HP-UX System Administrator's Guide: Security Management HP-UX 11i v3 (B3921-90020, September 2010)
Table Of Contents
- About this Document
- Part I Protecting Systems
- 1 Installing the HP-UX Operating Environment Securely
- 1.1 Installation Security Considerations
- 1.2 Preventing Security Breaches During the Boot Process
- 1.3 Enable Login Security for root
- 1.4 Using Boot Authentication to Prevent Unauthorized Access
- 1.5 Setting Install-Time Security Options
- 1.6 Installing Security Patches
- 1.7 Postinstallation Security Tips for Backup and Recovery
- 2 Administering User and System Security
- 2.1 Managing User Access
- 2.2 Authenticating Users During Login
- 2.3 Authenticating Users with PAM
- 2.4 Managing Passwords
- 2.4.1 System Administrator Responsibilities
- 2.4.2 User Responsibilities
- 2.4.3 Criteria of a Good Password
- 2.4.4 Changing the /etc/passwd Password File
- 2.4.5 The /etc/shadow Shadow Password File
- 2.4.6 Eliminating Pseudo-Accounts and Protecting Key Subsystems in /etc/passwd
- 2.4.7 Secure Login with HP-UX Secure Shell
- 2.4.8 Securing Passwords Stored in NIS
- 2.4.9 Securing Passwords Stored in LDAP Directory Server
- 2.5 Defining System Security Attributes
- 2.6 Handling setuid and setgid Programs
- 2.7 Preventing Stack Buffer Overflow Attacks
- 2.8 Protecting Unattended Terminals and Workstations
- 2.9 Protecting Against System Access by Remote Devices
- 2.10 Securing Login Banners
- 2.11 Protecting the root Account
- 3 HP-UX Standard Mode Security Extensions
- 4 Remote Access Security Administration
- 4.1 Overview of Internet Services and Remote Access Services
- 4.2 The inetd Daemon
- 4.3 Protection Against Spoofing with TCP Wrappers
- 4.4 Secure Internet Services
- 4.5 Controlling an Administrative Domain
- 4.6 Securing Remote Sessions Using HP-UX Secure Shell (SSH)
- 4.6.1 Key Security Features of HP-UX Secure Shell
- 4.6.2 Software Components of HP-UX Secure Shell
- 4.6.3 Running HP-UX Secure Shell
- 4.6.4 HP-UX Secure Shell Privilege Separation
- 4.6.5 HP-UX Secure Shell Authentication
- 4.6.6 Communication Protocols
- 4.6.7 HP-UX Secure Shell and the HP-UX System
- 4.6.8 Associated Technologies
- 4.6.9 Strong Random Number Generator Requirement
- 4.6.10 TCP Wrappers Support
- 4.6.11 chroot Directory Jail
- Part II Protecting Data
- 5 File System Security
- 5.1 Controlling File Access
- 5.2 Setting Access Control Lists
- 5.3 Using HFS ACLs
- 5.4 Using JFS ACLs
- 5.4.1 Definition of a JFS ACL
- 5.4.2 How the System Generates a JFS ACL
- 5.4.3 Minimal JFS ACL
- 5.4.4 Additional JFS ACL user and group Entries
- 5.4.5 JFS ACL group and class Entries
- 5.4.6 Using the setacl and getacl Commands
- 5.4.7 Effect of chmod on class Entries
- 5.4.8 Example of Changing a Minimal JFS ACL
- 5.4.9 Default JFS ACLs
- 5.4.10 Changing JFS ACL with the setacl Command
- 5.5 Comparison of JFS and HFS ACLs
- 5.6 ACLs and NFS
- 5.7 Security Considerations for /dev Device Special Files
- 5.8 Protecting Disk Partitions and Logical Volumes
- 5.9 Security Guidelines for Mounting and Unmounting File Systems
- 5.10 Controlling File Security on a Network
- 6 Compartments
- 7 Fine-Grained Privileges
- Part III Protecting Identity
- 8 HP-UX Role-Based Access Control
- 8.1 Overview
- 8.2 Access Control Basics
- 8.3 HP-UX RBAC Components
- 8.4 Planning the HP-UX RBAC Deployment
- 8.5 Configuring HP-UX RBAC
- 8.6 Using HP-UX RBAC
- 8.7 Troubleshooting HP-UX RBAC
- 9 Audit Administration
- A Trusted Systems
- B Other Security Products
- B.1 HP-UX AAA Server (RADIUS)
- B.2 HP-UX Bastille
- B.3 HP-UX Directory Server
- B.4 HP-UX Encrypted Volume and File System (EVFS)
- B.5 HP-UX HIDS
- B.6 HP-UX IPFilter
- B.7 HP-UX IPSec
- B.8 HP-UX LDAP-UX Integration
- B.9 HP-UX Secure Resource Partitions (SRP)
- B.10 HP-UX Secure Shell
- B.11 HP-UX Trusted Computing Services
- B.12 Security Patches
- Glossary
- Index

Glossary
3DES Triple Data Encryption Standard. A symmetric key block encryption algorithm that encrypts data
three times, using a different 56-bit key each time (168 bits used for keys). 3DES is suitable for
bulk data encryption.
AAA server Authentication, Authorization, and Accounting server. An AAA server provides authentication,
authorization, and accounting services of user network access at the entry points to a network.
HP-UX provides AAA servers based on the RADIUS protocol and Diameter Base protocol.
ACL Access Control List. A list or database that defines what resources users or other principals can
access, and the type of access allowed.
AES Advanced Encryption Standard. A symmetric key block encryption algorithm. HP-UX IPSec
supports AES with a 128-bit key. AES is suitable for bulk data encryption.
AH Authentication Header. The AH provides data integrity and system-level authentication, and can
provide antireplay protection. AH is part of the IPsec protocol suite.
asymmetric key cryptography See public key cryptography.
auditing The selective recording of events for the analysis and detection of security breaches. The HP-UX
auditing system provides a mechanism to audit users and processes.
authentication The process of verifying the identity of a subject (a user, host, device or other entity in a computer
network). Authentication is often a prerequisite to allowing access to resources in a system.
Alternatively, the process of verifying the integrity of data, or the identity of the party that sent
data.
Authentication Header See AH.
authorization The process of evaluating access control information and determining if a subject (a user, host,
device, or other entity in a computer network) is allowed to perform an operation on a particular
resource, or object. Authorization is typically performed after a subject's identity is authenticated.
In the context of RBAC, authorization specifically refers to the pairing of an operation with an
object, and is also referred to as permission. See RBAC.
Bastille HP-UX Bastille is a system hardening and reporting program that enhances the security of the
HP-UX operating system by consolidating essential hardening and lock-down checklists from
industry and government security organizations, and making them accessible to administrators
in an easy-to-use package.
bastion host A computer system that protects an internal network from intruders. See also firewall and hardened
system.
buffer overflow attack A method to attack a system by causing process errors, or by causing a process to execute malicious
code. This is typically achieved by overflowing an input buffer in the stack. This causes a memory
violation or other error that causes the process to terminate, or causes the process to execute
malicious code. See also stack buffer overflow attack.
CA Certificate Authority. A trusted third party that authenticates users and issues certificates. In
addition to establishing trust in the binding between a user's public key and other security-related
information in a certificate, the CA digitally signs the certificate information using its private key.