HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
Features
HP-UX 11i Security Containment Version B.11.23.02 includes the following components:
• Compartments
Compartments isolate unrelated resources on a system, to prevent catastrophic damage to
the system if one compartment is penetrated.
When configured in a compartment, an application has restricted access to resources
(processes, binaries, data files, and communication channels used) outside its compartment.
This restriction is enforced by the HP-UX kernel and cannot be overridden unless the
configuration specifically allows it. If the application is compromised, it cannot damage other
parts of the system because it is isolated by the compartment configuration.
• Fine-Grained Privileges
Traditional UNIX operating systems grant "all or nothing" administrative privileges based
on the effective UID of the process that is running. If the process is running with the effective
UID=0, it is granted all privileges. With fine-grained privileges, processes are granted only
the privileges needed for the task and, optionally, only for the time needed to complete the
task. Applications that are privilege-aware can elevate their privilege to the required level
for the operation and lower it after the operation completes.
• HP-UX Role-Based Access Control (HP-UX RBAC)
Typical UNIX system administration commands must be run by a superuser (root user).
Similar to kernel-level system call access, access is usually "all or nothing" based on the user's
effective UID. HP-UX Role-Based Access Control (HP-UX RBAC) enables you to group
common or related tasks into a role. For example, a common role might be User and Group
Administration. Once the role is created, users are assigned a role or set of roles that enables
them to run the commands defined by those roles.
When you implement HP-UX RBAC, you enable non-root users to perform tasks previously
requiring root privileges, without granting those users complete root privileges.
For more information about HP-UX RBAC, refer to the HP-UX Role-Based Access Control
B.11.23.04 Release Notes.
• HP-UX Standard Mode Security Extensions (SMSE)
In addition to the new Security Containment features, HP-UX 11i v2 has been enhanced to
support the following security features, previously available only in trusted mode:
— Audit
The HP-UX auditing system records security-related events for analysis. Administrators
use auditing to detect and analyze security breaches. Auditing is now available on
standard mode HP-UX systems; it was previously available only on trusted mode
systems.
— User Database
Previously, all Standard Mode HP-UX security attributes and password policy
restrictions were set on a systemwide basis. The introduction of the user database enables
you to set security attributes on a per-user basis that override systemwide defaults.
You can use the user database to enforce the following security measures:
◦ Lock a user account after a specified number of authentication failures
◦ Display the last successful and unsuccessful login
◦ Maintain a password history
◦ Expire inactive user accounts
◦ Prevent users from logging in with a null password
◦ Restrict users to logging in only during specified time periods