell process. This shell process returns the command execution results to the child sshd process using the UNIX pipe and terminates when the command execution is complete. 4.6.3.
Most remote command execution requests from the client are nonprivileged, and are handled by a shell spawned under this nonprivileged child sshd process. When the nonprivileged child sshd process needs a privileged function to be executed, it communicates with its privileged parent sshd process using a UNIX pipe. Privilege separation helps contain potential damage from an intruder.
The authentication methods supported by HP-UX Secure Shell are summarized in the following sections.
4.6.5.1 GSS-API
With the Generic Security Service Application Programming Interface (GSS-API), a Kerberos-based client authentication, the client must obtain Kerberos credentials in advance, and also have a Kerberos configuration file present in the appropriate client directory. When a client connects with an sshd daemon, it presents its credentials at connection time.
method enables client environments to restrict the servers that they will communicate with. Implement this restriction by creating a .rhosts file in the client's home directory.
4.6.5.4 Password Authentication
The password authentication method relies on the existence of a single user ID and password-based login. This login could be based on the user's login specified in /etc/passwd, or it could be PAM-based. HP-UX Secure Shell is fully integrated with PAM modules available on the server system.
authentication. See pam.conf(4) for more information about the /etc/pam.conf file.
• Use of /etc/default/security file  This is a systemwide configuration file that contains attributes defining the behavior of login, passwords, and other security configurations. HP-UX Secure Shell allows use of these attributes with some restrictions, which are explained in the /opt/ssh/README.hp file for HP-UX Secure Shell. More information on the /etc/default/security file is in security(4).
The HP-UX Strong Random Number Generator is available by default. For more information, see random(7). 4.6.10 TCP Wrappers Support The HP-UX Secure Shell daemon, sshd, is linked with the archive library, libwrap.a, to support TCP Wrappers. See also Section 4.3. 4.6.11 chroot Directory Jail chroot is a directory jail. It starts up an application in a specified directory and restricts users to accessing that directory and the directories below it.
Part II Protecting Data HP-UX 11i offers data protection in many forms: protecting data in transit, in use, and at rest. By using security features designed to protect data in its three forms, HP-UX 11i customers can minimize possible breaches not only in terms of data loss, but in customer trust as well.
5 File System Security
This chapter explains file system security. Before you read this chapter, you should have a basic understanding of files and file systems. Because data is stored in files, it is important to understand how to protect them. This chapter discusses the following topics:
• Controlling file access (Section 5.1)
• Setting access control lists (Section 5.2)
• Using HFS ACLs (Section 5.3)
• Using JFS ACLs (Section 5.4)
• Comparison of JFS and HFS ACLs (Section 5.5)
• ACLs and NFS (Section 5.
• u (user/owner)
• g (group)
• o (all others; also known as world)
The r permission allows users to view or print the file. The w permission allows users to write (modify) the file. The x permission allows users to execute (run) the file or to search directories. Figure 5-1 shows the traditional permissions fields.
5.1.1 Setting File Access Permissions
The chmod command changes the type of access (read, write, and execute privileges) for the file's owner, group members, or all others. Only the owner of a file or a user with the appropriate privileges can change file access. See chmod(1). By default, the initial set of read and write permissions for files and directories is determined by the creator's umask value. To change the default file permissions, use the umask command. See umask(1).
# chmod a+rwxt /mfgproj Setting the sticky bit is important for directories that are used for temporary files. In the event that a temporary directory is not set to sticky, an attacker may alter the expected behavior of user programs by waiting for a temporary file to be created and then deleting and recreating a new file with modified content, but the same name. In most cases, the application is unaware of the change and may unintentionally perform malicious acts on behalf of the attacker. 5.1.
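The check a defender wants after reading the note above: which world-writable directories on a tree lack the sticky bit. This is an added example, not code from the HP-UX guide; the directory tree in demo() is constructed, and sticky_violations and harden are hypothetical helper names.

```python
"""Added example, not code from the HP-UX guide: find world-writable
directories that lack the sticky bit, the temporary-directory condition
Section 5.1 warns about, and set the bit (the guide's chmod a+rwxt). The
directory tree in demo() is constructed; sticky_violations and harden are
hypothetical helper names."""
import os
import stat
import tempfile


def sticky_violations(root):
    """Return directories under root that others can write to (o+w) but that
    are not sticky (o+t). Symlinks are not followed, so a planted link cannot
    redirect the scan."""
    bad = []
    for dirpath, dirnames, _files in os.walk(root, followlinks=False):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISDIR(st.st_mode):
                continue                     # symlink to a directory: skip
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                bad.append(path)
    return sorted(bad)


def harden(path):
    """Add the sticky bit so only a file's owner (or the directory owner or
    root) can remove or rename entries; returns the new mode bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode | stat.S_ISVTX)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed tree: one correctly sticky temp dir and one that is not."""
    base = tempfile.mkdtemp()
    good = os.path.join(base, "tmp_sticky")
    weak = os.path.join(base, "tmp_weak")
    os.mkdir(good)
    os.chmod(good, 0o1777)
    os.mkdir(weak)
    os.chmod(weak, 0o777)
    before = [os.path.basename(p) for p in sticky_violations(base)]
    harden(weak)
    after = [os.path.basename(p) for p in sticky_violations(base)]
    return before, after
```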
even if the underlying data is lost or corrupted. Look for one or more of these other file problems:
• A user, program, or application deleted, overwrote, moved, or truncated the file or files.
• The file system associated with a particular directory when the file was created might not be mounted to that directory.
• A file or files were placed in a directory that now has a file system mounted to it. The files still exist but are not accessible. Unmount the file system to access the files.
IMPORTANT: You must use chmod with the -A option when working with files that have HFS ACL permissions assigned. Without the -A option, chmod will delete the ACL permissions from the file. The syntax is: # chmod -A mode file The chacl command is a superset of the chmod command. Any specific permissions you assign with the chacl command are added to the more general permissions assigned with the chmod command. When a file has ACLs, the ll command displays a plus sign (+) after the permission string.
Example 5-1 Creating an HFS ACL
In this example, the chmod command restricts write permissions for myfile to only the user, allan. The chmod command also deletes any previous HFS ACLs.
$ chmod 644 myfile
$ ll myfile
-rw-r--r--   1 allan      users            0 Sep 21 16:56 myfile
$ lsacl myfile
(allan.%,rw-)(%.users,r--)(%.%,r--) myfile
The lsacl command displays just the default (no ACL) values, corresponding to the basic owner, group, and other permissions.
Table 5-2 HFS ACL Commands
Command | Description
chacl | Changes HFS ACLs of files.
getaccess | Lists user's access rights to files.
lsacl | Lists HFS ACLs of files.
Table 5-3 HFS ACL System Calls
System Call | Description
getaccess | Gets a user's effective access rights to a file.
getacl, fgetacl | Gets HFS ACL information.
setacl, fsetacl | Sets HFS ACL information.
acltostr | Converts HFS ACL structure to string form.
chownacl | Changes the owner or group represented in an HFS file's ACL.
Table 5-4 Commands and Calls Affecting ACL Entries (continued)
Command or Call | Description
ls -l | The long form indicates the existence of ACLs by displaying a plus sign (+) after the file's permission bits.
mailx | Does not support optional ACL entries on /var/mail/* files.
compact, compress, cp, ed, pack, unpack | Copies ACL entries to the new files they create.
frecover, fbackup | Use only these commands to selectively recover and back up files.
5.4.2 How the System Generates a JFS ACL Whenever a file is created on a JFS file system, the system initializes a minimal JFS ACL for the file, containing a user entry for the owner permissions, a group entry for the owning group permissions, a class entry for the owning group permissions, and an other entry for the other group permissions. Additional entries can be added by the user, or as a result of default entries specified on the parent directory. 5.4.
5.4.5 JFS ACL group and class Entries In a file with a minimal ACL, the owning group and class ACL entries are identical. However, in a file with additional entries, the owning group and class ACL entries are distinct. The owning group entry grants permissions to a specific group: the owning group. The class entry is more general; it specifies the maximum permissions that can be granted by any of the additional user and group entries.
5.4.8 Example of Changing a Minimal JFS ACL To illustrate the function of the JFS ACL class entry, this section describes how chmod and setacl affect a file with a minimal JFS ACL and a file with group class entries. NOTE: Further details about the use of the getacl and setacl commands are in Section 5.4.10. Refer also to getacl(1) and setacl(1). Consider a file, exfile, with read-only (444) permissions and a minimal JFS ACL.
group::rw-
group:dev:r-x
class:rwx
other:rw-
Next, the chmod command removes write and execute permission from group, and actually reduces the class permissions to read-only. The owning group permissions, while unchanged, are effectively reduced to read-only as well.
$ chmod g-wx exfile
$ getacl exfile
# file: exfile
# owner: jsmith
# group: users
user::rw-
user:guest:r--
group::rw-         #effective:r--
group:dev:r-x      #effective:r--
class:r--
other:rw-
The other permissions are unchanged.
• The corresponding nondefault ACL entries are created, so that the desired permissions are granted and denied for the directory, just as for any file created in the directory.
• The default entries themselves are copied, so that the new subdirectory has the same default ACL as the parent directory.
5.4.10.2 Using the -f Option
If you are adding or changing several entries, you can use a different procedure. You can save the ACL to a file, edit the file, and then apply this new ACL to the file. For example, save the ACL to a file with this command:
$ getacl junk > junk.acl
Edit the file so that it appears as follows:
$ cat junk.
user::rw-
group::rw-
group:dev:r-x      #effective:r--
class:rw-
other:rw-
The group dev ACL entry is added as specified, but execute permission is not actually granted. Execute permission is denied by the class entry, and the class entry was not recalculated because -n was specified. If -n was not used, class would have been reset to class:rwx, and the effective comment would not be there.
5.5 Comparison of JFS and HFS ACLs
JFS ACLs adhere to the POSIX ACL standard.
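To make the class-entry behaviour of Section 5.4.8 (chmod g-wx on exfile) and Section 5.4.10.2 (setacl -n on junk) concrete, the following added example models how the class entry masks the owning-group and additional entries. It is not code from the guide: the ACL text is constructed in getacl(1) output format, and parse_acl, effective, render, chmod_group and add_entry are hypothetical helpers, not HP-UX interfaces.

```python
"""Added example, not code from the HP-UX guide: a model of the JFS (POSIX)
ACL class entry, reproducing the exfile session of Section 5.4.8 and the
setacl -n case of Section 5.4.10.2. The ACL text is constructed in getacl(1)
output format; the functions are hypothetical helpers."""

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))


def perm_bits(perms):          # 'r-x' -> 5
    return sum(b for c, b in PERM_BITS if c in perms)


def perm_str(bits):            # 5 -> 'r-x'
    return "".join(c if bits & b else "-" for c, b in PERM_BITS)


def is_masked(tag, qualifier):
    """Only the owner (user::) and other entries escape the class entry; named
    users, the owning group and named groups are limited by it."""
    return not (tag == "other" or (tag == "user" and qualifier == ""))


def parse_acl(text):
    """getacl-style lines -> [(tag, qualifier, bits)] in file order; '# file:'
    headers and '#effective:' notes are ignored."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if body:
            parts = body.split(":")          # class/other have no qualifier
            qualifier = parts[1] if len(parts) == 3 else ""
            entries.append((parts[0], qualifier, perm_bits(parts[-1])))
    return entries


def class_bits(entries):
    return next(b for t, q, b in entries if t == "class")


def effective(entries, tag, qualifier=""):
    """Permissions an entry actually grants once the class entry is applied."""
    bits = next(b for t, q, b in entries if (t, q) == (tag, qualifier))
    masked = bits & class_bits(entries) if is_masked(tag, qualifier) else bits
    return perm_str(masked)


def render(entries):
    """Print like getacl, adding '#effective:' where class cuts an entry down."""
    klass, lines = class_bits(entries), []
    for tag, qualifier, bits in entries:
        name = tag if tag in ("class", "other") else "%s:%s" % (tag, qualifier)
        line = "%s:%s" % (name, perm_str(bits))
        if is_masked(tag, qualifier) and bits & klass != bits:
            line += "\t#effective:%s" % perm_str(bits & klass)
        lines.append(line)
    return "\n".join(lines)


def recalc_class(entries):
    """Reset class to the union of every masked entry, as setacl does unless
    -n is given (Section 5.4.10.2)."""
    union = 0
    for tag, qualifier, bits in entries:
        if tag != "class" and is_masked(tag, qualifier):
            union |= bits
    return [(t, q, union if t == "class" else b) for t, q, b in entries]


def chmod_group(entries, remove):
    """chmod g-<remove>: on a minimal ACL the owning group and class entries
    change together; once additional entries exist chmod edits only the class
    entry and group:: keeps its nominal permissions (Section 5.4.8)."""
    drop = perm_bits(remove)
    minimal = all(q == "" for t, q, b in entries if t in ("user", "group"))
    targets = ("group", "class") if minimal else ("class",)
    return [(t, q, b & ~drop if t in targets and q == "" else b)
            for t, q, b in entries]


def add_entry(entries, tag, qualifier, perms, recalc=True):
    """setacl -m tag:qualifier:perms; recalc=False models setacl -n."""
    new = [e for e in entries if (e[0], e[1]) != (tag, qualifier)]
    at = next(i for i, e in enumerate(new) if e[0] == "class")
    new.insert(at, (tag, qualifier, perm_bits(perms)))
    return recalc_class(new) if recalc else new


# Constructed inputs: exfile before chmod g-wx (5.4.8), minimal junk ACL (5.4.10.2).
EXFILE = "user::rw-\nuser:guest:r--\ngroup::rw-\ngroup:dev:r-x\nclass:rwx\nother:rw-\n"
JUNK = "user::rw-\ngroup::rw-\nclass:rw-\nother:rw-\n"


def demo():
    """Return the three ACLs the guide walks through."""
    after_chmod = chmod_group(parse_acl(EXFILE), "wx")
    with_n = add_entry(parse_acl(JUNK), "group", "dev", "r-x", recalc=False)
    without_n = add_entry(parse_acl(JUNK), "group", "dev", "r-x")
    return after_chmod, with_n, without_n
```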
Table 5-5 HFS and JFS ACL Equivalents (continued)
HFS Name | JFS Equivalent
setaclentry(3C) | —none—
strtoacl(3C) | —none—
—none— | aclsort(3C)
acl(5) | aclv(5)
5.6 ACLs and NFS
The Network File System (NFS) has no facility to pass ACL information about remote files. Therefore, ACLs are not visible on remote files by NFS. The ls -l command will not show that ACLs exist on a remote file, but the ACL control over access permissions remains effective.
— Write protect all disk special files from general users to prevent inadvertent data corruption. Turn off write access for group and other.
— Read protect disk special files to prevent disclosure. Turn off read access for other.
file system if users can access the partition directly. If you do mount a partition as a file system, users could edit the underlying file system. Inform program users that the file's security is enforced by its permission settings rather than by the HP-UX file system. 5.9 Security Guidelines for Mounting and Unmounting File Systems The mount command enables you to attach removable file systems and disk or disk partitions to an existing file tree.
— Check all directories for privileged programs, and verify the identity of every program.
— Remount the system read and write permissions and remove any unnecessary setuid and setgid permissions from files that you discovered in the previous step.
These precautions are especially important if a user requests that you mount a personal file system. Only after performing these tests should you unmount the file system and remount it in its desired location.
5.10.2 Files Mounted in an NFS Environment
A Network File System (NFS) provides the following conveniences:
• Saves file space.
• Maintains consistent file usage.
• Provides a lean cooperative user environment.
NFS streamlines file sharing between server and client systems by controlling access via the /etc/exports file. Entries in /etc/exports provide permission to mount a file system existing on the server onto any client machine or specified list of machines.
The violator can then go to the client, log in as an ordinary user, and, using NFS, open up the newly created server-side device special file and use it for devious means.
5.10.2.3 How to Safeguard NFS-Mounted Files
Following are suggestions to safeguard NFS-mounted files:
• If possible, make sure that the same person administers both client and server systems.
• Maintain uniformity of user ID and group ID for server and client systems.
6 Compartments
This chapter describes the compartments feature of HP-UX 11i v3. This chapter addresses the following topics:
• Overview (Section 6.1)
• Planning the compartment structure (Section 6.2)
• Compartment components (Section 6.3)
• Compartment rules and syntax (Section 6.4)
• Configuring a compartment (Section 6.5)
• Troubleshooting compartments (Section 6.6)
• Using discover mode to generate initial compartment configuration (Section 6.7)
• Compartments in HP Serviceguard Clusters (Section 6.
various parts of the system. The compartments on the system are configured so that the processes can access the resources they need.
• The handler processes can communicate with the parent process, and with the recorder using IPC and signals.
• The network is isolated from the recorder and the parent process.
This compartment configuration provides security for the file system and the recorder. Both are isolated by their compartments. Though the handler processes can communicate with the network, the network cannot be accessed by the recorder or the parent process. 6.1.
option. Instead, keep the compartment configuration files together and easy to locate. • Develop a separate compartment configuration for each component of the system. Unless there is a defined, specific software dependency between two components, do not mix rules for different components. One component compartment does not contain rules referring to compartments for another component.
6.3.2 Compartment Commands
Table 6-2 contains the commands you use to manage compartments.
Table 6-2 Compartment Commands
Command | Description
cmpt_tune | Queries, enables, and disables the compartments feature.
setfilexsec | Sets security attributes of binary files, including the compartment attribute.
getfilexsec | Displays security attributes associated with binary executable files, including the compartment attribute.
Table 6-3 Compartment Manpages (continued)
Manpage | Description
compartments(4) | Describes the HP-UX compartments files.
pam_hpsec(5) | Extended authentication, account, password, and session service module for HP-UX.
6.4 Compartment Rules and Syntax
A compartment consists of a name and a set of rules. This section describes the four types of compartment rules:
• File system rules
• IPC rules
• Network rules
• Miscellaneous rules
Add rules to a rules file you create in the /etc/cmpt directory.
sealed compartment server_children {
    /* Deny all access to any file system objects ... */
    permission none /
}
NOTE: The INIT compartment name is not case sensitive. INIT, init, and Init are all treated as the same compartment by the system.
Compartment specifications are preprocessed with cpp before parsing begins. This is why you can use cpp directives such as #include, #define, and #ifdef, as well as C-style comments, to organize and document rules files. 6.4.
• unlink: Controls the ability to delete objects. This applies to directory objects only. This is inherited by all directories under the specified directory.
• nsearch: Controls the ability to search for an element if the file_object is a directory. This attribute is not inherited by subdirectories.
file_object  The full path name of the file or directory.
• Method  Specifies the method of communication this rule applies to. The options are:
compartment_name access the specified IPC mechanism in the current compartment.
  • access: Specifies a subject-centric rule. This rule allows processes in the current compartment to access the specified IPC mechanism in the compartment compartment_name.
  • pty: Specifies that the rule applies to pty used in interprocess communication.
  • fifo: Specifies that the rule applies to FIFOs.
For example:
/* allow the parent to send signals to children */
send signal server_children
6.4.4 Network Rules
Network rules govern access to network interfaces. Network rules also govern communication between processes that use INET domain communication (TCP/IP sockets and streams). The default behavior is to deny access to the network. Network endpoints are treated as objects labeled with the compartment of the process that creates them.
Protocol  Specifies the networking protocol that applies to this rule. The options are:
• tcp: This rule applies to the TCP protocol.
• udp: This rule applies to the UDP protocol.
• raw: This rule applies to any other protocol in the INET domain.
protonum  The protocol number specified for this rule. The protonum option is relevant only for raw specification.
(Optional) Specifies that this rule applies to a specific port. Identifies the port specified in this rule.
NOTE: For stricter security policies, configure network interfaces in separate compartments from those assigned to processes. Define rules for network access for each compartment accordingly. Equal compartments are always granted full access to one another.
The network interface rule syntax is as follows:
compartment compartment_name {
    interface interface_or_ip[,interface_or_ip][...]
}
where:
interface interface_or_ip[,interface_or_ip][...]  Specifies that this is an interface definition.
/* Disallow mount only. */
disallowed privileges none,mount
If privilege limitation rules are not specified for a compartment, the default privilege limitation is basicpolicy,mknod for every compartment except the INIT compartment. The INIT compartment default privilege limitation is none.
6.4.6 Example Rules File
An example rules file is located in /etc/cmpt/examples/sendmail.example.
6.5 Configuring Compartments
This section discusses the following topics:
• Activating compartments (Section 6.5.
TIP: Keep the backup files; this makes it easier to revert to a prior configuration. 6.5.2 Defining a Compartment Configuration You can create new compartments and modify existing compartments without rebooting the system. If you enable or disable the compartment feature, or completely remove a compartment, you must reboot the system. However, if you remove all rules associated with a compartment and all references to that compartment, you can leave the compartment on the system until the next reboot.
compartment names. If you change the name of a compartment, you must reconfigure any applications configured in that compartment as well.
NOTE: If you rename a compartment, you have essentially created a new compartment and removed the compartment with the old name. You must change all references so that they refer to the new compartment. The old compartment continues to exist on the system until a reboot. 6.5.
4. Use the following command to load rules into the kernel:
# setrules
Problem 3: Access to a file is not functioning properly.
Solution: If multiple hard links point to this file, the compartment rules configuration may contain inconsistent rules for accessing the file. To check for inconsistencies, follow these steps:
1. Execute the following command:
# vhardlinks
If the output shows an inconsistency, go on to step 2.
2. Modify the rules to remove the inconsistency.
6.8 Compartments in HP Serviceguard Clusters If you use compartments with HP Serviceguard, you must configure all Serviceguard daemons in the default INIT compartment. However, you can configure Serviceguard packages in other compartments. See the latest editions of Managing Serviceguard and Using Serviceguard Extension for RAC for daemons required in Serviceguard and Serviceguard extensions for Oracle Real Application Cluster (RAC). Serviceguard packages can belong to specific compartments.
NOTE: If a standby interface is configured in a compartment, running the setrules command applies this compartment to the standby interface even if it has been successfully switched from a primary interface. If the configured standby interface compartment does not match the primary interface compartment, the primary interface compartment is overwritten when you run setrules. This can cause security violations.
7 Fine-Grained Privileges
This chapter describes the fine-grained privileges feature of HP-UX 11i. This chapter addresses the following topics:
• Overview (Section 7.1)
• Fine-grained privileges components (Section 7.2)
• Available privileges (Section 7.3)
• Configuring applications with fine-grained privileges (Section 7.4)
• Security implications of fine-grained privileges (Section 7.5)
• Fine-grained privileges in HP Serviceguard Clusters (Section 7.
Table 7-1 Fine-Grained Privileges Commands
Command | Description
setfilexsec | Sets security attributes of binary files. The attributes include retained privileges, permitted privileges, compartment, and the privilege start flag.
getfilexsec | Displays security attributes associated with binary executable files. The attributes include retained privileges, permitted privileges, compartment, and security attribute flags.
getprocxsec | Displays security attributes associated with a running process.
Table 7-3 Available Privileges (continued)
Privilege | Description
PRIV_CHROOT | Allows a process to change its root directory.
PRIV_CHSUBJIDENT | Allows a process to change its UIDs, GIDs, and group lists. Also allows a process to leave the suid or sgid bits set on the file when the chown() system call is used.
PRIV_CMPTREAD | Allows a process to open a file or directory for reading, executing, or searching, bypassing compartment rules that otherwise would not permit these operations.
Table 7-3 Available Privileges (continued)
Privilege | Description
PRIV_NETPRIVPORT | Allows a process to bind to a privileged port. By default, port numbers 0-1023 are privileged ports.
PRIV_NETPROMISCUOUS | Allows a process to configure an interface to listen in promiscuous mode.
PRIV_NETRAWACCESS | Allows a process to access the raw internet network protocols.
PRIV_OBJSUID | Allows a process to set the suid or sgid bits on any file if the process has the OWNER privilege.
7.4 Configuring Applications with Fine-Grained Privileges
Applications that are written or modified to support fine-grained privileges are called privilege-aware applications. You must register privilege-aware applications using the setfilexsec command. Once registered, the security attributes associated with a binary file are stored in a configuration file and persist across reboots.
7.4.1 Privilege Model
Each process has three privilege sets associated with it:
• Permitted Privilege Set  The maximum set of privileges a process can raise. The process can drop any privilege from this set, but cannot add any privileges to this set. Privileges from this set can be added to the effective privilege set of the process.
• Effective Privilege Set  The set of currently active privileges for a process.
The following are compound privileges:
• BASIC  Basic privileges available to all processes by default. Processes may drop one or more privileges from this set.
• BASICROOT  Basic privileges and privileges that provide powers usually associated with UID=0.
• POLICY  Policy override privileges and policy configuration privileges. Policy override privileges override compartment rules. Policy configuration privileges control how privileges are configured.
7.7 Troubleshooting Fine-Grained Privileges If something is not working on the system and you suspect the problem is occurring because of fine-grained privileges, you can check the fine-grained privileges configuration as follows. Problem 1: Even though fine-grained privileges are assigned to a binary file, processes that use exec() to access the binary are not receiving the assigned fine-grained privileges. Solution: Check for one of the following situations.
Part III Protecting Identity
In modern-day global enterprise companies, managing identity is not an easy task, especially as identity management requirements grow to include employees, contractors, partners, and suppliers across many countries with various privacy protection laws and regulations. HP-UX 11i simplifies user authentication and access management, while auditing all privileged actions that take place.
8 HP-UX Role-Based Access Control
The information in this chapter describes HP-UX Role-Based Access Control (HP-UX RBAC). This chapter addresses the following topics:
• Overview (Section 8.1)
• Access control basics (Section 8.2)
• HP-UX RBAC components (Section 8.3)
• Planning the HP-UX RBAC deployment (Section 8.4)
• Configuring HP-UX RBAC (Section 8.5)
• Using HP-UX RBAC (Section 8.6)
• Troubleshooting HP-UX RBAC (Section 8.7)
8.
HP-UX RBAC offers the following features:
• Predefined configuration files specific to HP-UX, for a quick and easy deployment
• Flexible re-authentication via Pluggable Authentication Module (PAM), to allow restrictions on a per-command basis
• Integration with HP-UX audit system, to produce a single, unified audit trail
• Pluggable architecture for customizing access control decisions
8.
Table 8-1 Example of Authorizations Per User (continued)
Operation Component of Authorization | Users
hpux.network.nfs.config | •
hpux.fs.backup | • •
hpux.fs.restore | • •
NOTE: Table 8-1 shows only the operation element of the authorizations—not the object element of the authorizations. 8.2.
Table 8-2 Example of Authorizations Per Role (continued)
Operation Component of Authorization | Role
hpux.user.delete | • •
hpux.user.modify | • • •
hpux.user.password.modify |
hpux.network.nfs.start | • •
hpux.network.nfs.stop | • •
hpux.network.nfs.config | • •
hpux.fs.backup | • •
hpux.fs.restore | • •
NOTE: Table 8-2 shows only the operation element of the authorizations—not the object element of the authorization. 8.
SMH integration  RBAC System Management Homepage (SMH) integration to allow the graphical management of the RBAC databases through a Web interface.
The following sections discuss the HP-UX RBAC components in more detail. 8.3.
Table 8-3 HP-UX RBAC Configuration Files (continued)
Configuration File | Description
/etc/acps.conf | Configuration file for the ACPS.
/etc/rbac/aud_filter | Audit filter file identifying specific HP-UX RBAC roles, operations, and objects to audit.
8.3.3 HP-UX RBAC Commands
Table 8-4 lists and briefly describes the HP-UX RBAC commands.
Table 8-5 HP-UX RBAC Manpages (continued)
Manpage | Description
authadm(1m) | Describes authadm functionality and syntax.
cmdprivadm(1m) | Describes cmdprivadm functionality and syntax.
rbacdbchk(1m) | Describes rbacdbchk functionality and syntax.
privsh(5m) | Overview of various privileged system shells.
rbac.conf(4m) | Configuration file for Role Based Access Control.
key_filter(4m) | Configuration file for the keystroke logging module.
8.3.
Figure 8-1 HP-UX RBAC Architecture
[Figure: the privilege wrapper commands (privrun, privedit, cmdprivadm in /usr/sbin) and access-control-aware applications call the Access Control Policy Switch (ACPS) through its API; the ACPS SPI dispatches to the local RBAC ACPM or other policy modules, which consult the PAM service modules, the Name Service Switch, user information (for example /etc/passwd), the command and authorization privilege database, the user role database, and the role authorization database.]
Figure 8-2 Example Operation After Invoking privrun
[Figure: users map MANY:MANY to roles (/etc/rbac/user_role), roles map MANY:MANY to authorizations (/etc/rbac/role_auth), and each command maps to its authorization and privileges (/etc/rbac/cmd_priv); the user's shell process invokes privrun, which passes the command, arguments, and UID to the ACPS, then drops all but the defined privileges and executes the command with those privileges.]
1. A process, specifically a shell, associated with the user executes privrun with the goal of executing a target command with elevated privilege.
8.4.1 Planning the Roles Planning an appropriate set of roles for the users of a system is a critical first step in deploying HP-UX RBAC. In some enterprises, this set of roles already exists, and you can reuse it when configuring HP-UX RBAC. More commonly, you must design the roles based on the existing tasks associated with administrative users on the system.
# grep hpux.user. /etc/rbac/cmd_priv
/usr/sbin/pwgrd:dflt:(hpux.user.cache.admin,*):0/0// :dflt :dflt :dflt :
/usr/sbin/userdel:dflt:(hpux.user.delete,*):0/0// :dflt :dflt :dflt :
/usr/sbin/groupdel:dflt:(hpux.user.group.delete,*):0/0// :dflt :dflt :dflt :
/usr/sbin/useradd:dfl:(hpux.user.add,*):0/0//:dflt:dflt:dflt:
/usr/sbin/usermod:dflt:(hpux.user.modify,*):0/0// :dflt :dflt :dflt :
/usr/sbin/groupadd:dflt:(hpux.user.group.add,*):0/0// :dflt :dflt :dflt :
/usr/sbin/groupmod:dflt:(hpux.user.group.
— You cannot run privedit on a file that is restricted by a compartment definition.
— To provide a different application with fine-grained privileges, the privrun command must be running with those same privileges it wants to provide to the application. By default, privrun is configured to run with all privileges (see getfilexsec(1M) for more information). However, sometimes this default privilege set may be restricted.
Table 8-6 Example Planning Results
Users | Roles | Authorizations | Typical Commands (Note: Objects Assumed to Be *)
chandrika, rwang | UserOperator | hpux.user.*, hpux.security.* | /usr/sbin/useradd, /usr/sbin/usermod
bdurant, prajessh | NetworkOperator | hpux.network.* | /sbin/init.d/inetd
luman | Administrator | hpux.*, company.customauth | /opt/customcmd
8.5.1 Configuring Roles
Configuring roles for users is a two-step process:
1. Create roles.
2. Assign roles to users or groups.
8.5.1.
NOTE: See the roleadm(1m) manpage for more information.
Following are two examples of the roleadm command adding new roles:
# roleadm add UserOperator
roleadm: added role UserOperator
# roleadm add NetworkOperator
roleadm: added role NetworkOperator
NOTE: The default configuration files delivered with HP-UX RBAC contain a single preconfigured role: Administrator. By default, the Administrator role is assigned all HP-UX system authorizations (hpux.*, *) and is associated with the root user.
NOTE: HP-UX RBAC offers the ability to add a special user named DEFAULT to the /etc/rbac/user_role database. Assigning a role to the DEFAULT user means any user that does not exist on the system is assigned that role. 8.5.1.3 Assigning Roles to Groups HP-UX RBAC also enables you to assign roles to groups. You can use the roleadm command options that use the user value, such as roleadm assign user role and roleadm revoke user role to administer groups and roles.
| revoke [role=name][operation=name[object=name]]
| list [role=name][operation=name[object=name][sys]
The following is a list and brief description of the authadm command arguments:
add  Adds an authorization to the system list of valid authorizations in /etc/rbac/auths.
delete  Deletes an authorization from the system list of valid authorizations in /etc/rbac/auths.
assign  Assigns an authorization to a role and adds an entry to /etc/rbac/role_auth.
revoke
list
        |[privs=comma_separated_privilege_list]
        |[re-auth=pam_service_name]
        |[flags=comma_separated_flags_list]

cmdprivadm delete cmd=full_path_name_of_a_command | full_path_name_of_a_file
        |[op=operation]|[object=object]
        |[ruid=ruid]|[euid=euid]
        |[rgid=rgid]|[egid=egid]
        |[compartment=compartment_label]
        |[privs=comma_separated_privilege_list]
        |[re-auth=pam_service_name]
        |[flags=comma_separated_flags_list]

The following is a list and brief description of the two main cmdprivadm command arguments:

add      Adds co
delete
NOTE: See cmdprivadm(1M) for information on all of the cmdprivadm arguments. Most arguments are optional and are filled in with reasonable defaults if nothing is specified. NOTE: To modify an existing entry in the /etc/rbac/cmd_priv file, you must first delete the entry and then add the updated version back in. When you use cmdprivadm to delete entries, arguments act as filters. For example, specifying the cmdprivadm delete op=foo command removes all entries where the operation is foo.
example cmdprivadm command that configures the /etc/mount command to run with the BASICROOT compound privilege and that requires the (hpux.adm.mount, *) authorization:

# cmdprivadm add cmd=/etc/mount op=hpux.adm.
NOTE: The privrun -p MOUNT /etc/mount command matches the BASICROOT privilege because the MOUNT simple privilege is part of the predefined BASICROOT compound privilege. See the privileges(5) manpage for more information about simple and compound privileges. IMPORTANT: The sequence of the entries in /etc/rbac/cmd_priv is important because privrun will execute according to the first explicit match it finds.
NOTE: Use only the cmdprivadm command to configure compartments for commands. Do not edit the /etc/rbac/cmd_priv database file without using cmdprivadm. To modify an existing entry in the /etc/rbac/cmd_priv file, you must first delete the entry and then add the updated version back in. When you use cmdprivadm to delete entries, arguments act as filters. For example, specifying the cmdprivadm delete op=foo command removes all entries in which the operation is foo.
-U   Matches only those entries containing the real user ID (RUID) corresponding to the specified RUID or the RUID associated with the username.
-G   Matches only those entries containing the real group ID (RGID) corresponding to the specified RGID or the RGID associated with the group name.
-a   Matches only those entries requiring the specified authorization. An authorization is defined as an (operation, object) pair in the /etc/rbac/cmd_priv database file.
-c
-p
-x
-v
-h
-t
sequentially through the /etc/rbac/cmd_priv database, executing the first command the user is authorized for. In some cases, this may not be ideal. For example, all users may be allowed to run the passwd command to change their own password but if a user administrator runs it, they need the privileges to change other users' passwords.
NOTE: When you use privedit to invoke an editor to edit a file, the editor does not run with any elevated privileges. Because the editor privedit invokes does not run with elevated privileges, any attempted actions, such as shell escapes, run with the user's typical (non-elevated) privilege set. You can specify which editor privedit uses to edit the file by setting the EDITOR environment variable. If you do not set the EDITOR variable, privedit uses the default editor, vi.
NOTE: Remember that the flag values for each entry in the cmd_priv database dictate whether or not privedit can edit a file. See “Configuring Additional Command Authorizations and Privileges” and the privedit(1M) manpage for more information about flags and using the privedit command. 8.6.3 Customizing privrun and privedit Using the ACPS The HP-UX RBAC feature provides the ability to customize how privedit and privrun check user authorizations.
1. Create an entry (or entries) in the PAM configuration file (/etc/pam.conf) including the keystroke library as a session module:

   login    session  optional  libpam_keystroke.so.1
   dtlogin  session  optional  libpam_keystroke.so.1
   sshd     session  optional  libpam_keystroke.so.1
   rcomds   session  optional  libpam_keystroke.so.1
   OTHER    session  optional  libpam_keystroke.so.1

2. Note that this module may be configured for one or more services, depending on the intended effect of the logging. For more information on pam.
8.7.1 The rbacdbchk Database Syntax Tool The most common bugs are caused by manual editing of the HP-UX RBAC databases, resulting in syntactically invalid configurations or in configurations that are inconsistent between databases (for example, a role in /etc/rbac/user_role that is not defined in /etc/rbac/roles). To assist in diagnosing these common mistakes, HP-UX RBAC includes an rbacdbchk command.
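Two of the rules above are easy to get wrong by hand: privrun takes the first explicit match it finds in /etc/rbac/cmd_priv, so the sequence of entries decides which privileges a user gets, and a role referenced in /etc/rbac/user_role but never defined in /etc/rbac/roles is exactly the kind of inconsistency rbacdbchk exists to report. The POSIX shell script below replays both rules. It is an added example and not code from this manual or from HP-UX RBAC: it uses simplified, assumed field layouts for the four databases (the real files carry more fields; see their manpages), builds constructed copies of them in a temporary directory, reuses the users from Table 8-6, and invents the authorizations hpux.user.password and hpux.user.password.self, the BasicUser role and the user guest for the illustration. The DEFAULT handling follows the note in Section 8.5.1 (the DEFAULT entry applies to a user with no entry of its own).

```sh
#!/bin/sh
# Added example, not HP-UX code. Builds constructed RBAC databases in a temp
# directory, then (1) looks for roles that user_role or role_auth use but
# roles never defines (the mistake rbacdbchk reports) and (2) replays
# privrun's "first explicit match in cmd_priv" rule.
# Simplified, assumed field layouts (the real files have more fields):
#   roles: role:comment    user_role: user:role (DEFAULT = user with no entry)
#   role_auth: role:operation:object    cmd_priv: command:operation:object:euid:privs
set -f   # authorization strings contain "*"; never let the shell glob them
RBAC_DIR=$(mktemp -d)
trap 'rm -rf "$RBAC_DIR"' EXIT
make_rbac_dbs() {
  cat > "$RBAC_DIR/roles" <<'EOF'
Administrator:System administrator
UserOperator:Manages user accounts
BasicUser:Constructed role for every login user
EOF
  # bdurant is given NetworkOperator, which nobody has defined in roles.
  cat > "$RBAC_DIR/user_role" <<'EOF'
root:Administrator
chandrika:UserOperator
bdurant:NetworkOperator
DEFAULT:BasicUser
EOF
  cat > "$RBAC_DIR/role_auth" <<'EOF'
Administrator:hpux.*:*
UserOperator:hpux.user.*:*
NetworkOperator:hpux.network.*:*
BasicUser:hpux.user.password.self:*
EOF
  # Correct order: the entry needing the user-administration authorization
  # precedes the entry every user qualifies for (authorization names constructed).
  cat > "$RBAC_DIR/cmd_priv" <<'EOF'
/usr/bin/passwd:hpux.user.password:*:0:BASICROOT
/usr/bin/passwd:hpux.user.password.self:*:0:none
/etc/mount:hpux.adm.mount:*:0:BASICROOT
EOF
  # Same entries, wrong order.
  cat > "$RBAC_DIR/cmd_priv.badorder" <<'EOF'
/usr/bin/passwd:hpux.user.password.self:*:0:none
/usr/bin/passwd:hpux.user.password:*:0:BASICROOT
/etc/mount:hpux.adm.mount:*:0:BASICROOT
EOF
}
# Print each role referenced by user_role or role_auth that roles does not define.
check_roles_defined() {
  awk -F: '
    FNR == 1  { file++ }
    file == 1 { defined[$1] = 1; next }
    { role = (file == 2) ? $2 : $1
      if (!(role in defined) && !seen[role]++) print role }
  ' "$RBAC_DIR/roles" "$RBAC_DIR/user_role" "$RBAC_DIR/role_auth"
}
# Roles of a user: its own entries, or DEFAULT's entries if it has none.
roles_for() {
  awk -F: -v u="$1" '
    $1 == u         { print $2; found = 1 }
    $1 == "DEFAULT" { dflt[n++] = $2 }
    END { if (!found) for (i = 0; i < n; i++) print dflt[i] }
  ' "$RBAC_DIR/user_role"
}
# auth_covers PATTERN NAME: "*" covers anything, "hpux.user.*" covers every
# name starting with "hpux.user.", anything else must match exactly.
auth_covers() {
  case "$1" in
    '*')   return 0 ;;
    *'.*') case "$2" in "${1%\*}"*) return 0 ;; esac ;;
  esac
  [ "$1" = "$2" ]
}
# user_authorized USER OPERATION OBJECT: true if one of the user's roles grants it.
user_authorized() {
  for role in $(roles_for "$1"); do
    for pair in $(awk -F: -v r="$role" '$1 == r { print $2 ":" $3 }' "$RBAC_DIR/role_auth"); do
      if auth_covers "${pair%%:*}" "$2" && auth_covers "${pair#*:}" "$3"; then
        return 0
      fi
    done
  done
  return 1
}
# first_match USER COMMAND CMD_PRIV_FILE: walk the file top to bottom and report
# the first entry for COMMAND whose authorization USER holds, as privrun does.
first_match() {
  while IFS=: read -r cmd op obj euid privs; do
    [ "$cmd" = "$2" ] || continue
    if user_authorized "$1" "$op" "$obj"; then
      echo "$op privs=$privs"
      return 0
    fi
  done < "$3"
  echo "no entry"
  return 1
}
make_rbac_dbs
echo "roles used but not defined: $(check_roles_defined)"
echo "chandrika, correct order: $(first_match chandrika /usr/bin/passwd "$RBAC_DIR/cmd_priv")"
echo "chandrika, wrong order:   $(first_match chandrika /usr/bin/passwd "$RBAC_DIR/cmd_priv.badorder")"
```

The wrong-order file shows why the sequence warning in Section 8.6 matters: with the catch-all passwd entry first, chandrika, whose UserOperator role covers hpux.user.*, is authorized for that entry too, so privrun stops there and she never reaches the entry that carries BASICROOT. Because cmdprivadm appends entries, adding the specific entry later than the general one produces exactly this ordering.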
9 Audit Administration The purpose of auditing is to selectively record events for analysis and detection of security breaches. The audit data is recorded in log files. Thus, the auditing system acts as a deterrent against system abuses and exposes potential security weaknesses.
• Self-auditing (Section 9.10)
• HP-UX RBAC auditing (Section 9.11)

9.1 Auditing Components

The auditing feature of HP-UX 11i contains configuration files, commands, and manpages. These are listed in the following sections.

9.1.1 Commands

Table 9-1 contains a brief description of each auditing command.

Table 9-1 Audit Commands

Command     Description
audevent    Changes or displays event or system call status.
audfilter   Loads, clears, and displays the audit filtering policy.
9.1.3 Audit Manpages

Table 9-3 contains a brief description of each manpage associated with the auditing feature.

Table 9-3 Audit Manpages

Manpage         Description
audevent(1M)    Describes audevent functionality and syntax.
audisp(1M)      Describes audisp functionality and syntax.
audomon(1M)     Describes audomon functionality and syntax.
audsys(1M)      Describes audsys functionality and syntax.
userdbset(1M)   Describes userdbset functionality and syntax.
audit.conf(4)   Describes the /etc/audit/audit.conf file.
1. Determine which users to audit. By default, all users are selected for auditing.
2. Determine which events or system calls to audit. Use the audevent command to display a list of events and system calls that are currently selected for auditing. Events and system calls can be grouped into profiles. For more information on profiles, see Section 9.4.
3. Decide where you want to place the audit log files (audit trails) on the system.
4.
   c. Set SEC_AUDFILE to the name of the auxiliary log file.
   d. Set SEC_SWITCH to the maximum size of the secondary audit log file (in KB).

   For more information about setting up primary and auxiliary audit log files, see Section 9.5.

6. Start the audomon daemon if it has not yet been started. The audomon daemon monitors the growth of the current audit trail and switches to an alternative audit trail whenever necessary. For example:

   # audomon -p 20 -t 1 -w 90 -X "/usr/local/bin/rcp_audit_trail hostname"

7.
8.
# audsys -f

The audsys -f command lets you stop system auditing while keeping the audomon daemon running.

4. (Optional) Set the AUDITING flag to 0 (AUDITING=0) in the /etc/rc.config.d/auditing file to keep the auditing system from starting at the next system reboot.

9.2.5 Performance Considerations

Auditing increases system overhead. When performance is a concern, be selective about which events and users are audited. This reduces the impact of auditing on performance.

9.2.
command userdbset -u AUDIT_FLAG=1 or userdbset -d -u AUDIT_FLAG for each of those users. By default, auditing is enabled for all users when the audit system is turned on. New users added to the system are automatically audited. If auditing is turned off for all users, set AUDIT_FLAG=1 in the /etc/default/security file.

• Do not audit any users. Perform the following steps to disable auditing for all users:

1.
self-auditing events, and system calls) that affect a particular type of system. An event category consists of a set of operations (self-auditing events and system calls) that affect a particular aspect of the system. Once an event category or a profile is selected, all system calls and self-auditing events associated with the event category or profile are selected. When the auditing system is installed, a default set of event classification information is provided in the /etc/audit/audit.conf file.
To configure the events associated with the basic profile for auditing, use the following command: # audevent -P -F -r basic Both Audit Success and Audit Failure are set as event types for monitoring successful and failed events or system calls. Monitoring these three event categories is the minimum event type selection recommended for running a system. Generally, a record is written only if both the event is selected for auditing, and the user initiating the event has been selected for auditing.
NOTE:
1. With HP-UX 11i version 3, an auxiliary audit trail does not need to be specified; the auditing system switches audit trails automatically.
2. If autoswitching fails and the current audit trail continues to grow past the FSS point, all auditable actions are suspended for regular users. The system can be restored by archiving the audit data or by specifying a new audit log file on a file system with free space.
3.
9.5.2 Monitoring and Managing Audit Trails

The audit overflow monitor daemon (audomon) is used to monitor and manage audit trails. The audomon daemon is started automatically when auditing is started at system boot time (AUDITING=1 in /etc/rc.config.d/auditing, which the /sbin/init.d/auditing startup script reads). The audomon daemon can also be started by a privileged user. Once started, the audomon daemon monitors the capacity of the current audit trail and of the file system it resides on.
-t sp_freq   The minimum wakeup interval, in minutes, at which the system prints warning messages on the console for audit log file switch points. The default sp_freq value is 1 minute.
-w warning   The percentage of audit log file space used, or of minimum file system free space used, after which warning messages are sent to the console. The default warning value is 90%.
-X command   The command is executed each time audomon switches the audit trail.

For more information, see audomon(1M).

9.
-P          Displays the audit filtering policy in preview mode as specified in the /etc/audit/filter.conf file. This option parses the /etc/audit/filter.conf file, checking for syntax and semantic errors, but makes no changes to the system. The rules are not displayed the way they are written, but in the order in which they will be evaluated (that is, in the internal format).
-s syscall  Restricts the display to the given system call. This option must be used with the -p or -P option.
-z
• An Audit DPMS service module, audit_hpux_raw, that reads raw audit data collected by the HP-UX auditing system.
• An Audit DPMS service module, audit_hpux_portable, that handles audit data that is portable across HP-UX systems and suitable for retention. Also a sample script, audit_p2l, that demonstrates how to convert the portable data into syslog-like messages.
• An Audit DPMS service module, audit_hpux_xml, that converts audit data into XML format.
-m module
-n nevents
-o options
-p [source]
-r [source]
-s filter_string

Read audit data from the source using the specified Audit DPMS service module. The source is the pathname of the file from which to read the data. If the source is omitted, auditdp reads the audit data from standard input. The nevents value specifies the number of events to display: if nevents is positive, only the first nevents events are processed; if nevents is negative, only the last nevents events are processed.
# auditdp -p portable -P portable2 -s "+event=login"

• Extract exec events from a particular session and write them to stdout:

# auditdp -r /var/.audit/audit_trail -s "+sid=1234" -P | \
    auditdp -p -s "+event=exec"

or

# auditdp -r /var/.audit/audit_trail -s "+sid=1234;+event=exec"

9.9 Viewing Audit Logs

Auditing can generate a significant amount of data. Use the audisp command to select the data that you want to view:

# /usr/sbin/audisp audit_trail

NOTE: The audisp command will be obsolete in a future release.
9.9.
init          Change run levels, users logging off
lpsched       Schedule line printer requests
fbackup       Flexible file backup
ftpd          File transfer protocol daemon
remshd        Remote shell server daemon
rlogind       Remote login server daemon
telnetd       Telnet server daemon
privrun       Invokes legacy application (1)
privedit      Allows authorized users to edit files (1)
roleadm       Edits role information (1)
authadm       Edits authorization information (1)
cmdprivadm    Edits command authorizations and privileges
specified in a single entry. Only one authorization can be specified per role on each line; however, the * wildcard is supported. The following is the supported entry format for the /etc/rbac/aud_filter file:

role, operation, object

The following list explains each of the /etc/rbac/aud_filter entries:

role        Any valid role defined in /etc/rbac/roles. If * is specified, all roles can be accessed by the operation.
operation   A specific operation that can be performed on an object.
object
NOTE: For more information, see audit(5), audevent(1M), audsys(1M), and audisp(1M) to learn more about auditing HP-UX systems.
A Trusted Systems

This appendix describes how to set up and manage a trusted system. This appendix discusses the following topics:

• Setting up a trusted system (Section A.1)
• Auditing a trusted system (Section A.2)
• Managing trusted passwords and system access (Section A.3)
• Guidelines for trusted backup and recovery (Section A.4)

NOTE: Trusted Systems has been deprecated. HP-UX 11i v3 is the last release that supports this product.

A.
5.
6.

starts a new login session. See Chapter 9 for more information about audit tags.

• Turns on the audit flag for all existing users.
• Converts the at, batch, and crontab input files to use the submitter's audit ID.

Verify that the audit files are on the system:

1. Use swlist -l fileset to list the installed filesets. Look for the fileset called SecurityMon, which contains the auditing program files. To reduce the listing, enter the following command:

   # swlist -l fileset | grep Security

2.
to compromise when used, stored, or known, passwords must be kept secret at all times. Also see Chapter 2 for password information. Security Administrator's Responsibilities The security administrator and every user on the system must share responsibility for password security. The security administrator performs the following security tasks: • Generates temporary passwords for new users. This password must be used for first login.
A.3.1.1 The /etc/passwd File A trusted system uses the /etc/passwd file to identify a user at login time. The file contains an entry for every account on the HP-UX system. Each entry consists of seven fields, separated by colons. A typical entry for /etc/passwd in a trusted system looks like this: robin:*:102:99:Robin Hood,Rm 3,x9876,408-555-1234:/home/robin:/usr/bin/sh The fields contain the following information (listed in order), separated by colons: 1.
• Minimum time between password change
• Password maximum length
• Password expiration time, after which the password must be changed
• Password lifetime, after which the account is locked
• Time of last successful and unsuccessful password changes
• Absolute time (date) when the account will expire
• Maximum time allowed between logins before the account is locked
• Number of days before expiration when a warning will appear
• Whether passwords are user-generated or system-generated
• Passwo
Minimum time      The minimum time required between password changes. This prevents a user from changing the password and then immediately changing it back to avoid memorizing a new one.
Expiration time   A time after which a user must change that password at login.
Warning time      The time before expiration when a warning will be issued.
Lifetime          The time at which the account associated with the password is locked if the password is not changed.
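The four aging values interact, and the order in which a login evaluates them decides what the user sees: an account past its lifetime is locked even though its password is also past expiration, and the warning window is measured back from the expiration time, not from the last change. The POSIX shell script below works through that evaluation. It is an added example, not code from this manual or from the trusted-system software; it assumes every value is expressed in days (the trusted-system databases store these fields differently) and the policy it uses is constructed.

```sh
#!/bin/sh
# Added example, not part of the HP-UX manual or of the trusted-system
# software. All values are days (an assumption for readability; the
# trusted-system databases store them differently).

# password_state AGE EXPIRE WARN LIFETIME
#   AGE      days since the password was last changed
#   EXPIRE   days after a change when the user must change it at login
#   WARN     days before expiration when a warning is issued
#   LIFETIME days after a change when the account is locked
# Prints one word: locked, expired, warning or ok. Lifetime is tested first,
# so an account past its lifetime reports locked, not expired.
password_state() {
  age=$1 expire=$2 warn=$3 lifetime=$4
  if [ "$age" -ge "$lifetime" ]; then
    echo locked
  elif [ "$age" -ge "$expire" ]; then
    echo expired
  elif [ "$age" -ge $((expire - warn)) ]; then
    echo warning
  else
    echo ok
  fi
}

# change_allowed AGE MIN: succeeds only once the minimum time between changes
# has elapsed, the check that stops a user changing a password and changing
# it straight back.
change_allowed() {
  [ "$1" -ge "$2" ]
}

# Constructed policy: change at most every 7 days, expire after 90,
# warn 14 days ahead, lock after 120.
for age in 3 76 95 130; do
  echo "age $age days: $(password_state "$age" 90 14 120)"
done
```

With that policy the warning starts on day 76 (90 minus 14), a password changed 90 or more days ago must be replaced at the next login, and from day 120 the account is locked rather than merely expired, which is the case an administrator has to unlock by hand.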
Terminal login information on a trusted system is stored in the terminal control database, /tcb/files/ttys, which provides the following data for each terminal:

• Device name
• User ID of the last user to successfully log into the terminal
• Last successful login time to the terminal
• Last unsuccessful login time to the terminal
• Number of consecutive unsuccessful logins before the terminal is locked
• Terminal lock flag

Only superusers can access these trusted system databases and can set the entries using H
• Perform daily incremental and full weekly backups. Synchronize the backup schedule with the information flow in the organization. For example, if a major database is updated every Friday, you might want to schedule the weekly backup on Friday evenings. • If all files must be backed up on schedule, request that all users log off before you perform the backup. However, fbackup warns you if a file is changing while the backup is being performed.
B Other Security Products This appendix refers to the following additional security products, which are available for HP-UX: • “HP-UX AAA Server (RADIUS)” (page 193) • “HP-UX Bastille” (page 193) • “HP-UX Directory Server” (page 194) • “HP-UX Encrypted Volume and File System (EVFS)” (page 194) • “HP-UX HIDS” (page 194) • “HP-UX IPFilter” (page 195) • “HP-UX IPSec” (page 195) • “HP-UX LDAP-UX Integration” (page 195) • “HP-UX Secure Resource Partitions (SRP)” (page 196) • “HP-UX Secure Shell ” (page 196) • “H
B.3 HP-UX Directory Server A global directory service, HP-UX Directory Server (HPDS) provides an industry-standard, centralized directory service on which to build your intranet or extranet. Your HP-UX servers and other directory-enabled applications use the directory server as a common, network-accessible location for storing shared data such as user and group identification, server identification, and access control information.
• Provides continuous protection against both existing attack scenarios and unknown scenarios unlike other intrusion detection systems. It detects intrusions by using detection templates. Detection templates are the building blocks used to identify the basic types of unauthorized system activity or security attacks frequently found on enterprise networks. • Provides notification in the event of suspicious activity that might precede an attack.
groups (role-based membership), command-line and GUI-based (through HP SMH) user and group management, host and ssh key management, off-line mode, and more. For more information, see the HP-UX LDAP-UX Integration Software documentation: http://www.hp.com/go/hpux-security-docs Click HP-UX LDAP-UX Integration Software. B.
operations. By cryptographic wrapping, private keys can be rendered usable only on a specific platform with a specific embedded TPM. This is useful for ensuring against unauthorized use of private keys on platforms other than those intended by the key owners. A TCS-generated key is effectively restricted for use on a single platform. The TCS package provides an extensive set of library functions for application development.
Glossary 3DES Triple Data Encryption Standard. A symmetric key block encryption algorithm that encrypts data three times, using a different 56-bit key each time (168 bits used for keys). 3DES is suitable for bulk data encryption. AAA server Authentication, Authorization, and Accounting server. An AAA server provides authentication, authorization, and accounting services of user network access at the entry points to a network.
certificate A security certificate associates (or binds) a public key with a principal—a particular person, system, device, or other entity. The security certificate is issued by an entity, in whom users have put their trust, called a Certificate Authority (CA), which guarantees or confirms the identity of the holder (person, device, or other entity) of the corresponding private key.
DES Data Encryption Standard. Uses a 56-bit key for symmetric key block encryption. DES is no longer considered secure: its 56-bit key space is small enough to be searched exhaustively, and data encrypted with DES has been recovered by third parties. Diameter Base A protocol that provides authentication, authorization, and accounting (AAA) services based on the RADIUS protocol. The Diameter protocol provides the same functionality as RADIUS, with improved reliability, security and infrastructure. See also RADIUS.
HMAC Hash-based (keyed-hash) Message Authentication Code. A MAC computed from a cryptographic hash function and a secret key. See also MAC. IKE The Internet Key Exchange (IKE) protocol is part of the IPsec protocol suite. IKE is used before the IPsec ESP or AH protocol exchanges to determine which encryption and/or authentication services will be used. IKE also manages the distribution and update of the symmetric (shared) encryption keys used by ESP and AH. See also ESP and AH. IPSec policy IPSec policies specify the rules according to which data is transferred securely.
other packet fields, such as IPv6 header types, upper-layer message types (for example, ICMP message types), and TCP connection states. PAM Pluggable Authentication Module. An authentication framework that allows system administrators to configure services for authentication, account management, session management, and password management for HP-UX utilities, such as the system login utility.
Role-Based Access Control See RBAC. RSA Rivest, Shamir, and Adleman. Public-private key cryptosystem that can be used for privacy (encryption) and authentication (signatures). For encryption, system A sends data encrypted with system B's public key. Only system B's private key can decrypt the data. For authentication, system A sends data with a digital signature, a digest (hash) of the data signed with system A's private key, which any holder of system A's public key can verify.
third-party attack In a third-party attack, the attacker intercepts packets between two attacked parties, A and B. A and B assume they are exchanging messages with each other, but are exchanging messages with the third party. The attacker assumes the identity of A to exchange messages with B, and assumes the identity of B to exchange messages with A. Also referred to as a man-in-the-middle attack. transitive trust relationship Extending a trust relationship through other trusted entities.