HP-UX System Administrator's Guide: Security Management HP-UX 11i v3 (B3921-90020, September 2010)
Table Of Contents
- HP-UX System Administrator's Guide: Security Management
- Table of Contents
- About this Document
- Part I Protecting Systems
- 1 Installing the HP-UX Operating Environment Securely
- 1.1 Installation Security Considerations
- 1.2 Preventing Security Breaches During the Boot Process
- 1.3 Enable Login Security for root
- 1.4 Using Boot Authentication to Prevent Unauthorized Access
- 1.5 Setting Install-Time Security Options
- 1.6 Installing Security Patches
- 1.7 Postinstallation Security Tips for Backup and Recovery
- 2 Administering User and System Security
- 2.1 Managing User Access
- 2.2 Authenticating Users During Login
- 2.3 Authenticating Users with PAM
- 2.4 Managing Passwords
- 2.4.1 System Administrator Responsibilities
- 2.4.2 User Responsibilities
- 2.4.3 Criteria of a Good Password
- 2.4.4 Changing the /etc/passwd Password File
- 2.4.5 The /etc/shadow Shadow Password File
- 2.4.6 Eliminating Pseudo-Accounts and Protecting Key Subsystems in /etc/passwd
- 2.4.7 Secure Login with HP-UX Secure Shell
- 2.4.8 Securing Passwords Stored in NIS
- 2.4.9 Securing Passwords Stored in LDAP Directory Server
- 2.5 Defining System Security Attributes
- 2.6 Handling setuid and setgid Programs
- 2.7 Preventing Stack Buffer Overflow Attacks
- 2.8 Protecting Unattended Terminals and Workstations
- 2.9 Protecting Against System Access by Remote Devices
- 2.10 Securing Login Banners
- 2.11 Protecting the root Account
- 3 HP-UX Standard Mode Security Extensions
- 4 Remote Access Security Administration
- 4.1 Overview of Internet Services and Remote Access Services
- 4.2 The inetd Daemon
- 4.3 Protection Against Spoofing with TCP Wrappers
- 4.4 Secure Internet Services
- 4.5 Controlling an Administrative Domain
- 4.6 Securing Remote Sessions Using HP-UX Secure Shell (SSH)
- 4.6.1 Key Security Features of HP-UX Secure Shell
- 4.6.2 Software Components of HP-UX Secure Shell
- 4.6.3 Running HP-UX Secure Shell
- 4.6.4 HP-UX Secure Shell Privilege Separation
- 4.6.5 HP-UX Secure Shell Authentication
- 4.6.6 Communication Protocols
- 4.6.7 HP-UX Secure Shell and the HP-UX System
- 4.6.8 Associated Technologies
- 4.6.9 Strong Random Number Generator Requirement
- 4.6.10 TCP Wrappers Support
- 4.6.11 chroot Directory Jail
- 1 Installing the HP-UX Operating Environment Securely
- Part II Protecting Data
- 5 File System Security
- 5.1 Controlling File Access
- 5.2 Setting Access Control Lists
- 5.3 Using HFS ACLs
- 5.4 Using JFS ACLs
- 5.4.1 Definition of a JFS ACL
- 5.4.2 How the System Generates a JFS ACL
- 5.4.3 Minimal JFS ACL
- 5.4.4 Additional JFS ACL user and group Entries
- 5.4.5 JFS ACL group and class Entries
- 5.4.6 Using the setacl and getacl Commands
- 5.4.7 Effect of chmod on class Entries
- 5.4.8 Example of Changing a Minimal JFS ACL
- 5.4.9 Default JFS ACLs
- 5.4.10 Changing JFS ACL with the setacl Command
- 5.5 Comparison of JFS and HFS ACLs
- 5.6 ACLs and NFS
- 5.7 Security Considerations for /dev Device Special Files
- 5.8 Protecting Disk Partitions and Logical Volumes
- 5.9 Security Guidelines for Mounting and Unmounting File Systems
- 5.10 Controlling File Security on a Network
- 6 Compartments
- 7 Fine-Grained Privileges
- 5 File System Security
- Part III Protecting Identity
- 8 HP-UX Role-Based Access Control
- 8.1 Overview
- 8.2 Access Control Basics
- 8.3 HP-UX RBAC Components
- 8.4 Planning the HP-UX RBAC Deployment
- 8.5 Configuring HP-UX RBAC
- 8.6 Using HP-UX RBAC
- 8.7 Troubleshooting HP-UX RBAC
- 9 Audit Administration
- 8 HP-UX Role-Based Access Control
- A Trusted Systems
- B Other Security Products
- B.1 HP-UX AAA Server (RADIUS)
- B.2 HP-UX Bastille
- B.3 HP-UX Directory Server
- B.4 HP-UX Encrypted Volume and File System (EVFS)
- B.5 HP-UX HIDS
- B.6 HP-UX IPFilter
- B.7 HP-UX IPSec
- B.8 HP-UX LDAP-UX Integration
- B.9 HP-UX Secure Resource Partitions (SRP)
- B.10 HP-UX Secure Shell
- B.11 HP-UX Trusted Computing Services
- B.12 Security Patches
- Glossary
- Index
boot authentication
using, 25
boot processs
gaining, 24
booting
preventing security breaches during booting, 23
btmp file
tracking failed logins with, 33
C
CA (certificate authority)
defined, 199
CDE Lock Manager
configuring, 55
CDE Login Manager
logging in with, 32
Certificate Revocation List (CRL), 200
chfn, 188
chmod command
changing file access permissions with, 89
effect on class entries, 97
chown, 27, 188, 192
chroot jail, 84
chsh, 188
cmdprivadm, 152
examples, 153
syntax, 152
command
login, 187
swlist, 186
compartments, 109
activating, 121
creating rules, 114
file system rules, 115
IPC rules, 116
modifying rules, 114
network interface rules, 119
network rules, 118
planning a structure, 111
privilege limitation rules, 120
troubleshooting, 123, 134
crontab, 186
D
DES (Data Encryption Standard), 200, 201
device assignment database
trusted system, 191
device-based access control, 190
Diffie-Hellman, 201
group, 201
directory access
securing, 89
disk partition
security considerations for, 104
domain
managing an administrative, 74
E
encrypted password field, 188
encryption
definition, 201
ESP (Encapsulating Security Payload)
definition, 201
/etc/ftpd/ftpusers, 69
/etc/inetd.sec, 72
/etc/passwd, 27
expiration time
password aging, 189
F
fbackup command, 26
trusted backup, 191
file
/etc/group, 188
/etc/passwd, 185, 186, 187, 188
file corruption
locating and correcting using fsck command, 90
file ownership
setting, 89
file security
considerations for /dev special files, 103
controlling file access, 87
controlling on a network, 106
protecting disk partitions and logical volumes, 104
protecting files related to user accounts, 90
protecting NFS-mounted files, 108
file set
SecurityMon, 186
file system
security guidelines for mounting and unmounting, 105
fileaccess
setting access permissions, 89
filter
definition, 201
fine-grained privileges, 127
configuring, 154
frecover command, 26
trusted recovery, 191
fsck command
correcting file corruption with, 90
FTP
securing, 68
securing anonymous, 69
ftpd server, 69
function
getdvagent, 191
getprdfent, 191
getprpwent, 191
getprtcent, 191
getpwent, 191
getspwent, 191
putprpwnam, 191
putpwent, 191
208 Index