HP-UX System Administrator's Guide: Security Management HP-UX 11i v3 (B3921-90020, September 2010)
Table Of Contents
- HP-UX System Administrator's Guide: Security Management
- Table of Contents
- About this Document
- Part I Protecting Systems
- 1 Installing the HP-UX Operating Environment Securely
- 1.1 Installation Security Considerations
- 1.2 Preventing Security Breaches During the Boot Process
- 1.3 Enable Login Security for root
- 1.4 Using Boot Authentication to Prevent Unauthorized Access
- 1.5 Setting Install-Time Security Options
- 1.6 Installing Security Patches
- 1.7 Postinstallation Security Tips for Backup and Recovery
- 2 Administering User and System Security
- 2.1 Managing User Access
- 2.2 Authenticating Users During Login
- 2.3 Authenticating Users with PAM
- 2.4 Managing Passwords
- 2.4.1 System Administrator Responsibilities
- 2.4.2 User Responsibilities
- 2.4.3 Criteria of a Good Password
- 2.4.4 Changing the /etc/passwd Password File
- 2.4.5 The /etc/shadow Shadow Password File
- 2.4.6 Eliminating Pseudo-Accounts and Protecting Key Subsystems in /etc/passwd
- 2.4.7 Secure Login with HP-UX Secure Shell
- 2.4.8 Securing Passwords Stored in NIS
- 2.4.9 Securing Passwords Stored in LDAP Directory Server
- 2.5 Defining System Security Attributes
- 2.6 Handling setuid and setgid Programs
- 2.7 Preventing Stack Buffer Overflow Attacks
- 2.8 Protecting Unattended Terminals and Workstations
- 2.9 Protecting Against System Access by Remote Devices
- 2.10 Securing Login Banners
- 2.11 Protecting the root Account
- 3 HP-UX Standard Mode Security Extensions
- 4 Remote Access Security Administration
- 4.1 Overview of Internet Services and Remote Access Services
- 4.2 The inetd Daemon
- 4.3 Protection Against Spoofing with TCP Wrappers
- 4.4 Secure Internet Services
- 4.5 Controlling an Administrative Domain
- 4.6 Securing Remote Sessions Using HP-UX Secure Shell (SSH)
- 4.6.1 Key Security Features of HP-UX Secure Shell
- 4.6.2 Software Components of HP-UX Secure Shell
- 4.6.3 Running HP-UX Secure Shell
- 4.6.4 HP-UX Secure Shell Privilege Separation
- 4.6.5 HP-UX Secure Shell Authentication
- 4.6.6 Communication Protocols
- 4.6.7 HP-UX Secure Shell and the HP-UX System
- 4.6.8 Associated Technologies
- 4.6.9 Strong Random Number Generator Requirement
- 4.6.10 TCP Wrappers Support
- 4.6.11 chroot Directory Jail
- Part II Protecting Data
- 5 File System Security
- 5.1 Controlling File Access
- 5.2 Setting Access Control Lists
- 5.3 Using HFS ACLs
- 5.4 Using JFS ACLs
- 5.4.1 Definition of a JFS ACL
- 5.4.2 How the System Generates a JFS ACL
- 5.4.3 Minimal JFS ACL
- 5.4.4 Additional JFS ACL user and group Entries
- 5.4.5 JFS ACL group and class Entries
- 5.4.6 Using the setacl and getacl Commands
- 5.4.7 Effect of chmod on class Entries
- 5.4.8 Example of Changing a Minimal JFS ACL
- 5.4.9 Default JFS ACLs
- 5.4.10 Changing JFS ACL with the setacl Command
- 5.5 Comparison of JFS and HFS ACLs
- 5.6 ACLs and NFS
- 5.7 Security Considerations for /dev Device Special Files
- 5.8 Protecting Disk Partitions and Logical Volumes
- 5.9 Security Guidelines for Mounting and Unmounting File Systems
- 5.10 Controlling File Security on a Network
- 6 Compartments
- 7 Fine-Grained Privileges
- Part III Protecting Identity
- 8 HP-UX Role-Based Access Control
- 8.1 Overview
- 8.2 Access Control Basics
- 8.3 HP-UX RBAC Components
- 8.4 Planning the HP-UX RBAC Deployment
- 8.5 Configuring HP-UX RBAC
- 8.6 Using HP-UX RBAC
- 8.7 Troubleshooting HP-UX RBAC
- 9 Audit Administration
- A Trusted Systems
- B Other Security Products
- B.1 HP-UX AAA Server (RADIUS)
- B.2 HP-UX Bastille
- B.3 HP-UX Directory Server
- B.4 HP-UX Encrypted Volume and File System (EVFS)
- B.5 HP-UX HIDS
- B.6 HP-UX IPFilter
- B.7 HP-UX IPSec
- B.8 HP-UX LDAP-UX Integration
- B.9 HP-UX Secure Resource Partitions (SRP)
- B.10 HP-UX Secure Shell
- B.11 HP-UX Trusted Computing Services
- B.12 Security Patches
- Glossary
- Index
HMAC Hash-based Message Authentication Code (RFC 2104). A MAC built by combining an unkeyed hash
function, such as MD5 or SHA-1, with a secret key. See also MAC.
IKE The Internet Key Exchange (IKE) protocol is part of the IPSec protocol suite. IKE runs before any
IPSec ESP or AH traffic is exchanged and negotiates which encryption and/or authentication
services will be used. IKE also generates, distributes and refreshes the symmetric (shared)
keys used by ESP and AH. See also ESP and AH.
IPSec policy IPSec policies specify the rules according to which data is transferred securely. An IPSec policy
generally contains packet filter information and an action. The packet filter is used to select the policy
that applies to a packet, and the action of the selected policy is then applied to that packet.
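The following is an added illustration of the two-part model described in the IPSec policy and packet filter entries (a filter that selects the policy, and an action that is applied). It is not HP-UX code and does not use the ipsec_config syntax; the rule set, addresses, ports and action names are constructed for the example. It shows the two properties a practitioner checks in any policy table: the first matching filter wins, so rule order matters, and a packet that matches nothing must fall to a fail-closed default.

```python
"""Selecting an IPSec policy for a packet by first-match packet filter.

Added example, not HP-UX code. Filters use wildcard fields (None or
0.0.0.0/0 match anything). Rules, addresses and ports are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class PacketFilter:
    """Packet characteristics a policy is selected on (glossary: source and
    destination IP addresses, upper-layer protocol, TCP/UDP port numbers)."""
    src: str = "0.0.0.0/0"              # source address or network
    dst: str = "0.0.0.0/0"              # destination address or network
    proto: Optional[str] = None         # "tcp", "udp", or None for any
    src_port: Optional[int] = None      # None matches any source port
    dst_port: Optional[int] = None      # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.src_port in (None, pkt.get("sport"))
                and self.dst_port in (None, pkt.get("dport")))


@dataclass(frozen=True)
class Policy:
    name: str
    filter: PacketFilter
    action: str   # constructed action names: "secure" (ESP/AH), "pass" (cleartext), "discard"


def select_policy(policies, pkt: dict, default_action: str = "discard") -> Policy:
    """Return the first policy whose filter matches; ordering is significant.
    A packet matching no policy gets the default, which should be fail-closed
    ("discard"), not "pass", or unlisted traffic leaves the host in cleartext."""
    for policy in policies:
        if policy.filter.matches(pkt):
            return policy
    return Policy("default", PacketFilter(), default_action)


# Constructed policy table. Note that the broad "dns-clear" rule sits above
# the narrower "host-to-db" rule, so UDP/53 between those two hosts passes
# in cleartext: first match, not most specific match, decides.
POLICIES = [
    Policy("ssh-from-admin-net", PacketFilter(src="10.1.0.0/24", proto="tcp", dst_port=22), "secure"),
    Policy("dns-clear", PacketFilter(proto="udp", dst_port=53), "pass"),
    Policy("host-to-db", PacketFilter(src="10.1.5.7/32", dst="10.2.0.10/32"), "secure"),
]

if __name__ == "__main__":
    samples = [
        {"src": "10.1.0.5", "dst": "10.2.0.10", "proto": "tcp", "sport": 40000, "dport": 22},
        {"src": "10.1.5.7", "dst": "10.2.0.10", "proto": "tcp", "sport": 40001, "dport": 1521},
        {"src": "10.1.5.7", "dst": "10.2.0.10", "proto": "udp", "sport": 5000, "dport": 53},
        {"src": "192.168.1.1", "dst": "10.2.0.10", "proto": "tcp", "sport": 1, "dport": 80},
    ]
    for pkt in samples:
        chosen = select_policy(POLICIES, pkt)
        print(f"{pkt['src']} -> {pkt['dst']} {pkt['proto']}/{pkt['dport']}: {chosen.name} ({chosen.action})")
```

Reordering the table so that "host-to-db" precedes "dns-clear" would change the third sample from "pass" to "secure" without any filter being edited, which is why policy tables are reviewed in order, not rule by rule.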
Kerberos A network authentication protocol designed to provide strong authentication for client or server
applications. Kerberos allows users to authenticate themselves without transmitting unencrypted
passwords over the network.
LDAP (Lightweight Directory Access Protocol) The LDAP protocol provides network directory access. LDAP uses a directory structure similar
to the OSI X.500 directory service, but stores data as strings and uses the TCP/IP network stack
instead of the OSI network stack.
MAC A message authentication code (MAC) is an authentication tag, also called a checksum, derived
by applying an authentication algorithm, together with a secret key, to a message. MACs are
computed and verified with the same key, so only a party holding that key can verify a tag (and
that same party could also forge one). This distinguishes them from digital signatures, which
anyone holding the public key can verify but only the private-key holder can create.
Hash function-based MACs (HMACs) combine a secret key with a hash function to produce a
checksum that is appended to the message. An example is HMAC-MD5, the keyed-MD5 method
IPSec uses for AH and ESP authentication.
MACs can also be derived from block ciphers. The data is encrypted in message blocks using
DES in CBC mode and the final ciphertext block is used as the checksum. The DES-CBC MAC was
a widely used US and international standard; DES itself has since been withdrawn as a standard
and should not be chosen for new deployments.
man-in-the-middle attack See third-party attack.
manual keys Manually configured cryptographic keys for IPSec. An alternative to using the Internet Key
Exchange (IKE) protocol to generate cryptographic keys and other information for IPSec Security
Associations (SAs).
MD5 Message Digest 5. A hash function designed by Ron Rivest of RSA (RFC 1321) that produces a 128-bit
message digest from a message of any length. MD5 itself takes no key; IPSec authenticates with it
through the keyed HMAC-MD5 construction, using a 128-bit key, and truncates the resulting 128-bit
MAC to its leftmost 96 bits (HMAC-MD5-96). MD5 is no longer collision resistant and should not
be relied on where collision resistance matters.
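The MAC, HMAC and MD5 entries above describe the same construction from three angles: an unkeyed hash, a secret key folded around it, and a truncated tag that only the key holder can verify. The code below is an added example for this glossary, not HP-UX code, that builds HMAC from a plain hash per RFC 2104, cross-checks it against Python's hmac module, and truncates the tag to the 96-bit Integrity Check Value used by AH and ESP. The key and payload are constructed test data.

```python
"""HMAC built from an unkeyed hash, then truncated to a 96-bit ICV as IPSec does.

Added example for this glossary; it is not HP-UX code. The key and payload
below are constructed test data. It shows (1) MD5 alone takes no key, (2) how
RFC 2104 HMAC wraps such a hash with a secret key, (3) the leftmost-96-bit
truncation behind HMAC-MD5-96 / HMAC-SHA-1-96, and (4) that the same key is
needed to verify, so a party without it can neither check nor forge the tag.
"""
import hashlib
import hmac


def hmac_from_scratch(key: bytes, msg: bytes, hash_name: str = "md5") -> bytes:
    """RFC 2104: HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))."""
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block_size:                       # keys longer than a block are hashed first
        key = hashlib.new(hash_name, key).digest()
    k = key.ljust(block_size, b"\x00")              # K': key zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "md5") -> bool:
    """Cross-check the hand-built HMAC against Python's hmac module."""
    return hmac.compare_digest(hmac_from_scratch(key, msg, hash_name),
                               hmac.new(key, msg, hash_name).digest())


def ipsec_icv(key: bytes, msg: bytes, hash_name: str = "md5", icv_bits: int = 96) -> bytes:
    """Integrity Check Value as AH/ESP carry it: the HMAC output truncated to
    its leftmost icv_bits bits (96 for HMAC-MD5-96 and HMAC-SHA-1-96)."""
    return hmac_from_scratch(key, msg, hash_name)[: icv_bits // 8]


def verify_icv(key: bytes, msg: bytes, icv: bytes, hash_name: str = "md5", icv_bits: int = 96) -> bool:
    """The receiver recomputes the ICV with the same key and compares in
    constant time; a wrong key or a modified message fails."""
    return hmac.compare_digest(ipsec_icv(key, msg, hash_name, icv_bits), icv)


def unkeyed_digest_bits(msg: bytes) -> int:
    """MD5 on its own: a 128-bit digest of the message, no key involved."""
    return len(hashlib.md5(msg).digest()) * 8


KEY = bytes(range(16))               # constructed 128-bit key (16 bytes)
MSG = b"constructed AH-protected payload"

if __name__ == "__main__":
    icv = ipsec_icv(KEY, MSG)
    print("HMAC-MD5   :", hmac_from_scratch(KEY, MSG).hex())
    print("HMAC-MD5-96:", icv.hex(), f"({len(icv) * 8} bits)")
    print("verify, right key :", verify_icv(KEY, MSG, icv))
    print("verify, wrong key :", verify_icv(bytes(16), MSG, icv))
    print("verify, tampered  :", verify_icv(KEY, MSG + b"x", icv))
```

The same functions produce HMAC-SHA-1-96 by passing hash_name="sha1"; the block size and padding rules are identical, only the underlying hash changes. Comparing tags with hmac.compare_digest rather than == keeps the verifier from leaking how many leading bytes of a forged tag were correct.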
NAT Network Address Translation. A method that allows multiple systems in an internal, private network
to share one public internet IP address. A NAT gateway replaces (translates) internal IP addresses
and ports with its public IP address and a gateway-chosen port when forwarding packets from the internal network to the
public internet, and performs the reverse translation for the return path.
object A system or network resource such as a system, file, printer, terminal, database record. In the
context of authorization, authorization is granted for a subject's operation on an object.
operation A specific mode of access to one or more objects. For example, writing to a file. In the context of
authorization, authorization is granted for a subject's operation on an object.
out-of-band key exchange A key exchange using a secure communication channel that is outside of normal computer
communication channels, such as a face-to-face meeting or telephone call.
packet filter A filter used to select or restrict network packets. Packet filters specify network packet
characteristics. Packet filters typically specify source and destination IP addresses, upper-layer
protocols (such as TCP or UDP), and TCP or UDP port numbers. Packet filters may also define