HP-UX System Administrator's Guide: Security Management HP-UX 11i v3 (B3921-90020, September 2010)
DES Data Encryption Standard. Uses a 56-bit key for symmetric key block encryption. DES is suitable
for bulk data encryption.
DES has been cracked (data encoded using DES has been decoded by a third party).
Diameter Base A protocol that provides authentication, authorization, and accounting (AAA) services based on
the RADIUS protocol. The Diameter protocol provides the same functionality as RADIUS, with
improved reliability, security and infrastructure. See also RADIUS.
Diffie-Hellman
A public-key method to generate a symmetric key where two parties can publicly exchange values
and generate the same symmetric key. Start with prime p and generator g, which may be publicly
known (typically these numbers are from a well-known Diffie-Hellman Group). Each party selects
a private value (a and b) and generates a public value (g**a mod p and g**b mod p). They
exchange the public values. Each party then uses its private value and the other party's public
value to generate the same symmetric key for future communication: (g**a)**b mod p and
(g**b)**a mod p, which both evaluate to g**(a*b) mod p.
The Diffie-Hellman method must be combined with authentication to prevent man-in-the-middle
or third-party (spoofing) attacks. For example, Diffie-Hellman may be used with certificate
or preshared key authentication.
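Added example, not part of the HP guide: the exchange described in the Diffie-Hellman entry, with preshared-key authentication of the public values so that a value replaced in transit is rejected. The 127-bit toy prime, the HMAC tag layout, the SHA-256 key derivation and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumption): 2**127 - 1 is prime but far too small for real
# use; deployments take p and g from a well-known Diffie-Hellman group.
P = 2**127 - 1
G = 3

def keypair():
    """Select a private value x and compute the public value g**x mod p."""
    while True:
        private = secrets.randbelow(P - 3) + 2
        public = pow(G, private, P)
        if 1 < public < P - 1:          # avoid degenerate public values
            return private, public

def encode(n):
    return n.to_bytes(16, "big")

def tag(psk, role, own_public, peer_public):
    """Preshared-key authentication: HMAC over the sender role and both public values."""
    msg = role + encode(own_public) + encode(peer_public)
    return hmac.new(psk, msg, hashlib.sha256).digest()

def derive_key(psk, peer_role, private, own_public, peer_public, peer_tag):
    """Check the peer's tag, then compute (peer_public)**private mod p."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    expected = tag(psk, peer_role, peer_public, own_public)
    if not hmac.compare_digest(expected, peer_tag):
        raise ValueError("public values failed authentication")
    # Hashing the shared value into a 256-bit key is this example's choice.
    return hashlib.sha256(encode(pow(peer_public, private, P))).digest()

def run_exchange(psk, tamper=False):
    """Run both parties; tamper=True replaces A's public value in transit."""
    a, pub_a = keypair()
    b, pub_b = keypair()
    seen_by_b = keypair()[1] if tamper else pub_a   # what B actually receives
    tag_a = tag(psk, b"A", pub_a, pub_b)            # A authenticates what it sent and saw
    tag_b = tag(psk, b"B", pub_b, seen_by_b)        # B authenticates what it sent and saw
    key_b = derive_key(psk, b"A", b, pub_b, seen_by_b, tag_a)
    key_a = derive_key(psk, b"B", a, pub_a, pub_b, tag_b)
    return key_a, key_b

if __name__ == "__main__":
    key_a, key_b = run_exchange(b"constructed preshared key")
    print("keys match:", key_a == key_b)
```

Without the tag check, both parties would still compute a key after the substitution, just not the same one and not with each other.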
Digital Signature
Digital signatures are a variation of keyed hash algorithms that use public/private key pairs. The
sender uses its private key and the data as input to create a Digital Signature value.
EAP Extensible Authentication Protocol. A protocol that provides a framework for using multiple
authentication methods and protocols, including passwords, Kerberos, and challenge-response
protocols.
Encapsulating Security Payload
See ESP.
encryption The process of converting data from a readable format to nonreadable format for privacy.
Encryption functions usually take data and a cryptographic key (value or bit sequence) as input.
ESP Encapsulating Security Payload. This is part of the IPsec protocol suite. The ESP provides
confidentiality (encryption) and an antireplay service. It should be used with authentication,
either with the optional ESP authentication field (authenticated ESP) or nested in an authentication
header message. Authenticated ESP also provides data origin authentication and connectionless
integrity. When used in tunnel mode, ESP also provides limited traffic flow confidentiality.
event An action, such as creating a file, opening a file, or logging in to the system.
Extensible Authentication Protocol
See EAP.
filter A mechanism for screening unwanted objects, or the parameters that specify the objects allowed
or denied access. Typically, a filter is used to screen unwanted network packets (a packet filter).
fine-grained privilege
A permission to perform a specific, low-level operation (for example, permission to execute a
specific system call).
firewall One or more devices or computer systems used as a barrier to protect a network against unwanted
users or harmful, intrusive applications. See also bastion host and hardened system.
hardened system
A computer system with minimal operating system features, users, and applications that is used
as a barrier to protect a network against unwanted users or harmful, intrusive applications. Also
referred to as a bastion host.