HP-UX Standard Mode Security Extensions B.11.23.02 Release Notes

NOTE: The Standard Mode Security Extensions bundle does not change systems running in
trusted mode.
New in HP-UX SMSE B.11.23.02
HP-UX SMSE B.11.23.02 delivers the following new content:
When used in conjunction with HP-UX RBAC version B.11.23.04, use of the userdbset
command can be restricted based on a user's authorizations. See userdbset(1M) for more
information.
A new command, userstat, displays the status of local user accounts and reports abnormal
conditions, such as account locks. See userstat(1M) for more information.
Auditing System in Standard Mode HP-UX
The purpose of the auditing system is to record security-relevant events for analysis. This
information helps detect repeated attempts to breach security. Thus, the auditing system acts
as a deterrent against system abuse and exposes potential security weaknesses.
Previously, the auditing system was only supported on systems converted to trusted mode. By
installing the HP-UX Standard Mode Security Extensions bundle, you can now perform audits
without converting the system to trusted mode. The auditing system is described in the audit(5)
manpage. The following enhancements are included:
A more flexible form of audit IDs, called audit tags, uniquely identifies each login session
and responsible user.
Two new libsec routines, getauduser and setauduser, are similar to the getaudid and
setaudid system calls. The new libsec routines manage the audit tags. Refer to the
getauduser(3), setauduser(3), and audit(5) manpages.
For applications that use PAM for authentication, the pam_hpsec PAM module transparently
handles the per-session audit information. Refer to the pam_hpsec(5) manpage.
The audit commands, audsys, audisp, and audevent, now support auditing in standard
mode. Refer to audsys(1M), audisp(1M), and audevent(1M).
Commands like login, cron, and ftpd can now do self-auditing in standard mode.
In standard mode, the selection of which users are audited is stored in the per-user
configuration user database described in “User Database for Per-User Configurations” (page 11)
and in the userdb(4) manpage. This database plays the role that /tcb plays in trusted mode.
The userdbset command specifies which users are to be audited in standard mode. This
functionality is equivalent to the audusr command in trusted mode. Refer to the
userdbset(1M) manpage.
Configurable System-Wide Security Defaults in /etc/default/security
System-wide defaults for security features are configured in the security defaults file,
/etc/default/security, by modifying its attribute=value pairs. See Table 1-1 and Table 1-2
for the attributes affected by the HP-UX Standard Mode Security Extensions. Table 1-1 and
Table 1-2 are not a complete list of attributes. Refer to the security(4) manpage for the complete
list of attributes and an explanation of /etc/default/security.
The new security attribute description file, /etc/security.dsc, describes each
attribute along with its range of possible values. The /etc/security.dsc file also shows the
default value used for each attribute if no system-wide default value is configured in
/etc/default/security.
Several system-wide defaults can be overridden for specified users by setting a per-user value
in the user database. Use the userdbset command to make the per-user configurations. See
“User Database for Per-User Configurations” (page 11) and refer to the userdbset(1M) manpage.
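The precedence described above (per-user value in the user database, then the system-wide value in /etc/default/security, then the attribute's documented default) and the selection of audited users through the user database, carried through as an added example. This script is not part of the release notes or of HP-UX; the two files it creates are constructed samples standing in for /etc/default/security and for per-user values (on a live system, read those with userdbget -u USER and set them with userdbset -u USER attr=value), and the built-in defaults and the weak-setting thresholds in it are assumptions for illustration, not values taken from /etc/security.dsc.

```shell
#!/bin/sh
# Added example, not from the HP-UX release notes. Resolves the value a
# security attribute takes effect with, using the precedence the notes describe:
#   1. per-user value in the user database (set with userdbset)
#   2. system-wide value in /etc/default/security
#   3. the attribute's built-in default (documented in /etc/security.dsc)
# and then reviews the system-wide settings for values worth questioning.
# Assumptions: both files below are constructed samples; on a live system the
# per-user values come from 'userdbget -u USER'. The built-in defaults and the
# thresholds in weak_settings are assumed for the example, not read from
# security.dsc.

SEC_FILE=$(mktemp)      # stands in for /etc/default/security
USERDB_FILE=$(mktemp)   # stands in for the per-user user database
trap 'rm -f "$SEC_FILE" "$USERDB_FILE"' EXIT

cat >"$SEC_FILE" <<'EOF'
# constructed sample of /etc/default/security (attribute=value pairs)
MIN_PASSWORD_LENGTH=7
PASSWORD_MAXDAYS=90
AUDIT_FLAG=0
ALLOW_NULL_PASSWORD=1
EOF

cat >"$USERDB_FILE" <<'EOF'
# constructed: one "user ATTR=value" per line, as if set with
#   userdbset -u alice AUDIT_FLAG=1 MIN_PASSWORD_LENGTH=12
alice AUDIT_FLAG=1
alice MIN_PASSWORD_LENGTH=12
EOF

# builtin_default ATTR: fallback when neither layer above sets ATTR
# (assumed values; a real system takes these from /etc/security.dsc).
builtin_default() {
    case "$1" in
        MIN_PASSWORD_LENGTH) echo 6 ;;
        AUTH_MAXTRIES)       echo 0 ;;
        AUDIT_FLAG)          echo 0 ;;
        ALLOW_NULL_PASSWORD) echo 1 ;;
        *)                   echo "" ;;
    esac
}

# sysdefault ATTR: value from the security defaults file, empty if unset.
# The last matching line wins; trailing comments are ignored.
sysdefault() {
    sed -n "s/^[[:space:]]*$1=\([^#[:space:]]*\).*/\1/p" "$SEC_FILE" | tail -n 1
}

# userval USER ATTR: per-user value from the constructed override file.
userval() {
    awk -v u="$1" -v a="$2" '
        $1 == u && index($2, a "=") == 1 { print substr($2, length(a) + 2) }
    ' "$USERDB_FILE" | tail -n 1
}

# effective USER ATTR: first non-empty value in precedence order.
# An empty USER yields the system-wide value (no per-user override).
effective() {
    v=$(userval "$1" "$2")
    [ -z "$v" ] && v=$(sysdefault "$2")
    [ -z "$v" ] && v=$(builtin_default "$2")
    echo "$v"
}

# weak_settings: print one line per system-wide setting a reviewer would
# question (thresholds are assumptions for the example).
weak_settings() {
    if [ "$(effective "" ALLOW_NULL_PASSWORD)" = "1" ]; then
        echo "ALLOW_NULL_PASSWORD=1: accounts with empty passwords can log in"
    fi
    minlen=$(effective "" MIN_PASSWORD_LENGTH)
    if [ "$minlen" -lt 8 ]; then
        echo "MIN_PASSWORD_LENGTH=$minlen: below the assumed minimum of 8"
    fi
    if [ "$(effective "" AUDIT_FLAG)" = "0" ]; then
        echo "AUDIT_FLAG=0: users are audited only if selected with userdbset"
    fi
}

echo "alice MIN_PASSWORD_LENGTH: $(effective alice MIN_PASSWORD_LENGTH)"  # 12 (per-user)
echo "bob   MIN_PASSWORD_LENGTH: $(effective bob MIN_PASSWORD_LENGTH)"    # 7 (system-wide)
echo "bob   AUTH_MAXTRIES:       $(effective bob AUTH_MAXTRIES)"          # 0 (built-in)
weak_settings
```

To apply the same lookup to a real system, point SEC_FILE at /etc/default/security and replace userval with a call to userdbget -u USER; the precedence logic in effective stays the same.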