HP-UX System Administrator's Guide: Security Management HP-UX 11i v3 (B3921-90020, September 2010)
Table Of Contents
- HP-UX System Administrator's Guide: Security Management
- Table of Contents
- About this Document
- Part I Protecting Systems
- 1 Installing the HP-UX Operating Environment Securely
- 1.1 Installation Security Considerations
- 1.2 Preventing Security Breaches During the Boot Process
- 1.3 Enable Login Security for root
- 1.4 Using Boot Authentication to Prevent Unauthorized Access
- 1.5 Setting Install-Time Security Options
- 1.6 Installing Security Patches
- 1.7 Postinstallation Security Tips for Backup and Recovery
- 2 Administering User and System Security
- 2.1 Managing User Access
- 2.2 Authenticating Users During Login
- 2.3 Authenticating Users with PAM
- 2.4 Managing Passwords
- 2.4.1 System Administrator Responsibilities
- 2.4.2 User Responsibilities
- 2.4.3 Criteria of a Good Password
- 2.4.4 Changing the /etc/passwd Password File
- 2.4.5 The /etc/shadow Shadow Password File
- 2.4.6 Eliminating Pseudo-Accounts and Protecting Key Subsystems in /etc/passwd
- 2.4.7 Secure Login with HP-UX Secure Shell
- 2.4.8 Securing Passwords Stored in NIS
- 2.4.9 Securing Passwords Stored in LDAP Directory Server
- 2.5 Defining System Security Attributes
- 2.6 Handling setuid and setgid Programs
- 2.7 Preventing Stack Buffer Overflow Attacks
- 2.8 Protecting Unattended Terminals and Workstations
- 2.9 Protecting Against System Access by Remote Devices
- 2.10 Securing Login Banners
- 2.11 Protecting the root Account
- 3 HP-UX Standard Mode Security Extensions
- 4 Remote Access Security Administration
- 4.1 Overview of Internet Services and Remote Access Services
- 4.2 The inetd Daemon
- 4.3 Protection Against Spoofing with TCP Wrappers
- 4.4 Secure Internet Services
- 4.5 Controlling an Administrative Domain
- 4.6 Securing Remote Sessions Using HP-UX Secure Shell (SSH)
- 4.6.1 Key Security Features of HP-UX Secure Shell
- 4.6.2 Software Components of HP-UX Secure Shell
- 4.6.3 Running HP-UX Secure Shell
- 4.6.4 HP-UX Secure Shell Privilege Separation
- 4.6.5 HP-UX Secure Shell Authentication
- 4.6.6 Communication Protocols
- 4.6.7 HP-UX Secure Shell and the HP-UX System
- 4.6.8 Associated Technologies
- 4.6.9 Strong Random Number Generator Requirement
- 4.6.10 TCP Wrappers Support
- 4.6.11 chroot Directory Jail
- 1 Installing the HP-UX Operating Environment Securely
- Part II Protecting Data
- 5 File System Security
- 5.1 Controlling File Access
- 5.2 Setting Access Control Lists
- 5.3 Using HFS ACLs
- 5.4 Using JFS ACLs
- 5.4.1 Definition of a JFS ACL
- 5.4.2 How the System Generates a JFS ACL
- 5.4.3 Minimal JFS ACL
- 5.4.4 Additional JFS ACL user and group Entries
- 5.4.5 JFS ACL group and class Entries
- 5.4.6 Using the setacl and getacl Commands
- 5.4.7 Effect of chmod on class Entries
- 5.4.8 Example of Changing a Minimal JFS ACL
- 5.4.9 Default JFS ACLs
- 5.4.10 Changing JFS ACL with the setacl Command
- 5.5 Comparison of JFS and HFS ACLs
- 5.6 ACLs and NFS
- 5.7 Security Considerations for /dev Device Special Files
- 5.8 Protecting Disk Partitions and Logical Volumes
- 5.9 Security Guidelines for Mounting and Unmounting File Systems
- 5.10 Controlling File Security on a Network
- 6 Compartments
- 7 Fine-Grained Privileges
- 5 File System Security
- Part III Protecting Identity
- 8 HP-UX Role-Based Access Control
- 8.1 Overview
- 8.2 Access Control Basics
- 8.3 HP-UX RBAC Components
- 8.4 Planning the HP-UX RBAC Deployment
- 8.5 Configuring HP-UX RBAC
- 8.6 Using HP-UX RBAC
- 8.7 Troubleshooting HP-UX RBAC
- 9 Audit Administration
- 8 HP-UX Role-Based Access Control
- A Trusted Systems
- B Other Security Products
- B.1 HP-UX AAA Server (RADIUS)
- B.2 HP-UX Bastille
- B.3 HP-UX Directory Server
- B.4 HP-UX Encrypted Volume and File System (EVFS)
- B.5 HP-UX HIDS
- B.6 HP-UX IPFilter
- B.7 HP-UX IPSec
- B.8 HP-UX LDAP-UX Integration
- B.9 HP-UX Secure Resource Partitions (SRP)
- B.10 HP-UX Secure Shell
- B.11 HP-UX Trusted Computing Services
- B.12 Security Patches
- Glossary
- Index
Index
Symbols
/dev special device file
security considerations for, 103
/etc/d_passwd file
controlling access using, 56
/etc/default/security, 25
/etc/dialups file
controlling access using, 56
/etc/ftpd/ftpusers file
changing access with, 69
/etc/group file, 188
/etc/inetd.sec file, 72
/etc/pam.conf file, 35
configuring systemwide with, 37
/etc/pam_user.conf file, 35
/etc/passwd file, 185, 186, 187, 188
application user accounts, 30
changing, 42
example of pseudo-account in, 45
format of, 43
recovering, 27
restricted account, 30
/etc/rbac/aud_filter, 182
/etc/rbac/cmd_priv, 154
entries, 156
/etc/security.dsc file, 47
/etc/shadow shadow password file, 43
/sbin/rc2.d/S760auditing, 186
/tcb/files/auth/ protected password database, 186, 187
/tcb/files/auth/*/*, 185, 188, 190, 191
/tcb/files/ttys, 190
/tmp, 192
/var.adm/userdb file, 48, 63
/var/adm/inetd.sec file
configuring, 72
A
access
device-based access, 190
password, 189
terminal control, 189
time-based access, 189, 190
access control list
See ACL, 91
Access Control Policy Switch, 141
customizing, 161
interfaces, 141
ACL
and NFS, 103
comparison of JFS and HFS, 102
default JFS entries, 99
example of changing a minimal JFS, 98
setting, 91
setting HFS, 91
setting JFS, 95
trusted system backup/recovery, 191
administrative domain
managing, 74
AES (Advanced Encryption Standard), 199
AH (Authentication Header)
definition, 199
anonymous FTP
securing, 69
at command, 186
audisp command
viewing audit log output with, 180
audit event, 171
type, 173
audit flag, 189
audit ID (aid), 186, 188, 189
audit log file, 173
overwriting existing, 175
streamlining data in, 181
viewing, 180
auditing
basic profile, 172
commands, 166
enabling, 166
turning on after recovery, 27
users, 165
authadm, 151
examples, 152
syntax, 151
authentication, 186
during login, 31
PAM login example, 39
used by SSH, 80
using boot, 25
using PAM, 34
Authorization Number, 187
authorizations, 138
configuring, 151
object, 138
operation, 138
auxiliary audit log file, 174
B
backup
security guidelines for, 26
trusted system, 185, 191
backup media
security of, 191
Bastille (see HP-UX Bastille)
batch, 186
207