HP-UX 11i v3 March 2014 Release Notes

Initial (February 2007) Release Notes, Chapter 8: “Security”
HP-UX 11i Security Containment: Fine-grained privileges and compartments are now part of
the core.
HP-UX Auditing System: Enhanced in several ways, including: Standard Mode Auditing is now
part of the core products; a multi-threaded kernel audit daemon is now dedicated to logging the
data into a configurable number of files for better performance; collected audit data are more
comprehensive; and several other enhancements.
HP-UX Bastille: With version B.3.0.20, new enhancements, capabilities, features, and benefits
(including bastille_drift analysis) represent additional items that Bastille will be able to lock
down, additional usability improvements, and a new ability for Bastille to check a given system
against a security baseline or report on the security-configuration state of a system.
HP-UX IPFilter: Updated to version A.03.05.13 with defect fixes and enhancements including
filtering on X.25 interfaces, filtering on 10GigE interfaces; IPFilter not plumbed into the
networking stack by default; no reboot required to enable IPFilter.
New: HP-UX IPSec: Previously only available on the AR media. Now delivered on the HP-UX
11i v3 Operating Environments. Provides an infrastructure to allow secure communications
(authentication, integrity, confidentiality) over IP networks between systems and devices that
implement the IPsec protocol suite.
HP-UX Secure Shell: Updated to version A.04.40.005 with new features including an sftp-only
solution in a chroot environment; TCP wrappers support for IPv6; Standard Mode
Security Extensions (SMSE) enhanced to provide the Audit all users and events feature; and
other features, as well as defect fixes.
HP-UX Security Attributes Configuration tool (secweb): Updated to support long user names.
New: HP-UX Standard Mode Security Extensions: Now part of the core OS; provides a new
command and new library functions. Shadow passwords are now also supported with NIS.
Install-Time Security: Updated to version 1.0.4 with new questions/configuration, diagnostic
daemon configured for local-only use (not network), and syslog local-only.
Kerberos Client: Updated to version 1.3.5.03 with new features including support for powerful
cryptographic algorithms like 3DES, RC4, and AES; support for IPv6; support for TCP; and
defect fixes.
OpenSSL: Updated to version A.00.09.08b.09.07j with support (in default version) for several
hardware ENGINES (see section for specifics); support for elliptic curve cryptography; and
EVP, the library that provides a high-level interface to cryptographic functions. Other
provided versions include other features.
PAM Kerberos: Enhanced to issue a warning if rc_host_0 is owned by anyone other than
root when a user tries to rlogin into a system; will also issue a warning if the keytable entry
is not found for the host service principal on the client but is present at the KDC.
Security Patch Check: Updated to incorporate defect fixes.
Initial (February 2007) Release Notes, Chapter 9: “Commands and System Calls”
/etc/skel/.profile shell script: . (current path) in $PATH is deprecated.
32-bit pstat System Call (Deprecated): When compiling a 32-bit application that uses the
pstat() system call, the compiler option -D_PSTAT64 must now be specified. This causes
pstat() to use 64-bit fields rather than 32-bit fields. The application still remains a 32-bit
application.
at, cron, and batch Commands: New features include support for queueing multiple jobs
at the same time, support for queueing of more than 100 jobs, and ability to schedule jobs
up to the njob limit specified for every queue in queuedefs(4).