HP-UX System Administrator's Guide: Security Management
HP-UX 11i Version 3
HP Part Number: B3921-90059
Published: September 2011
Edition: 7
© Copyright 2011 Hewlett-Packard Development Company L.P Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this document, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
Table of Contents
About this Document
I Protecting Systems
1 Installing the HP-UX Operating Environment Securely
1.1 Installation Security Considerations
2.4.6 Eliminating Pseudo-Accounts and Protecting Key Subsystems in /etc/passwd
2.4.7 Secure Login with HP-UX Secure Shell
2.4.8 Securing Passwords Stored in NIS
2.4.9 Securing Passwords Stored in LDAP Directory Server
2.5 Defining System Security Attributes
4 Remote Access Security Administration
4.1 Overview of Internet Services and Remote Access Services
4.1.1 Securing ftp
4.1.2 Securing Anonymous ftp
4.1.3 Denying Access Using /etc/ftpd/ftpusers
5.1.5 Locating and Correcting File Corruption Using fsck
5.2 Setting Access Control Lists
5.3 Using HFS ACLs
5.3.1 HFS ACLs and HP-UX Commands and Calls
5.4 Using JFS ACLs
6.4.3 IPC Rules
6.4.4 Network Rules
6.4.5 Miscellaneous Rules
6.4.6 Example Rules File
6.5 Configuring Compartments
8.4 Planning the HP-UX RBAC Deployment
8.4.1 Planning the Roles
8.4.2 Planning Authorizations for the Roles
8.4.3 Planning Command Mappings
8.4.4 HP-UX RBAC Limitations and Restrictions
9.6 Using the Audit Filtering Tools
9.7 Using filter.conf
9.8 Using the Audit Reporting Tools
9.8.1 Examples of Using the auditdp Command
9.9 Viewing Audit Logs
B.3.2 HP-UX Directory Server
B.3.3 HP-UX LDAP-UX Integration
Glossary
Index

List of Figures
2-1 HP-UX Authentication Modules Under PAM
5-1 File and Directory Permission Fields
6-1 Compartment Architecture
8-1 HP-UX RBAC Architecture
8-2 Example Operation After Invoking privrun

List of Tables
3-1 User Database Configuration Files
3-2 User Database Commands
3-3 User Attributes
3-4 User Database Manpages

List of Examples
2-1 Pseudo- and Special System Accounts
5-1 Creating an HFS ACL
5-2 Multiple HFS ACL Matches
About this Document

Publication History

The document publication date and part number indicate its current edition. The publication date will change when a new edition is released. To ensure that you receive the new editions, you should subscribe to the appropriate product support service. Contact your HP sales representative for details. You can find the various versions of this document at: http://www.hp.com/go/hpux-core-docs Click HP-UX 11i v3.
• Updated the HP-UX Role-Based Access Control chapter (see Chapter 8).
• Updated the Audit Administration chapter (see Chapter 9).
• Added security products to Appendix B (see Appendix B).

March 2008, Part Number 5992–3387
• Divided the document into three parts: Protecting Systems, Protecting Data, and Protecting Identity.
• Added a chapter to document HP-UX Standard Mode Security Extensions (see Chapter 3).
• Replaced Security Patch Check with Software Assistant.
About This Document Set

The HP-UX System Administrator's Guide documents the core set of tasks (and associated concepts) necessary to administer systems running HP-UX 11i Version 3. It is comprised of the following volumes:

Overview
Provides a high-level view of HP-UX 11i, its components, and how they relate to each other.

Configuration Management
Describes many of the tasks that you must perform to configure and customize system settings and the behavior of subsystems.
HP-UX 11i Release Names and Release Identifiers With HP-UX 11i, HP delivers a highly available, secure, and manageable operating system. HP-UX 11i supports enterprise, mission-critical, and technical computing environments and is available on both HP 9000 systems and HP Integrity servers. Each HP-UX 11i release has an associated release name and release identifier. The uname command with the -r option returns the release identifier.
Finding HP-UX Information

The following table outlines where to find general system administration information for HP-UX. However, it does not include information for specific products.

If you need to find out:
• What has changed in HP-UX releases
• The contents of the Operating Environments
• Firmware requirements and supported systems for a specific release
Refer to: The HP-UX 11i Release Notes
Located at:
• HP Instant Information media specific to your version of HP-UX.
• http://www.hp.
• HP-UX AAA Server Administrator's Guide
• HP-UX Host Intrusion Detection System Administrator's Guide
• HP-UX IPFilter Administrator's Guide
• HP-UX IPSec Administrator's Guide
• HP-UX Secure Shell Release Notes

Conventions

This document uses the following typographical conventions.

reboot(1M)
An HP-UX manpage. reboot is the name and 1M is the section in the HP-UX Reference. On the Web and on the Instant Information media, it may be a hot link to the manpage itself.
Part I Protecting Systems One critical factor in enterprise security is system minimization and hardening. HP-UX 11i offers a set of security features designed to address known and unknown vulnerabilities by running only the services that are needed, thus minimizing a potential point of attack.
1 Installing the HP-UX Operating Environment Securely

This chapter describes security considerations related to the boot and installation processes, including the following topics:
• Installation security considerations (Section 1.1)
• Preventing security breaches during the boot process (Section 1.2)
• Enable login security for root (Section 1.3)
• Using boot authentication to prevent unauthorized access (Section 1.4)
• Setting Install-Time Security options (Section 1.
are altered incorrectly or maliciously before the reboot, the system can have problems during and after the reboot. Therefore, perform these preventative tasks:
• Make sure the system and system console are physically secure and that only authorized users have access.
• Enable the boot authentication feature to allow only specified users to boot the system to single user mode. See Section 1.4.
• Make sure system files are write protected; some might need to be read protected.
1.4 Using Boot Authentication to Prevent Unauthorized Access

The boot authentication feature protects single-user mode boot with password authentication. It makes it possible to configure a system so that only authorized users are allowed to boot the machine into single-user mode. The boot authentication feature must be enabled before you reboot the system. Boot authentication is configured by two attributes in the /etc/default/security file:
• BOOT_AUTH enables or disables boot authentication.
www.hp.com/go/hpux-security-docs Click HP-UX IPFilter Software. 1.6 Installing Security Patches Immediately after installation, apply the required and recommended patches using HP-UX Software Assistant (SWA). SWA is a command-line-based tool that consolidates and simplifies patch management and security bulletin management on HP-UX systems. The SWA tool replaces Security Patch Check (SPC), and is the HP-recommended utility to use to maintain currency with HP-published security bulletins for HP-UX software.
• Examine the log file of latest backups to identify problems occurring during backup.
• Set restrictive permissions on the backup log file.
• Be aware that the frecover command allows you to overwrite a file. However, the file retains the permissions and ACLs set when the file was backed up.
• Test the recovery process beforehand to make sure you can fully recover data in the event of an emergency.
2 Administering User and System Security

This chapter addresses basic user security after the operating system is installed. It focuses on logins, passwords, and other user interactions with the system. The following topics are discussed:
• Managing user access (Section 2.1)
• Authenticating users during login (Section 2.2)
• Authenticating users with PAM (Section 2.3)
• Managing passwords (Section 2.4)
• Defining system security attributes (Section 2.
• Ensure that all users understand the security policies. Place a company security policies file in each home directory.
• Examine the /etc/passwd file or other appropriate user database for unused accounts, and especially for users who have left the company.
• Examine root accounts to see who has root access.
• Consider implementing HP-UX Role-based Access Control to minimize the risks associated with multiple users having access to the root account. For more information, see Chapter 8.
• User name
• Encrypted password
• User ID
• Group ID
• Comment field
• Home directory
• Login program

Typically, the login program is a shell, such as /bin/sh, but it does not have to be a shell. You can create a captive account, an account that logs a user directly into an application, by identifying the application as the login shell. Following is an example of restricting a user to run only the date command. The /etc/passwd entry is:
username:rc70x.
2.2.1 Explanation of the Login Process

The following steps describe the login process. This information shows how important it is to create unique user names and to maintain a password security policy. For more information, refer to login(1).
1. After the system is installed, the desktop Login Manager displays a login screen.
2. The Common Desktop Environment (CDE) displays a CDE login screen if it is installed.
3. The init program spawns a getty process, which prompts you for a user name.
as /bin/ksh, /bin/csh, or /bin/sh. If the command field is empty, the default is /bin/sh. The command field does not have to be a shell. See Section 2.1.3 for an example of running another command. 8. After the shell initialization is complete, the system displays a prompt and waits for user input. You can have the login process perform further user authentication using the Pluggable Authentication Modules (PAM). For more information, see pam.conf(4) and Section 2.3. 2.2.
abcdeux console Mon Mar 12 10:13 - 10:19 (00:06)
root pts/2 Fri Mar 9 13:51 - 15:12 (01:21)
abcdeux console Thu Mar 8 12:21 - 12:22 (00:00)
root pts/ta Wed Mar 7 15:38 - 18:13 (02:34)

The following command lists when reboots have occurred:
# last reboot
reboot system boot Sun Mar 28 18:06 still logged in
reboot system boot Sun Mar 28 17:48 - 18:06 (00:17)
reboot system boot Sun Mar 28 17:40 - 17:48 (00:08)
reboot system boot Thu Feb 19 18:25 - 17:40 (37+23:15)
reboot system boot Mon Feb 16 13:56 - 1
As a result, login authentication, account checking, and password modification use the PAM interface. Programs requiring user authentication pass their requests to PAM, which determines the correct verification method and returns the appropriate response. The programs do not need to know what authentication method is being used. See Figure 2-1 for an overview.
2.3.2 PAM Libraries

PAM service modules are implemented by shared libraries. PAM enables multiple authentication technologies to co-exist in HP-UX. The /etc/pam.conf configuration file determines which authentication module to use. The PAM libraries are as follows:
• PAM_DCE: The PAM_DCE modules enable integration of DCE into the system entry services (such as login, telnet, rlogin, ftp). The PAM_DCE modules provide functionality for the authentication, account management, and password management modules.
Click HP-UX 11i v3 Networking Software.
• PAM_RADIUS: The HP-UX PAM RADIUS module provides authentication and session management for PAM enabled applications (typically system entry services such as login and ftp) through a RADIUS server using the pam.conf configuration file. The HP-UX PAM RADIUS module consists of the following two modules:
  — Authentication module
  — Session management module
  It also provides a null function for account management.
-r--r--r-- 1 root sys 1050 Nov 8 10:16 /etc/pam.conf If this file is corrupt or missing from the system, root can log in to the console in single-user mode to fix the problem. The protected service names are listed in the system control file, /etc/pam.conf, under four test categories (module-type): authentication, account, session, and password. See pam(3), pam.conf(4), and pam_user.conf(4) for more information. 2.3.4 Sample /etc/pam.conf File Following is a partial listing of a sample /etc/pam.
su account required libpam_hpsec.so.1
su account required libpam_unix.so.1

2.3.5 The /etc/pam_user.conf User Configuration File

The PAM configuration file, /etc/pam_user.conf, configures PAM on a per-user basis. This file is optional. It is needed only if PAM applications need to behave differently for different users. You assign different options to individual users by listing them in /etc/pam_user.conf.
login auth required /usr/lib/security/libpam_unix.1

If there are two or more systemwide login auth entries, such as the following, they are taken in order:
login auth required /usr/lib/security/libpam_unix.1
login auth required /usr/lib/security/libpam_dce.1

In this case, the standard HP-UX login process is executed. Then the DCE authentication process occurs. If both are satisfied, then the login is successful. Both processes are performed, even if the user fails one of them.
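The stacking rule just described (every login auth entry is evaluated in order, and the login succeeds only if each required module passes) can be checked against a configuration file without logging in. The following shell script is an added example; it is not part of the HP-UX guide or of the PAM implementation. It reads a constructed pam.conf in the service / module-type / control-flag / module layout used above, lists the stack for one service, and simulates the outcome from per-module results that the caller supplies. Besides required it also applies the standard PAM semantics for requisite (stop immediately on failure) and sufficient (stop with success if no earlier required module failed), which this page does not describe. The module names, the sshd stack and the pass/fail results are all constructed.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide. Simulates how a PAM stack is
# evaluated from a pam.conf-style file and per-module results.

# Constructed sample in the /etc/pam.conf layout: service type flag module
make_sample_pam_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real system's /etc/pam.conf
login  auth     required   libpam_unix.so.1
login  auth     required   libpam_dce.so.1
su     account  required   libpam_hpsec.so.1
su     account  required   libpam_unix.so.1
sshd   auth     sufficient libpam_krb5.so.1
sshd   auth     required   libpam_unix.so.1
EOF
    echo "$f"
}

# Print "flag module" lines for service $2 and module-type $3, in file order
pam_stack() {
    awk -v svc="$2" -v type="$3" \
        '!/^[ \t]*#/ && $1 == svc && $2 == type { print $3, $4 }' "$1"
}

# Evaluate the stack. $4 is a space-separated list of module=pass|fail
# (constructed results); a module without a result is treated as failed.
# Prints "pass after ..." or "fail after ..." listing the modules that ran.
pam_outcome() {
    pam_stack "$1" "$2" "$3" | awk -v results="$4" '
        BEGIN {
            n = split(results, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); res[kv[1]] = kv[2] }
            failed = 0; done = 0; ran = ""
        }
        {
            flag = $1; mod = $2
            r = (mod in res) ? res[mod] : "fail"
            ran = (ran == "" ? "" : ran " ") mod "(" r ")"
            # required: remember the failure but keep running later modules
            if (flag == "required" && r == "fail") failed = 1
            # requisite: a failure ends the stack at once
            else if (flag == "requisite" && r == "fail") { print "fail after " ran; done = 1; exit }
            # sufficient: success ends the stack unless a required module already failed
            else if (flag == "sufficient" && r == "pass" && !failed) { print "pass after " ran; done = 1; exit }
        }
        END { if (!done) print (failed ? "fail" : "pass") " after " ran }'
}

# Stand-alone usage
if [ "${0##*/}" = "pam_stack_demo.sh" ]; then
    conf=$(make_sample_pam_conf)
    pam_stack "$conf" login auth
    pam_outcome "$conf" login auth "libpam_unix.so.1=pass libpam_dce.so.1=fail"
fi
```

With the two required login entries, a DCE failure still lets libpam_unix run (both modules appear in the "ran" list) and the final answer is fail, which is exactly the behaviour the paragraph above describes.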
2.4 Managing Passwords The password is the most important individual user identification symbol. With it, the system authenticates a user to allow access to the system. Because they are vulnerable to compromise when used, stored, or known, passwords must be kept secret at all times. The following sections discuss passwords in more detail. 2.4.1 System Administrator Responsibilities The system administrator and every user on the system must share responsibility for password security.
2.4.3 Criteria of a Good Password

Observe the following guidelines when choosing a password and communicate these guidelines to users:
• Choose a password with at least 6 characters and no more than 80 characters. Special characters can include control characters and symbols, such as asterisks and slashes. In standard mode, only the first 8 characters are used.
• Do not choose a word found in a dictionary in any language, even if you spell it backwards.
# passwd -f user1
• Lock or disable an account:
# passwd -l user2
• Enable password aging:
# passwd -n 7 -x 28 user1
• View password aging status for a specific user:
# passwd -s user
• View password aging status for all users:
# passwd -sa

2.4.4.2 The /etc/passwd File Format

The /etc/passwd file is used to authenticate a user at login time. The file contains an entry for every account on the HP-UX system. Each entry consists of seven fields, separated by colons.
Use the following commands to enable, verify, and disable shadow passwords:
• The pwconv command creates a shadow password file and copies the encrypted passwords from the /etc/passwd file to the /etc/shadow file.
• The pwck command checks the /etc/passwd and /etc/shadow files for inconsistencies.
• The pwunconv command copies the encrypted passwords and aging information from the /etc/shadow file to the /etc/passwd file and then deletes the /etc/shadow file.
NOTE: Shadow passwords are not supported with LDAP-UX. Instead, LDAP-UX provides the ability to hide user passwords in the directory server itself. LDAP-UX also enforces centralized security policies, similar to /etc/shadow, based on the security policy of the directory server. Shadow passwords are not supported by the applications that expect passwords to reside in /etc/passwd.
to the owner of the executable file. For example, the cancel command is part of the lp subsystem and runs as effective user lp. When the setuid is set, the security mediation of that subsystem enforces the security of all programs encompassed by the subsystem, not the entire system. Hence, the subsystem vulnerability to a breach of security is also limited to only those subsystem files. Breaches cannot affect the programs under different subsystems.
Boot attributes
These attributes control boot authentication, defining which users are authorized to boot the system into single-user mode. See boot authentication information in Chapter 1.

Switch user (su) attributes
These attributes define the PATH environment value, root group name for the su command, and whether or not su should propagate certain environment variables. See su(1) for more information.

Audit attribute
This attribute controls whether or not users are to be audited.
2.5.1 Configuring Systemwide Attributes The following steps explain how to define security attributes on a systemwide basis. 1. Review the security(4) manpage, which explains the configurable systemwide default values for attributes. These attributes are configured in the /etc/default/ security file, which is also explained in the security(4) manpage. If an attribute is not defined in the /etc/default/security file, then the default value defined in the /etc/security.dsc file will be used by the system.
4. Use the userdbset command to change an attribute for a user. The per-user information is stored in a user database in the /var/adm/userdb directory. The user database is described in the userdb(4) manpage. You cannot use the userdbset command to configure all attributes. Some per-user values are defined in the /etc/passwd and /etc/shadow files. For more information, see security(4). 5. Use the userdbget command to get user information. 2.5.2.
# userdbget -u username
The attributes configured for the user username are displayed. If an attribute is misconfigured, reconfigure the attribute.

Problem 2: The user database is not functioning properly. If you need to check the user database, enter the following command:
# userdbck
The userdbck command identifies and repairs problems in the user database.
2.6.1 Why setuid and setgid Programs Can Be Risky Whenever any program is executed, it creates a process with four ID numbers—real and effective user ID (ruid and euid) and real and effective group ID (rgid and egid). Typically, these ID pairs are identical. However, running a setuid or setgid program changes the euid or egid of the process from that associated with the owner to that of the object.
Enforce restrictive use of privileged programs through the following administrative and programming recommendations:
• Use setuid and setgid only when absolutely necessary.
• Make sure that no setuid program is writable by others.
• Whenever possible, use setgid instead of setuid to reduce the scope of damage that might result from coding flaws or breaches of security.
• Periodically search the file systems for new or modified setuid and setgid programs.
• A setuid program executing other programs.
• A program unexpectedly gaining a user ID of zero (0). The user ID of zero is for superuser or root only.

To prevent stack buffer overflow attacks:
• Enable the executable_stack kernel tunable parameter.
• Use the chatr +es command.

The executable_stack kernel tunable parameter enables you to prevent a program from executing code from its stack.
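Two of the recommendations above, that no setuid program is writable by others and that the file systems are searched periodically for new or modified setuid and setgid programs, are routine enough to script. The following POSIX shell script is an added example and is not part of the HP-UX guide: it builds a small constructed directory tree with the permission bits of interest, lists setuid/setgid files with find, reports setuid files that are also writable by others, and compares the current list with a saved baseline so that newly privileged files show up. The directory tree and file names are constructed; on a real system you would point the functions at / and keep the baseline file where only root can write it.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide: audit a directory tree for
# setuid/setgid programs, for setuid programs writable by others, and for
# privileged files that have appeared since a saved baseline.

# Build a constructed sample tree so the script runs anywhere (not real binaries)
make_sample_tree() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho ok\n'    > "$dir/ok_setuid"
    printf '#!/bin/sh\necho bad\n'   > "$dir/world_writable_setuid"
    printf '#!/bin/sh\necho sg\n'    > "$dir/setgid_only"
    printf '#!/bin/sh\necho plain\n' > "$dir/plain"
    chmod 4755 "$dir/ok_setuid"               # setuid, not writable by others
    chmod 4777 "$dir/world_writable_setuid"   # setuid AND world-writable: the bad case
    chmod 2755 "$dir/setgid_only"             # setgid only
    chmod 0755 "$dir/plain"                   # no privilege bits
    echo "$dir"
}

# All setuid or setgid regular files under tree $1, sorted one per line
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Setuid files that are also writable by others (both bit tests must match)
list_unsafe_setuid() {
    find "$1" -type f -perm -4000 -perm -0002 | sort
}

count_privileged()   { list_privileged "$1"   | wc -l | tr -d ' '; }
count_unsafe_setuid() { list_unsafe_setuid "$1" | wc -l | tr -d ' '; }

# Save the current privileged-file list as a baseline ($1 = baseline file)
save_baseline() { list_privileged "$2" > "$1"; }

# Privileged files present now under tree $2 but absent from baseline $1
new_since_baseline() {
    list_privileged "$2" | comm -13 "$1" -
}

# Stand-alone usage
if [ "${0##*/}" = "setuid_audit.sh" ]; then
    tree=$(make_sample_tree)
    echo "privileged files:";        list_privileged "$tree"
    echo "setuid and world-writable:"; list_unsafe_setuid "$tree"
    save_baseline "$tree/baseline.txt" "$tree"
    chmod 4755 "$tree/plain"         # simulate a program becoming setuid later
    echo "new since baseline:";      new_since_baseline "$tree/baseline.txt" "$tree"
fi
```

Run the list functions from cron and diff against the baseline; a file appearing in new_since_baseline that no change record explains is the "new or modified setuid program" the guide tells you to look for.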
ttp1:23:respawn:/usr/sbin/getty -h tty0p1 9600
ttp2:23:respawn:/usr/sbin/uugetty -h ttypd0p2 9600

Following is an example of changing run levels after normal work hours to disable terminals and modems using a cron job. During the day, the run level is 3 and the ttp1 and ttp2 terminals can be used because they are at run levels 2 and 3. At 8:00 a.m. from Monday through Friday, the system run level is set to 3:
# crontab -e
0 8 * * 1-5 /sbin/init 3
0 17 * * * /sbin/init 4
At 5:00 p.m.
If you use other systems often and if you copy the .profile file from one system to another, then adding the TMOUT variable to the .profile is more convenient. If you typically stay on one system, then either method of locking the terminal can be used. To configure the TMOUT variable, edit the .profile file as shown in the following:
# vi ~/.profile
export TMOUT=600 # (lock after 600 seconds of inactivity)
You can change the 600 to another desired value.
• Keep telephone numbers for modems unlisted and on a different system from other business phones. Do not publicize the dial-in phone numbers.
• Physically secure the modems.
• Use caller ID to identify all incoming calls to the modems.
• Do not allow call forwarding or other extra phone services on the modem lines.
• Do not use cell phone modems.

For remote and local access, consider installing an HP-UX AAA server product.
2.10 Securing Login Banners

Login banners are often used to display such system information as the system name, release version, and purpose of the system. This information can help an unauthorized user to learn more about the system. Following are some guidelines for creating more secure login banners:
• Consult the legal department to determine an appropriate message.
• Add a warning to the banner message prohibiting unauthorized use.
2.11 Protecting the root Account Following are suggestions for protecting the root account: • Do not share the root password. • Do not use / as the root home directory. • Examine output from last -R and lastb -R for unusual or failed root logins and to see who has logged in as root. • Examine /var/adm/sulog for attempts to use the su root command. • Look for unauthorized accounts with a UID of zero (0); use the logins -d command. The following sections discuss how to protect the root account in more detail.
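The /etc/passwd checks recommended on this page (seven colon-separated fields, a captive login program instead of a shell, and the search for extra UID-0 accounts that logins -d is used for) can be run over a copy of the file with awk. The following POSIX shell script is an added example and is not part of the HP-UX guide; it works on a constructed passwd file, so the account names, UIDs and shells are invented and the only real convention it relies on is the seven-field layout described in Section 2.4.4.2. It also flags entries with an empty encrypted-password field, which matters when ALLOW_NULL_PASSWORD is in effect.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide: audit a passwd-format file for
# malformed entries, extra UID-0 accounts, null passwords and captive accounts.

# Constructed sample in /etc/passwd layout (not taken from any real system)
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
lp:*:9:7::/var/spool/lp:/sbin/sh
alice:x:101:20:Alice Example:/home/alice:/usr/bin/ksh
toor:x:0:3:second uid 0 account:/:/sbin/sh
guest::102:20:no password set:/home/guest:/usr/bin/sh
datebot:x:103:20:captive account:/home/datebot:/usr/bin/date
EOF
    echo "$f"
}

# Lines that do not have exactly seven colon-separated fields
malformed_entries() {
    awk -F: 'NF != 7 { print NR ": " $0 }' "$1"
}

# Accounts other than root whose UID field (field 3) is zero
uid_zero_accounts() {
    awk -F: 'NF == 7 && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts with an empty encrypted-password field (field 2)
null_password_accounts() {
    awk -F: 'NF == 7 && $2 == "" { print $1 }' "$1"
}

# Captive accounts: login program (field 7) is not one of the usual shells
captive_accounts() {
    awk -F: 'NF == 7 && $7 !~ /\/(sh|ksh|csh)$/ { print $1 ": " $7 }' "$1"
}

# Stand-alone usage
if [ "${0##*/}" = "passwd_audit.sh" ]; then
    f=$(make_sample_passwd)
    echo "malformed:";      malformed_entries "$f"
    echo "extra uid 0:";    uid_zero_accounts "$f"
    echo "null password:";  null_password_accounts "$f"
    echo "captive:";        captive_accounts "$f"
fi
```

On a system with shadow passwords the second field holds a placeholder rather than the hash, so the null-password check must be run against /etc/shadow instead; the field positions for that file differ and are described in shadow(4).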
# smh -r When users with restricted access execute SMH, they will have superuser status in the defined areas and will only see those SMH areas in the menu. All other areas of SMH will be hidden from the user. When users without access permissions execute SMH, they will receive an error message stating they must be superuser. You can also add more applications to SMH and set them up for restricted access. 2.11.
3 HP-UX Standard Mode Security Extensions This chapter describes the HP-UX Standard Mode Security Extensions (HP-UX SMSE). The following topics are discussed: • Overview (Section 3.1) • Security attributes and the user database (Section 3.2) 3.1 Overview HP-UX Standard Mode Security Extensions (HP-UX SMSE) is a group of features that enhances both user and operating system security. HP-UX SMSE includes enhancements or changes to the HP-UX auditing system, passwords, and logins for systems in standard mode.
• Usage of the userdbset command can be restricted based on a user's authorizations. See userdbset(1M) for more information.
• The userstat command displays the account status of local users. It checks the status of local user accounts and reports abnormal conditions, such as account locks. See userstat(1M) for more information.

3.2 Security Attributes and the User Database

Previously, in standard mode, all HP-UX security attributes and password policy restrictions were set on a systemwide basis.
2. To change a systemwide default, edit the /etc/default/security file with a text editor such as vi. Comments begin with a pound sign (#). Attributes are written in attribute=value format. For example, to set the systemwide minimum number of uppercase characters in a password to two (2), enter the following values into /etc/default/security:
PASSWORD_MIN_UPPER_CASE_CHARS=2

NOTE: Changes to systemwide security attributes do not take effect immediately.
Table 3-3 User Attributes
Attribute              Description
ALLOW_NULL_PASSWORD    Allows or denies login with a null password.
AUDIT_FLAG             Audits or stops auditing the user.
AUTH_MAXTRIES          Defines the number of login failures allowed before a user is locked out of the system.
DISPLAY_LAST_LOGIN     Displays information about the user's last login.
LOGIN_TIMES            Restricts login time periods.
MIN_PASSWORD_LENGTH    Defines the minimum password length.
3.2.4 Configuring Attributes in the User Database

In previous HP-UX systems, security attributes and password policy restrictions were set on a systemwide basis. With HP-UX SMSE, you can configure some security attributes on a per-user basis. Attributes configured per-user override systemwide configured attributes. To modify a user's attribute values, follow these steps:
1. Decide which users to modify and which attributes will apply to them.
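The precedence described in Section 2.5.1 and in the section above (a per-user value overrides the systemwide /etc/default/security value, which in turn overrides the default from /etc/security.dsc) is easy to get wrong when debugging why a password was rejected. The following POSIX shell script is an added example and is not part of the HP-UX guide or of the userdb tools: it resolves an attribute through the three levels and then applies PASSWORD_MIN_UPPER_CASE_CHARS to a candidate password. The systemwide file uses the attribute=value format with # comments that the page describes; the defaults file and the per-user file are constructed in that same format and merely stand in for /etc/security.dsc and the userdb database, whose real on-disk formats this page does not describe. All attribute values and the user name are constructed.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide: resolve a security attribute
# through per-user, systemwide and default levels, then apply one rule.

# Constructed files; only the attribute=value / '#' comment layout is taken
# from the page. The .dsc and per-user files are stand-ins, not real formats.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/security" <<'EOF'
# constructed systemwide /etc/default/security
PASSWORD_MIN_UPPER_CASE_CHARS=2
MIN_PASSWORD_LENGTH=8
EOF
    cat > "$dir/security.dsc" <<'EOF'
# constructed defaults; stands in for /etc/security.dsc
PASSWORD_MIN_UPPER_CASE_CHARS=0
MIN_PASSWORD_LENGTH=6
AUTH_MAXTRIES=0
EOF
    cat > "$dir/user_alice" <<'EOF'
# constructed per-user overrides for alice; stands in for the userdb entry
MIN_PASSWORD_LENGTH=12
EOF
    echo "$dir"
}

# Print the value of attribute $2 from file $1 (last definition wins);
# prints nothing when the attribute is absent. Comments and blanks are skipped.
lookup_attr() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == key { val = substr($0, index($0, "=") + 1) }
        END { if (val != "") print val }
    ' "$1"
}

# Resolve attribute $4: per-user file $1, then systemwide file $2, then defaults $3
effective_attr() {
    v=$(lookup_attr "$1" "$4")
    [ -n "$v" ] || v=$(lookup_attr "$2" "$4")
    [ -n "$v" ] || v=$(lookup_attr "$3" "$4")
    printf '%s\n' "$v"
}

# Return 0 when password $1 has at least $2 uppercase letters, 1 otherwise
password_meets_upper_min() {
    n=$(printf '%s' "$1" | tr -cd '[:upper:]' | wc -c | tr -d ' ')
    [ "$n" -ge "$2" ]
}

# Stand-alone usage
if [ "${0##*/}" = "attr_resolve.sh" ]; then
    d=$(make_sample_files)
    for a in MIN_PASSWORD_LENGTH PASSWORD_MIN_UPPER_CASE_CHARS AUTH_MAXTRIES; do
        echo "$a=$(effective_attr "$d/user_alice" "$d/security" "$d/security.dsc" "$a")"
    done
    min=$(effective_attr "$d/user_alice" "$d/security" "$d/security.dsc" PASSWORD_MIN_UPPER_CASE_CHARS)
    password_meets_upper_min "abcDEf" "$min" && echo "abcDEf: ok" || echo "abcDEf: too few uppercase"
fi
```

Note that a value of 0 is a real setting (AUTH_MAXTRIES=0 above), so lookup_attr distinguishes "defined as 0" from "absent" by testing for the empty string rather than for a false value.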
4 Remote Access Security Administration

HP-UX provides several remote access services, such as file transfer, remote login, remote command execution, management of IP addresses and network clients, routing protocols, mail exchange, network services, and a security mechanism spawned by inetd, the Internet super daemon. This chapter discusses the following topics:
• Overview of internet services and remote access services (Section 4.1)
• The inetd Daemon (Section 4.
Table 4-1 Internet Services Components and Access Verification, Authorization, and Authentication (continued)
Internet Services Component: Access Verification, Authorization, or Authentication Mechanism
rlogin (remote login): Password verification or entry in $HOME/.rhosts or /etc/hosts.equiv file. Also can use Kerberos authentication mechanism defined in /etc/inetsvcs.conf. See rlogin(1).
telnet (remote login using ...): Password verification.
4.1.2 Securing Anonymous ftp If a $HOME/.rhosts file is put into /home/ftp, then an unauthorized user could use rlogin to log in as the user, ftp. The .rhosts file specifies hosts and users that are allowed access to a local account using rcp, remsh, or rlogin without a password. For more information, see hosts.equiv(4).
4.1.4 Other Security Solutions for Spoofing Spoofing is a method of pretending to be a valid user or host to gain unauthorized access to a system. Because IP addresses and hostnames can be spoofed, using the /var/adm/inetd.sec security file for inetd (the internet daemon) is not a guaranteed security solution. See Section 4.2 for information about inetd.
The inetd daemon is usually started automatically by the /sbin/init.d/inetd script as part of the boot process. The inetd daemon monitors for connection requests for the services listed in the /etc/ inetd.conf configuration file, and spawns the appropriate server on receiving a request. In other words, users connect to remote systems by using an Internet Service, such as telnet. The inetd daemon determines if a telnet connection from the host is allowed before completing the connection.
• Internet Assigned Numbers Authority (IANA) at http://www.iana.org. Verify that the port numbers listed for Internet Services match port numbers registered with IANA.
• Comment out unnecessary services, such as finger, in /etc/inetd.conf. The finger command displays user information without needing a password.
• Comment out Remote Procedure Calls (RPC) services in /etc/inetd.conf.
• Comment out inetd "internal trivial" services in /etc/inetd.conf to avoid denial-of-service attacks.
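The three "comment out" recommendations above can be checked and applied mechanically rather than by reading /etc/inetd.conf by eye. The following POSIX shell script is an added example and is not part of the HP-UX guide: it lists the services that are still enabled in an inetd.conf-style file, flags finger, RPC entries and the internal trivial services, and writes a hardened copy with those lines commented out. The sample file is constructed in the standard inetd.conf layout (service, socket type, protocol, wait flag, user, server program, arguments); the specific service lines and program paths are assumptions, not copied from a real HP-UX system, and the only assumption specific to HP-UX is that RPC entries begin with the keyword rpc.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide: audit and harden an
# inetd.conf-style file according to the guide's three recommendations.

# Constructed sample in the inetd.conf layout (not a real system's file)
make_sample_inetd_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample /etc/inetd.conf
ftp      stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet   stream tcp nowait root /usr/lbin/telnetd telnetd
#tftp    dgram  udp wait   root /usr/lbin/tftpd   tftpd
finger   stream tcp nowait bin  /usr/lbin/fingerd fingerd
daytime  stream tcp nowait root internal
echo     dgram  udp wait   root internal
rpc      dgram  udp wait   root /usr/lib/netsvc/rstat/rpc.rstatd 100001 2-4 rpc.rstatd
EOF
    echo "$f"
}

# Names of services that are not commented out, one per line, in file order
enabled_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# Enabled entries the guide says to comment out, with the reason
flag_services() {
    awk '!/^[ \t]*#/ && NF >= 6 {
        if ($1 == "finger")        print $1 ": shows user information without a password"
        else if ($1 == "rpc")      print $1 ": RPC service (" $6 ")"
        else if ($6 == "internal") print $1 ": inetd internal trivial service"
    }' "$1"
}

# Write a copy of $1 to stdout with the flagged entries commented out;
# everything else (including existing comments) is passed through unchanged
harden_inetd_conf() {
    awk '!/^[ \t]*#/ && NF >= 6 && ($1 == "finger" || $1 == "rpc" || $6 == "internal") { print "#" $0; next }
         { print }' "$1"
}

# Stand-alone usage
if [ "${0##*/}" = "inetd_audit.sh" ]; then
    f=$(make_sample_inetd_conf)
    echo "enabled:"; enabled_services "$f"
    echo "flagged:"; flag_services "$f"
    echo "hardened copy:"; harden_inetd_conf "$f"
fi
```

After editing the real file, inetd must be told to re-read it (inetd -c on HP-UX) before the change takes effect, and the remaining enabled services are the ones to cross-check against the port numbers registered with IANA as the first bullet recommends.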
When you enable TCP Wrappers, inetd runs a TCP wrapper daemon, tcpd, instead of running the requested service directly. The TCP Wrappers work as follows:
1. Clients send connection requests to inetd as they normally do, for example, telnet.
2. Instead of invoking the server process, inetd calls the TCP Wrapper daemon (tcpd).
3. The TCP Wrapper daemon determines the validity of the client's connection request.
4. The tcpd daemon logs the request and checks the access control files (/etc/hosts.
sis(5), kinit(1), klist(1), kdestroy(1M), krbval(1M), k5dcelogin(1M), inetsvcs_sec(1M), and inetsvcs(4). When you run SIS commands, the security is enhanced because you no longer have to transmit a password in readable form over the network. NOTE: The SIS libraries do not encrypt the session beyond what is necessary to authorize you or to authenticate the service. Therefore, these services do not provide integrity checking or encryption services on the data or on remote services.
5. Maintain consistency of user name, uid, and gid among password files in the administrative domain.
6. Maintain consistency among any group files on all nodes in the administrative domain. For example, to check consistency with the hq and mfg systems, if the root file system of the mfg system is remotely mounted to hq as /nfs/mfg/, enter the following diff command:
$ diff /etc/group /nfs/mfg/etc/group
If any differences are displayed, the two /etc/group files are inconsistent and they should not be.
4.6 Securing Remote Sessions Using HP-UX Secure Shell (SSH)

HP-UX Secure Shell is based on the OpenSSH product, an open source SSH product (http://www.openssh.org). It enables a secure connection between a client and a remote host over an otherwise insecure network. Following are the key attributes of this secure connection:
• Strong authentication for both client and the remote host.
• Strong encryption and public key cryptography for communication between a client and the remote host.
can be redirected to an sshd server over a secure channel, and the sshd server can then forward the traffic to a designated port on the real server machine. • Integration with underlying HP-UX security features. The HP-UX Secure Shell product is integrated with important HP-UX security features. For more information, see Section 4.6.7. 4.6.2 Software Components of HP-UX Secure Shell HP-UX Secure Shell software consists of a set of client and server components. See Table 4-2.
Table 4-2 Software Components of HP-UX Secure Shell (continued)
Component: ssh-keyscan
Description: Tool for a client to gather the public keys of a set of hosts running the Secure Shell daemon (sshd)
Location: Client
Equivalent non-secure component(s): Not applicable

Component: ssh-keysign
Description: Tool that generates the digital signature required during host-based authentication; ssh uses it to access the local host keys
Location: Client
Equivalent non-secure component(s): Not applicable
4.6.3.2 Running the sftp Client The sftp client application causes the sftp client process to spawn the ssh client, and then communicates with it using a UNIX pipe. The ssh client then establishes a socket connection with the sshd server. The rest of the server interaction is similar to the ssh client case described in Section 4.6.3.1. The difference is that instead of spawning a shell to execute the remote command, the child sshd process spawns the sftp-server process.
NOTE: Privilege separation is the default configuration for HP-UX Secure Shell. You can turn off privilege separation by setting UsePrivilegeSeparation NO in the sshd_config file. Because of the potential security risk, turn off privilege separation only after careful consideration.
directory. When a client connects to an sshd daemon, it presents its credentials at connection time. The server matches these credentials with its copy of the credentials for this specific user. Also, the server can optionally establish the legitimacy of the client's host environment. For more information, see gssapi(5), kerberos(9) and the HP-UX Kerberos Data Security documentation: www.hp.com/go/hpux-security-docs Click HP-UX Kerberos Data Security Software.
HP-UX Secure Shell is fully integrated with PAM modules available on the server system. For this purpose, the /opt/ssh/etc/sshd_config file carries a UsePAM configuration directive. If set to YES, any password authentication request from the client causes sshd to look at the PAM configuration file (/etc/pam.conf). Password authentication is then done through the configured PAM modules, in sequence, until successful. For more information on PAM authentication, see pam.conf(4).
• Shadow passwords
HP-UX Secure Shell is integrated with the HP-UX shadow password feature. For more information, see shadow(4).
• System log (syslog)
HP-UX Secure Shell uses syslog to write important messages. For more information, see syslog(3C) and syslogd(1M).
• Audit logging
HP-UX Secure Shell implements audit logging (in trusted mode) in its own code. For more information, see audit(5).
4.6.11 chroot Directory Jail chroot is a directory jail. It starts up an application in a specified directory and restricts users to accessing that directory and the directories below it. It prevents users from changing directories above that specified directory. It is intended to restrict file and directory access to users of that application while they are using the application. You must enable chroot for an application.
Part II Protecting Data HP-UX 11i offers data protection in many forms: protecting data in transit, in use, and at rest. By using security features designed to protect data in its three forms, HP-UX 11i customers can minimize possible breaches not only in terms of data loss, but in customer trust as well.
5 File System Security This chapter explains file system security. Before you read this chapter, you should have a basic understanding of files and file systems. Because data is stored in files, it is important to understand how to protect them. This chapter discusses the following topics: • Controlling file access (Section 5.1) • Setting access control lists (Section 5.2) • Using HFS ACLs (Section 5.3) • Using JFS ACLs (Section 5.4) • Comparison of JFS and HFS ACLs (Section 5.5) • ACLs and NFS (Section 5.
The r permission allows users to view or print the file. The w permission allows users to write (modify) the file. The x permission allows users to execute (run) the file or to search directories. Figure 5-1 shows the traditional permissions fields.
Figure 5-1 File and Directory Permission Fields (three fields, owner, group and others, each holding the r (read), w (write) and x (execute) bits)
The user/owner of a file or directory is generally the person who created it.
By default, the initial set of read and write permissions for files and directories are determined by the creator's umask value. To change the default file permissions, use the umask command. See umask(1). Each bit that is set in the file mode creation mask causes the corresponding permission bit in the file mode to be cleared (disabled). Conversely, bits that are clear in the mask allow the corresponding file mode bits to be enabled in newly created files.
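The mask arithmetic described above, as an added example in POSIX sh (not HP-UX code): apply_umask computes the mode a new object receives, and umask_demo creates a file and a directory under a given mask in a scratch directory and reads the modes the kernel actually assigned back from ls -l, so the two can be compared. The leading 0 inside $(( )) makes the constants octal, which is what lines the bit arithmetic up with umask.

```shell
# Added example (not HP-UX code): umask arithmetic plus a live check.

# apply_umask MASK MODE: the mode a new object gets when created with MODE
# under MASK (files are requested with 666, directories with 777).
apply_umask() {
    printf '%04o\n' $(( (0$2 & ~0$1) & 07777 ))
}

# mode_string_to_octal "-rw-r-----" -> 0640. Setuid/setgid/sticky letters
# (s, S, t, T) are folded into their execute bit and otherwise ignored.
mode_string_to_octal() {
    n=0; i=2
    while [ $i -le 10 ]; do
        ch=$(printf '%s' "$1" | cut -c$i)
        n=$(( n * 2 ))
        case $ch in
            -|S|T) ;;               # bit clear
            *) n=$(( n + 1 )) ;;    # r, w, x, s, t: bit set
        esac
        i=$(( i + 1 ))
    done
    printf '%04o\n' "$n"
}

# umask_demo MASK: "file NNNN dir NNNN" as actually assigned by the kernel.
umask_demo() {
    d=$(mktemp -d)
    ( umask "$1"; : > "$d/f"; mkdir "$d/sub" )
    f=$(mode_string_to_octal "$(ls -ld "$d/f" | cut -c1-10)")
    s=$(mode_string_to_octal "$(ls -ld "$d/sub" | cut -c1-10)")
    rm -rf "$d"
    printf 'file %s dir %s\n' "$f" "$s"
}

for mask in 022 027 077; do
    echo "umask $mask: computed file $(apply_umask $mask 666) dir $(apply_umask $mask 777); observed $(umask_demo $mask)"
done
```

A mask of 027 is the usual hardening choice for interactive accounts: new files are 640 and new directories 750, so nothing a user creates is world-readable by default.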
and then deleting and recreating a new file with modified content, but the same name. In most cases, the application is unaware of the change and may unintentionally perform malicious acts on behalf of the attacker.
5.1.4 Protecting Files Related to User Accounts
Follow these guidelines to protect files related to user accounts:
• A home directory should not be writable by anyone except the owner. Otherwise, any user can add and remove files from the directory.
• The .profile, .kshrc, .
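The guidelines above as an audit script, added here as an example and not HP-UX code: it reports any home directory under a base directory that is group- or world-writable, and any login startup file in it that someone other than the owner can write. The list of startup files (.profile, .kshrc, .login, .cshrc, .rhosts) is this example's own choice and should be extended to whatever the shells in use read at login. The two sample homes are constructed in a scratch directory, one clean and one violating both rules; the script reads the ls -l mode string rather than stat(1) so it runs unchanged on HP-UX, Linux and BSD.

```shell
# Added example (not HP-UX code): home directory and startup file audit.

# writable_by_others PATH: 0 if the group or other write bit is set.
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ?????w*|????????w?) return 0 ;;   # char 6 = group w, char 9 = other w
    esac
    return 1
}

# audit_home_dirs BASE: check every directory directly under BASE.
# Prints one line per finding; returns 1 if there were any, 0 if clean.
audit_home_dirs() {
    bad=0
    for home in "$1"/*; do
        [ -d "$home" ] || continue
        if writable_by_others "$home"; then
            echo "$home: home directory writable by group or others"; bad=1
        fi
        for f in .profile .kshrc .login .cshrc .rhosts; do
            [ -e "$home/$f" ] || continue
            if writable_by_others "$home/$f"; then
                echo "$home/$f: writable by group or others"; bad=1
            fi
        done
    done
    return $bad
}

# Constructed homes: one that follows the guidelines, one that violates them.
make_sample_homes() {
    mkdir -p "$1/good" "$1/bad"
    chmod 755 "$1/good"; chmod 777 "$1/bad"
    : > "$1/good/.profile"; chmod 644 "$1/good/.profile"
    : > "$1/bad/.profile";  chmod 664 "$1/bad/.profile"
}

demo=$(mktemp -d)
make_sample_homes "$demo"
audit_home_dirs "$demo" || echo "findings above need attention"
rm -rf "$demo"
```

On a real system the call is audit_home_dirs /home; a writable .profile is the more serious finding, because whatever is appended to it runs with the owner's identity at the next login.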
• A file or files were placed in a directory that now has a file system mounted on it. The files still exist but are not accessible. Unmount the file system to access the files.
• The file protection or ownership is preventing access. Use the chmod or chown command to change file permissions or ownership.
5.2 Setting Access Control Lists
Access control lists (ACLs) offer a finer degree of file protection than traditional file access permissions.
IMPORTANT: You must use chmod with the -A option when working with files that have HFS ACL permissions assigned. Without the -A option, chmod will delete the ACL permissions from the file. The syntax is: # chmod -A mode file The chacl command is a superset of the chmod command. Any specific permissions you assign with the chacl command are added to the more general permissions assigned with the chmod command. When a file has ACLs, the ll command displays a plus sign (+) after the permission string.
Example 5-1 Creating an HFS ACL
In this example, the chmod command restricts write permission on myfile to the user allan. The chmod command also deletes any previous HFS ACLs.
$ chmod 644 myfile
$ ll myfile
-rw-r--r--   1 allan      users            0 Sep 21 16:56 myfile
$ lsacl myfile
(allan.%,rw-)(%.users,r--)(%.%,r--) myfile
The lsacl command displays just the default (no ACL) values, corresponding to the basic owner, group, and other permissions.
Table 5-2 HFS ACL Commands
chacl: Changes HFS ACLs of files.
getaccess: Lists a user's access rights to files.
lsacl: Lists HFS ACLs of files.
Table 5-3 HFS ACL System Calls
getaccess: Gets a user's effective access rights to a file.
getacl, fgetacl: Gets HFS ACL information.
setacl, fsetacl: Sets HFS ACL information.
acltostr: Converts an HFS ACL structure to string form.
chownacl: Changes the owner or group represented in an HFS file's ACL.
Table 5-4 Commands and Calls Affecting ACL Entries (continued)
mailx: Does not support optional ACL entries on /var/mail/* files.
compact, compress, cp, ed, pack, unpack: Copy ACL entries to the new files they create.
frecover, fbackup: Use only these commands to selectively recover and back up files. Use the -A option when backing up from an ACL system for recovery on a system that does not support ACLs.
other entry for the other permissions. Additional entries can be added by the user, or as a result of default entries specified on the parent directory.
5.4.3 Minimal JFS ACL
An ACL with the four basic entries defined previously is called a minimal JFS ACL. An example minimal ACL looks like this:
user::rw-
group::r--
class:r--
other:---
• The user entry indicates the permissions of the owner of the file and maps directly to the owner permission bits.
are distinct. The owning group entry grants permissions to a specific group: the owning group. The class entry is more general; it specifies the maximum permissions that can be granted by any of the additional user and group entries. If a particular permission is not granted in the class entry, it cannot be granted by any ACL entries except for the first user (owner) entry and the other entry. Any permission can be denied to a particular user or group.
5.4.8 Example of Changing a Minimal JFS ACL To illustrate the function of the JFS ACL class entry, this section describes how chmod and setacl affect a file with a minimal JFS ACL and a file with group class entries. NOTE: Further details about the use of the getacl and setacl commands are in Section 5.4.10. Refer also to getacl(1) and setacl(1). Consider a file, exfile, with read-only (444) permissions and a minimal JFS ACL.
group:dev:r-x
class:rwx
other:rw-
Next, the chmod command removes write and execute permission from group, which actually reduces the class permissions to read-only. The owning group permissions, while unchanged, are effectively reduced to read-only as well.
$ chmod g-wx exfile
$ getacl exfile
# file: exfile
# owner: jsmith
# group: users
user::rw-
user:guest:r--
group::rw-      #effective:r--
group:dev:r-x   #effective:r--
class:r--
other:rw-
The other permissions are unchanged.
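The class-entry arithmetic behind the getacl output above, as an added example in POSIX sh + awk (not HP-UX code; JFS does this in the file system). Reading getacl-style text on standard input, acl_effective annotates each entry the class entry masks (named users, the owning group, named groups) with the permissions it actually grants; acl_after_chmod_group shows what chmod on the group bits does, since on JFS it rewrites the class entry; and acl_recalc_class prints the class entry setacl computes when -n is not given, the union of those same masked entries, which is the behaviour Section 5.4.10.3 describes. The exfile ACL is the one from the example above.

```shell
# Added example (not HP-UX code): JFS ACL class-entry arithmetic.

# Shared awk core. mode "effective": print entries, marking masked ones with the
# permissions the class entry leaves them. mode "class": print the class entry
# setacl would compute (union of user:NAME, group:: and group:NAME entries).
_jfs_acl_awk() {
    awk -F: -v mode="$1" '
        function bits(p) { return (substr(p,1,1)=="r")*4 + (substr(p,2,1)=="w")*2 + (substr(p,3,1)=="x") }
        function perm(b) { return (b>=4 ? "r" : "-") (int(b/2)%2 ? "w" : "-") (b%2 ? "x" : "-") }
        function band(a, b,    r, bit) {         # bitwise AND on 3-bit values
            r = 0
            for (bit = 4; bit >= 1; bit /= 2) {
                if (a >= bit && b >= bit) r += bit
                if (a >= bit) a -= bit
                if (b >= bit) b -= bit
            }
            return r
        }
        function bor(a, b,    r, bit) {          # bitwise OR on 3-bit values
            r = 0
            for (bit = 4; bit >= 1; bit /= 2) {
                if (a >= bit || b >= bit) r += bit
                if (a >= bit) a -= bit
                if (b >= bit) b -= bit
            }
            return r
        }
        /^#/ || NF < 2 { next }
        {
            n++; raw[n] = $0; type[n] = $1; perms[n] = $NF
            name[n] = (NF >= 3) ? $2 : ""
            # entries the class entry masks: named users, owning group, named groups
            masked[n] = (type[n] == "group" || (type[n] == "user" && name[n] != ""))
        }
        END {
            class = 0; union = 0
            for (i = 1; i <= n; i++) {
                if (type[i] == "class") class = bits(perms[i])
                if (masked[i]) union = bor(union, bits(perms[i]))
            }
            if (mode == "class") { print "class:" perm(union); exit }
            for (i = 1; i <= n; i++) {
                line = raw[i]
                if (masked[i]) {
                    e = band(bits(perms[i]), class)
                    if (e != bits(perms[i])) line = line "  #effective:" perm(e)
                }
                print line
            }
        }'
}

acl_effective()    { _jfs_acl_awk effective; }
acl_recalc_class() { _jfs_acl_awk class; }
# chmod on the group bits of a JFS file rewrites the class entry; show the result.
acl_after_chmod_group() { sed "s/^class:.*/class:$1/" | _jfs_acl_awk effective; }

exfile_acl='user::rw-
user:guest:r--
group::rw-
group:dev:r-x
class:rwx
other:rw-'
echo "after chmod g-wx (class becomes r--):"
printf '%s\n' "$exfile_acl" | acl_after_chmod_group r--
echo "class setacl recomputes without -n:"
printf '%s\n' "$exfile_acl" | acl_recalc_class
```

The effective permission is the bitwise AND of the entry and the class entry, which is why a later setacl without -n (which resets class to the union, rwx here) silently re-grants what chmod g-wx took away; use setacl -n when the class entry is meant to stay as a ceiling.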
For example, if you want any files created in the directory projectdir to be readable by certain users, you can create the appropriate default entries, as follows:
$ setacl -m d:u:boss:r,d:u:jjones:r,d:g:dev:r projectdir
$ getacl projectdir
# file: projectdir
# owner: jsmith
# group: users
user::rw-
user:boss:rw-
user:jjones:rw-
user:jdoe:---
group::rw-
group:dev:rw-
class:rw-
other:---
default:user:boss:r--
default:user:jjones:r--
default:group:dev:r--
If the newly created file is a directory, the same ACL entries are gener
Edit the file so that it appears as follows:
$ cat junk.acl
# file: junk
# owner: user1
# group: group1
user::rw-
user:user2:rw-
user:user3:rw-
user:user4:---
user:user5:r--
group::rw-
group:group2:rw-
group:group3:r--
group:group4:---
group:group5:rw-
class:rw-
other:r--
Apply the ACL to the file using the setacl -f command:
$ setacl -f junk.acl junk
5.4.10.3 Effective Permissions and setacl -n
Normally, setacl recalculates the class entry to ensure that permissions granted in the additional ACL entries are granted.
not recalculated because -n was specified. If -n was not used, class would have been reset to class:rwx, and the effective comment would not be there. 5.5 Comparison of JFS and HFS ACLs JFS ACLs adhere to the POSIX ACL standard. JFS ACLs differ from HFS ACLs in both format (internal and external) and functionality. Functional differences between JFS and HFS ACLs include the following: • A JFS directory's ACL can have default entries, which are applied to files subsequently created in that directory.
5.6 ACLs and NFS The Network File System (NFS) has no facility to pass ACL information about remote files. Therefore, ACLs are not visible on remote files by NFS. The ls -l command will not show that ACLs exist on a remote file, but the ACL control over access permissions remains effective. Individual manpage entries specify the behavior of the various system calls, library calls, and commands under these circumstances.
• Do not permit individual users to own a device special file other than for a terminal device or personal printer.
• Before putting a disk or other mountable device of unknown origin into service, check its files for device special files and setuid programs. See Section 5.9.
5.8 Protecting Disk Partitions and Logical Volumes
The Logical Volume Manager (LVM) is a common disk management tool. LVM divides up the disk more flexibly than fixed disk partitions, and logical volumes can span multiple disks.
Observe the following precautions when mounting a file system or disk:
• Create a mount point directory (such as /mnt) on which to mount a new file system. Never mount a file system on a directory that already contains files, because those files will become inaccessible. The mount point of a mounted file system acquires the permissions and ownership of the file system's root directory.
• Set permissions and access control list entries on disk path names to control access to disks.
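The check Section 5.7 recommends before putting a mountable device of unknown origin into service, as an added example (not HP-UX code): after mounting the device on a scratch mount point, list every setuid or setgid regular file and every block or character device file under it, staying on that one file system (-xdev) so the scan cannot wander into the rest of the tree. The sample tree is constructed in a temporary directory; device files need root to create, so it contains only a setuid and a setgid program.

```shell
# Added example (not HP-UX code): scan a mount point for setuid/setgid programs
# and device special files.

# scan_mount_point DIR: print the paths of suspicious files under DIR, sorted.
scan_mount_point() {
    find "$1" -xdev \( -type f \( -perm -4000 -o -perm -2000 \) -o -type b -o -type c \) -print | sort
}

# suspicious_file_count DIR: number of findings, for a go/no-go decision in scripts.
suspicious_file_count() {
    scan_mount_point "$1" | wc -l | tr -d ' '
}

# Constructed stand-in for a freshly mounted, untrusted file system.
make_sample_mount() {
    mkdir -p "$1/bin" "$1/etc"
    : > "$1/bin/tool";   chmod 4755 "$1/bin/tool"    # setuid
    : > "$1/bin/report"; chmod 2755 "$1/bin/report"  # setgid
    : > "$1/etc/passwd"; chmod 644  "$1/etc/passwd"  # ordinary file
}

demo=$(mktemp -d)
make_sample_mount "$demo"
echo "suspicious files under $demo:"
scan_mount_point "$demo" | while read -r f; do ls -ld "$f"; done
rm -rf "$demo"
```

When the device is mounted for inspection, mount it with nosuid and nodev first (see mount(1M)), so that nothing the scan finds can be exercised before you have reviewed it.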
5.10 Controlling File Security on a Network From the perspective of security, networked systems are more vulnerable than standalone systems. Networking increases system accessibility, but also adds greater risk of security violations. Although you cannot completely control security over the network, you can control the security of each node on the network to limit penetration risk without reducing the usefulness of the system or user productivity.
5.10.2.1 Server Vulnerability Maintain server security by setting restrictive permissions on the /etc/exports file. Root privileges are not maintained across NFS. Thus, having root privileges on a client system does not provide you with special access to the server. The server performs the same permission checking remotely for the client as it does locally for its own users.
with setuid permission is owned by root, it will run with root permissions, regardless of who starts it.
6 Compartments This chapter describes the compartments feature of HP-UX 11i v3. This chapter addresses the following topics: • Overview (Section 6.1) • Planning the compartment structure (Section 6.2) • Compartment components (Section 6.3) • Compartment rules and syntax (Section 6.4) • Configuring a compartment (Section 6.5) • Troubleshooting compartments (Section 6.6) • Using discover mode to generate initial compartment configuration (Section 6.7) • Compartments in HP Servicegard Clusters (Section 6.
parts of the system. The compartments on the system are configured so that the processes can access the resources they need.
• The handler processes can communicate with the parent process, and with the recorder, using IPC and signals.
• The network is isolated from the recorder and the parent process.
This compartment configuration provides security for the file system and the recorder. Both are isolated by their compartments. Though the handler processes can communicate with the network, the network cannot be accessed by the recorder or the parent process.
contain rules referring to compartments for another component. If you must remove a component, you can modify the compartment configuration more easily if the compartment configurations are kept separate. • Create a single compartment configuration file for each software component. This enables you to remove the compartment configuration easily if you remove the software from the system. You can also find all rules pertaining to the software component easily.
Table 6-2 Compartment Commands
cmpt_tune: Queries, enables, and disables the compartments feature.
setfilexsec: Sets security attributes of binary files, including the compartment attribute.
getfilexsec: Displays security attributes associated with binary executable files, including the compartment attribute.
getprocxsec: Displays security attributes of processes, including the compartment attribute.
getrules: Displays the compartment rules currently active in the kernel.
Table 6-3 Compartment Manpages (continued)
getrules(1M): Describes getrules functionality and syntax.
setrules(1M): Describes setrules functionality and syntax.
vhardlinks(1M): Describes vhardlinks functionality and syntax.
compartment_login(5): Describes the compartment login feature.
pam_hpsec(5): Extended authentication, account, password, and session service module for HP-UX.
6.4 Compartment Rules and Syntax
A compartment consists of a name and a set of rules.
system (Optional) Indicates that this compartment shares the ownership of network interfaces with default compartments, such as the init compartment, and with other compartments that are marked as system compartments. The ownership of network interfaces is typically specified by network interface rules.
In the following example, the ifaces compartment shares the ownership of lan0 and lan1 with the init compartment. The init compartment will prefer lan0 and lan1 for network communications over network interfaces that are owned by other compartments.
system compartment ifaces {
    interface lan0
    interface lan1
}
NOTE: The INIT compartment name is not case sensitive. INIT, init, and Init are all treated as the same compartment by the system.
the compartment not only to lookup in the directory (see the nsearch parameter), but also to list contents of the directory. Similar to the nsearch parameter, this access control is not inherited. Therefore, even if a directory is searchable and readable, any directory or file underneath it is not searchable or readable unless it is explicitly allowed. The nread keyword is valid only if the HP-UX ContainmentPlus product is installed on the system.
object is associated with a process, the object exists in the same compartment as the process that created it. You define compartment rules to describe the relationship between the process accessing the object and the object being accessed. When the rule describes two processes communicating with each other, you treat the second process as an object. The default behavior for IPC objects is that all operations between different compartments are prohibited unless explicitly allowed by a rule.
effect when the cmpt_restrict_tl tunable is set to 1. See t_open(3), t_connect(3), and cmpt_restrict_tl(5).
compartment_name The name of the other compartment with which processes in this compartment can communicate. When multiple IPC rules are defined for the same compartment, the rules are aggregated; that is, the union of the IPC mechanisms is taken.
communications, the subject and target compartments should be of the processes that are communicating and not that of the interface being used for communication. Each rule is specified by protocol (TCP, UDP, or any raw protocol number) and the target compartment, and can optionally filter based on local or peer port numbers (TCP and UDP only). If an explicit rule does not match a communication attempt, the default is to deny communication.
• rule. For UDP and RAW, this rule applies to all inbound packets.
• client: This rule applies to outbound requests only. For TCP, only connection initiations are controlled by this rule. For UDP and RAW, this rule applies to all outbound packets.
• bidir: This rule applies to both inbound and outbound requests. For TCP, connections initiated and received by the endpoint are controlled by this rule. For UDP and RAW, this rule applies to all packets passing through the endpoint.
grant server tcp port 80 lan1cmpt The network rules control how a process can communicate on a given port and interface, as well as how the process can bind to a port or address. In other words, the network rules are enforced at the time a communication takes place, and when a process calls the bind routine. The multibind facility enables processes to attach to IFADDR_ANY on a specific port in different compartments having disjoint set of interface rules.
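The network rule semantics described above (direction, protocol, optional port, target compartment, default deny), as an added example that is not HP-UX code: a POSIX sh + awk evaluator for rules written in the form shown, such as grant server tcp port 80 lan1cmpt. Several details are this example's own assumptions rather than statements of the page: a deny keyword alongside grant, first-matching-rule-wins ordering, the port keyword meaning the local port, and the omission of the peer-port filter the text mentions but does not spell out. The rule set it reads is constructed for a hypothetical compartment named webcmpt.

```shell
# Added example (not HP-UX code): evaluate compartment network rules.

make_sample_net_rules() {
    cat > "$1" <<'EOF'
# constructed sample: network rules of a compartment named webcmpt
grant server tcp port 80 lan1cmpt
grant server tcp port 443 lan1cmpt
grant client udp port 53 dnscmpt
grant bidir tcp dbcmpt
EOF
}

# net_decision RULESFILE DIRECTION PROTO PORT TARGET
#   DIRECTION is inbound or outbound; PORT is the local port of the attempt.
#   Prints the decision; returns 0 for grant, 1 for deny.
net_decision() {
    awk -v dir="$2" -v proto="$3" -v port="$4" -v target="$5" '
        /^[ \t]*(#|$)/ { next }
        $1 != "grant" && $1 != "deny" { next }     # "deny" is an assumption here
        {
            kind = $2; rproto = $3; i = 4; rport = ""
            if ($i == "port") { rport = $(i + 1); i += 2 }   # optional local port
            rtarget = $i
            if (rproto != proto) next
            if (kind == "server" && dir != "inbound") next   # server: inbound only
            if (kind == "client" && dir != "outbound") next  # client: outbound only
            if (rport != "" && rport != port) next
            if (rtarget != target) next
            decision = $1; found = 1; exit                   # first matching rule decides
        }
        END {
            if (!found) decision = "deny (no matching rule)" # default is to deny
            print decision
            exit (decision == "grant" ? 0 : 1)
        }' "$1"
}

demo=$(mktemp -d)
make_sample_net_rules "$demo/rules"
for attempt in "inbound tcp 80 lan1cmpt" "outbound tcp 80 lan1cmpt" "inbound tcp 22 lan1cmpt" \
               "inbound tcp 5432 dbcmpt" "outbound udp 53 dnscmpt"; do
    printf '%-28s -> ' "$attempt"
    net_decision "$demo/rules" $attempt || true
done
rm -rf "$demo"
```

The second and third attempts are the ones worth noticing: a server rule does not let the web compartment initiate connections to port 80 elsewhere, and a port not named in any rule is refused even though the target compartment appears in other rules. That is the default-deny the text describes, and it is why a compartment that needs outbound access must say so with a client or bidir rule.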
NOTE: When APA is used in LAN MONITOR mode, the following rules must be met: • The primary interface, lan0, must be assigned to the proper compartment. • The secondary interface, lan1, is either not assigned to any compartment or is assigned to the same compartment as lan0. • The aggregate interface, lan900, is either not assigned to any compartment or is assigned to the same compartment as lan0. HP recommends that you leave lan900 unassigned in case APA changes the naming scheme.
6.5 Configuring Compartments
This section discusses the following topics:
• Activating compartments (Section 6.5.1)
• Defining a compartment configuration (Section 6.5.2)
• Running an application in a compartment (Section 6.5.3)
• Logging in directly to a compartment (Section 6.5.4)
6.5.1 Activating Compartments
To activate compartment rules on the system, follow these steps:
1. Plan the compartment rules. See Section 6.2 for more information.
See Section 6.5.2.2 for more information about the implications of changing the name of a compartment. You can add new compartment rules, delete unneeded rules, and modify existing rules. You can also change the names of existing compartments. The application containment wizard, contain, can be used to simplify this configuration process. See compartment_login(5) for more information. The following sections describe how to modify the compartment configuration.
6.5.2.1 Changing Compartment Rules
• The setfilexsec command to configure the compartment attribute of a binary file. For example, to configure the application apple into the compartment fruit, enter the following command:
# setfilexsec -c fruit apple
• HP-UX RBAC, see Section 8.5.5.
6.5.4 Login Directly to a Compartment
The compartment login configuration enables users and administrators to log in directly to a compartment.
1. Execute the following command: # vhardlinks If the output shows an inconsistency, go on to step 2. 2. Modify the rules to remove the inconsistency. Follow the procedure described in Section 6.5.2. Problem 4: Network server rules do not appear in getrules output. Solution: Because of the way rules are managed internally, network server rules for a given compartment can be listed in the target compartment output of the getrules command.
6.8 Compartments in HP Serviceguard Clusters If you use compartments with HP Serviceguard, you must configure all Serviceguard daemons in the default INIT compartment. However, you can configure Serviceguard packages in other compartments. See the latest editions of Managing Serviceguard and Using Serviceguard Extension for RAC for daemons required in Serviceguard and Serviceguard extensions for Oracle Real Application Cluster (RAC). Serviceguard packages can belong to specific compartments.
NOTE: If a standby interface is configured in a compartment, running the setrules command applies this compartment to the standby interface even if it has been successfully switched from a primary interface. If the configured standby interface compartment does not match the primary interface compartment, the primary interface compartment is overwritten when you run setrules. This can cause security violations.
7 Fine-Grained Privileges
This chapter describes the fine-grained privileges feature of HP-UX 11i. This chapter addresses the following topics:
• Overview (Section 7.1)
• Fine-grained privileges components (Section 7.2)
• Available privileges (Section 7.3)
• Configuring applications with fine-grained privileges (Section 7.4)
• Security implications of fine-grained privileges (Section 7.5)
• Fine-grained privileges in HP Serviceguard Clusters (Section 7.
Table 7-1 Fine-Grained Privileges Commands
setfilexsec: Sets security attributes of binary files. The attributes include retained privileges, permitted privileges, compartment, and the privilege start flag.
getfilexsec: Displays security attributes associated with binary executable files. The attributes include retained privileges, permitted privileges, compartment, and security attribute flags.
getprocxsec: Displays security attributes associated with running processes.
Table 7-3 Available Privileges (continued)
PRIV_CHROOT: Allows a process to change its root directory.
PRIV_CHSUBJIDENT: Allows a process to change its UIDs, GIDs, and group lists. Also allows a process to leave the suid or sgid bits set on the file when the chown() system call is used.
PRIV_CMPTREAD: Allows a process to open a file or directory for reading, executing, or searching, bypassing compartment rules that otherwise would not permit these operations.
Table 7-3 Available Privileges (continued)
PRIV_LIMIT: Allows a process to set resource and priority limits beyond the maximum limit values.
PRIV_LOCKRDONLY: Allows a process to use the lockf() system call to lock files opened with read-only permission.
PRIV_MKNOD: Allows a process to create character or block special files using the mknod() system call.
PRIV_MLOCK: Allows a process to access the plock system call.
Table 7-3 Available Privileges (continued)
PRIV_RDEVOPS: Allows the process to do device administrative operations that are not pseudo-terminal specific. This privilege is valid only when the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system.
PRIV_REBOOT: Allows a process to perform reboot operations.
PRIV_RTPRIO: Allows a process to access the rtprio() system call.
PRIV_RTPSET: Allows a process to control RTE psets.
PRIV_CORESYSATTR and PRIV_HOSTATTR. The PRIV_MOUNT privilege is divided into PRIV_FSMOUNT and PRIV_SWAPCTL. The PRIV_DEVOPS privilege is divided into PRIV_RDEVOPS and PRIV_PTYOPS. This new privilege model allows applications, when explicitly developed to be aware of HP-UX privileges (see privileges(5)), to have finer control over the administrative capabilities that were controlled by the PRIV_SYSATTR, PRIV_MOUNT and PRIV_DEVOPS privileges.
TIP: HP recommends that you use HP-UX RBAC to configure applications that require variable privileges to run.
NOTE: Some of the fine-grained privileges are subdivided. If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system, the PRIV_SYSATTR, PRIV_MOUNT, and PRIV_DEVOPS privileges are each divided into two privileges. By using the new privileges, a process can allow a subset of the operations while disallowing the others.
7.4.1 Privilege Model Each process has three privilege sets associated with it: • Permitted Privilege Set The maximum set of privileges a process can raise. The process can drop any privilege from this set, but cannot add any privileges to this set. Privileges from this set can be added to the effective privilege set of the process. • Effective Privilege Set The set of currently active privileges for a process.
The following are compound privileges:
• BASIC: Basic privileges available to all processes by default. Processes may drop one or more privileges from this set.
• BASICROOT: Basic privileges plus the privileges that provide powers usually associated with UID 0.
• POLICY: Policy override privileges and policy configuration privileges. Policy override privileges override compartment rules. Policy configuration privileges control how privileges are configured.
7.7 Troubleshooting Fine-Grained Privileges If something is not working on the system and you suspect the problem is occurring because of fine-grained privileges, you can check the fine-grained privileges configuration as follows. Problem 1: Even though fine-grained privileges are assigned to a binary file, processes that use exec() to access the binary are not receiving the assigned fine-grained privileges. Solution: Check for one of the following situations.
Part III Protecting Identity In modern day global enterprise companies, managing identity is not an easy task, especially as identity management requirements grow to include employees, contractors, partners and suppliers across many countries with various privacy protection laws and regulation. HP-UX 11i simplifies user authentication and access management, while auditing all privileged actions that take place.
8 HP-UX Role-Based Access Control
The information in this chapter describes HP-UX Role-Based Access Control (HP-UX RBAC). This chapter addresses the following topics:
• Overview (Section 8.1)
• Access control basics (Section 8.2)
• HP-UX RBAC components (Section 8.3)
• Planning the HP-UX RBAC deployment (Section 8.4)
• Configuring HP-UX RBAC (Section 8.5)
• Using HP-UX RBAC (Section 8.6)
• Troubleshooting HP-UX RBAC (Section 8.7)
HP-UX RBAC offers the following features:
• Predefined configuration files specific to HP-UX, for a quick and easy deployment
• Flexible re-authentication via Pluggable Authentication Module (PAM), to allow restrictions on a per-command basis
• Integration with the HP-UX audit system, to produce a single, unified audit trail
• Pluggable architecture for customizing access control decisions
Table 8-1 Example of Authorizations Per User (continued)
Operation component of authorization (one row per operation, with a column per user): hpux.network.nfs.stop; hpux.network.nfs.config; hpux.fs.backup; hpux.fs.restore
NOTE: Table 8-1 shows only the operation element of the authorizations, not the object element of the authorizations.
Table 8-2 Example of Authorizations Per Role (continued)
Operation component of authorization (one row per operation, with a column per role): hpux.user.delete; hpux.user.modify; hpux.user.password.modify; hpux.network.nfs.start; hpux.network.nfs.stop; hpux.network.nfs.config; hpux.fs.backup; hpux.fs.restore
NOTE: Table 8-2 shows only the operation element of the authorizations, not the object element of the authorization.
SMH integration RBAC System Management Homepage (SMH) integration to allow the graphical management of the RBAC databases through a Web interface. The following sections discuss the HP-UX RBAC components in more detail. 8.3.
Table 8-3 HP-UX RBAC Configuration Files (continued)
/etc/acps.conf: Configuration file for the ACPS.
/etc/rbac/aud_filter: Audit filter file identifying specific HP-UX RBAC roles, operations, and objects to audit.
8.3.3 HP-UX RBAC Commands
Table 8-4 lists and briefly describes the HP-UX RBAC commands.
Table 8-5 HP-UX RBAC Manpages (continued)
authadm(1m): Describes authadm functionality and syntax.
cmdprivadm(1m): Describes cmdprivadm functionality and syntax.
rbacdbchk(1m): Describes rbacdbchk functionality and syntax.
privsh(5m): Overview of various privileged system shells.
rbac.conf(4m): Configuration file for Role Based Access Control.
key_filter(4m): Configuration file for the keystroke logging module.
Figure 8-1 HP-UX RBAC Architecture (diagram; components shown: the privilege wrapper commands privrun, privedit and cmdprivadm in /usr/sbin; the command, authorization and privilege database; access-control aware applications; the Access Control Policy Switch (ACPS) with its API and SPI; the local RBAC access control policy module (ACPM) and other policy ACPMs; PAM service modules and the name service switch; user information, for example /etc/passwd; the user role database, the role authorization database, the valid system roles and the valid system authorizations)
Figure 8-2 Example Operation After Invoking privrun (diagram; a process, typically a shell, invokes privrun with the command, its arguments and the UID; privrun consults the ACPS, which maps users to roles via /etc/rbac/user_role (many-to-many), roles to authorizations via /etc/rbac/role_auth (many-to-many), and the command to its authorization and privileges via /etc/rbac/cmd_priv; privrun then drops all but the defined privileges and runs the command with them)
1. A process, specifically a shell, associated with the user executes privrun with the goal of executing a target command with elevated privilege.
8.4.1 Planning the Roles Planning an appropriate set of roles for the users of a system is a critical first step in deploying HP-UX RBAC. In some enterprises, this set of roles already exists, and you can reuse it when configuring HP-UX RBAC. More commonly, you must design the roles based on the existing tasks associated with administrative users on the system.
# grep hpux.user. /etc/rbac/cmd_priv
/usr/sbin/pwgrd:dflt:(hpux.user.cache.admin,*):0/0//:dflt:dflt:dflt:
/usr/sbin/userdel:dflt:(hpux.user.delete,*):0/0//:dflt:dflt:dflt:
/usr/sbin/groupdel:dflt:(hpux.user.group.delete,*):0/0//:dflt:dflt:dflt:
/usr/sbin/useradd:dflt:(hpux.user.add,*):0/0//:dflt:dflt:dflt:
/usr/sbin/usermod:dflt:(hpux.user.modify,*):0/0//:dflt:dflt:dflt:
/usr/sbin/groupadd:dflt:(hpux.user.group.add,*):0/0//:dflt:dflt:dflt:
/usr/sbin/groupmod:dflt:(hpux.user.group.
— You cannot run privedit on a file that is restricted by a compartment definition.
— To provide a different application with fine-grained privileges, the privrun command must be running with those same privileges it wants to provide to the application. By default, privrun is configured to run with all privileges (see getfilexsec(1M) for more information). However, sometimes this default privilege set may be restricted.
Table 8-6 Example Planning Results

Users               Roles            Authorizations       Typical Commands (Note: Objects Assumed to Be *)
chandrika, rwang    UserOperator     hpux.user.*          /usr/sbin/useradd
                                     hpux.security.*      /usr/sbin/usermod
bdurant, prajessh   NetworkOperator  hpux.network.*       /sbin/init.d/inetd
luman               Administrator    hpux.*               /opt/customcmd
                                     company.customauth

8.5.1 Configuring Roles
Configuring roles for users is a two-step process:
1. Create roles.
2. Assign roles to users or groups.

8.5.1.
NOTE: See the roleadm(1m) manpage for more information.

Following are two examples of the roleadm command adding new roles:
# roleadm add UserOperator
roleadm: added role UserOperator
# roleadm add NetworkOperator
roleadm: added role NetworkOperator

NOTE: The default configuration files delivered with HP-UX RBAC contain a single preconfigured role: Administrator. By default, the Administrator role is assigned all HP-UX system authorizations (hpux.*, *) and is associated with the root user.
NOTE: HP-UX RBAC offers the ability to add a special user named DEFAULT to the /etc/rbac/user_role database. Assigning a role to the DEFAULT user means any user that does not exist on the system is assigned that role.

8.5.1.3 Assigning Roles to Groups
HP-UX RBAC also enables you to assign roles to groups. You can use the roleadm command options that use the user value, such as roleadm assign user role and roleadm revoke user role, to administer groups and roles.
The following is a list and brief description of the authadm command arguments:
add      Adds an authorization to the system list of valid authorizations in /etc/rbac/auths.
delete   Deletes an authorization from the system list of valid authorizations in /etc/rbac/auths.
assign   Assigns an authorization to a role and adds an entry to /etc/rbac/role_auth.
revoke   Revokes an authorization from a role and updates /etc/rbac/role_auth.
    |[re-auth=pam_service_name]
    |[flags=comma_separated_flags_list]

cmdprivadm delete cmd=full_path_name_of_a_command | full_path_name_of_a_file
    |[op=operation]|[object=object]
    |[ruid=ruid]|[euid=euid]
    |[rgid=rgid]|[egid=egid]
    |[compartment=compartment_label]
    |[privs=comma_separated_privilege_list]
    |[re-auth=pam_service_name]
    |[flags=comma_separated_flags_list]

The following is a list and brief description of the two main cmdprivadm command arguments:
add   Adds command (or file) authorization information to th
NOTE: See cmdprivadm(1M) for information on all of the cmdprivadm arguments. Most arguments are optional and are filled in with reasonable defaults if nothing is specified.

NOTE: To modify an existing entry in the /etc/rbac/cmd_priv file, you must first delete the entry and then add the updated version back in. When you use cmdprivadm to delete entries, arguments act as filters. For example, specifying the cmdprivadm delete op=foo command removes all entries where the operation is foo.
BASICROOT compound privilege and that requires the (hpux.adm.mount, *) authorization:
# cmdprivadm add cmd=/etc/mount op=hpux.adm.
NOTE: The privrun -p MOUNT /etc/mount command matches the BASICROOT privilege because the MOUNT simple privilege is part of the predefined BASICROOT compound privilege. See the privileges(5) manpage for more information about simple and compound privileges.

IMPORTANT: The sequence of the entries in /etc/rbac/cmd_priv is important because privrun will execute according to the first explicit match it finds.
NOTE: Use only the cmdprivadm command to configure compartments for commands. Do not edit the /etc/rbac/cmd_priv database file without using cmdprivadm.

To modify an existing entry in the /etc/rbac/cmd_priv file, you must first delete the entry and then add the updated version back in. When you use cmdprivadm to delete entries, arguments act as filters. For example, specifying the cmdprivadm delete op=foo command removes all entries in which the operation is foo.
-G   Matches only those entries containing the real group ID (RGID) corresponding to the specified RGID or the RGID associated with the group name.
-a   Matches only those entries requiring the specified authorization. Authorization is defined as (operation, object) pairs in the /etc/rbac/cmd_priv database file. The specified authorization must exactly match the authorization present in the /etc/rbac/cmd_priv file—wildcards are not supported.
In some cases, this may not be ideal. For example, all users may be allowed to run the passwd command to change their own password, but when a user administrator runs it, they need the privileges to change other users' passwords. If the entry for all the normal users is listed before the entry for the user administrators, that entry is matched first, which might prevent the user administrators from ever running the more privileged version.
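To make the first-match rule concrete, here is an added example (my own code, not part of the HP-UX guide or of privrun) that parses entries in the cmd_priv layout shown earlier and resolves which entry a caller would get. The field order (command:args:(operation,object):ruid/euid/rgid/egid:compartment:privs:re-auth:flags) is inferred from the sample entries and the cmdprivadm syntax; the company.passwd.* authorization names are constructed for the example, and the assumption that privrun considers only the first entry whose command matches is drawn from the IMPORTANT note above.

```python
"""Parse entries in the /etc/rbac/cmd_priv format and apply privrun's first-match rule.

Added example, not HP-UX code. The field layout (command:args:(operation,object):
ruid/euid/rgid/egid:compartment:privs:re-auth:flags) is inferred from the sample
entries and the cmdprivadm syntax in this chapter.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class CmdPrivEntry:
    command: str
    args: str
    operation: str
    obj: str
    ids: str          # ruid/euid/rgid/egid exactly as written, e.g. "0/0//"
    compartment: str
    privs: str
    reauth: str
    flags: str


def parse_cmd_priv(text):
    """Return the entries of a cmd_priv database in file order (order matters for privrun)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 8:
            raise ValueError(f"malformed cmd_priv entry: {line!r}")
        auth = fields[2].strip()
        if not (auth.startswith("(") and auth.endswith(")") and "," in auth):
            raise ValueError(f"malformed authorization in entry: {line!r}")
        op, obj = (part.strip() for part in auth[1:-1].split(",", 1))
        entries.append(CmdPrivEntry(fields[0], fields[1], op, obj,
                                    fields[3], fields[4], fields[5], fields[6], fields[7]))
    return entries


def auth_grants(held, operation, obj):
    """True if a held (operation, object) pair covers the required one.

    Assumption: '*' is a wildcard in either component, so (hpux.user.*, *)
    covers (hpux.user.modify, *) as Table 8-6 implies.
    """
    held_op, held_obj = held
    return fnmatchcase(operation, held_op) and fnmatchcase(obj, held_obj)


def resolve(entries, command, held_auths):
    """Select the cmd_priv entry privrun would use for `command`.

    Only the first entry whose command field matches is considered (assumption
    drawn from the IMPORTANT note); if the caller's authorizations do not cover
    that entry the result is None, even when a later entry would have matched.
    """
    for entry in entries:
        if entry.command == command:
            if any(auth_grants(h, entry.operation, entry.obj) for h in held_auths):
                return entry
            return None
    return None


def shadowed_entries(entries, command):
    """Entries for `command` that sit behind an earlier entry for the same command."""
    same = [e for e in entries if e.command == command]
    return same[1:]


# Constructed sample database; the company.passwd.* names are made up for the example.
SAMPLE_CMD_PRIV = """\
/usr/sbin/useradd:dflt:(hpux.user.add,*):0/0//:dflt:dflt:dflt:
/usr/bin/passwd:dflt:(company.passwd.self,*):0/0//:dflt:dflt:dflt:
/usr/bin/passwd:dflt:(company.passwd.others,*):0/0//:dflt:dflt:dflt:
"""

if __name__ == "__main__":
    entries = parse_cmd_priv(SAMPLE_CMD_PRIV)
    admin = [("company.passwd.*", "*")]
    print("admin gets:", resolve(entries, "/usr/bin/passwd", admin).operation)
    print("shadowed:", [e.operation for e in shadowed_entries(entries, "/usr/bin/passwd")])
```

With the sample order, a user administrator holding company.passwd.* still receives the self-service entry; swapping the two passwd entries gives the administrator the privileged one while ordinary users, who hold only company.passwd.self, are refused. Listing shadowed entries is a cheap review step after every cmdprivadm add.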
However, the editor recognizes and supports editor-specific environment variables if you set them before invoking privedit. Use a fully qualified file name as a privedit argument to identify which file to edit. If you do not use a fully qualified file name, privedit adds the current working directory to the beginning of the file name you specify. Regardless of how you specify the file to edit, all file names are fully qualified after you invoke privedit.
• which modules are consulted for making access decisions
• the sequence in which the modules are consulted
• the rules for combining module responses to return results to applications

See Section 8.3.1, and acps.conf(4), acps(3), and rbac(5) for more information about the ACPS.

8.6.4 Generating Keystroke and Command Logs
An authorized user can generate "keystroke logs" for selected users, as well as generate a log of commands invoked through RBAC without the need for the HP-UX audit system.
KEY_STROKE_LOGGING = 1
3. Create a keyfilter file under /etc/rbac specifying what users to log. For more information on customizing specific policies, see key_filter(4m).

Once these steps are completed, subsequent access by the targeted users causes a keystroke log file to be generated and stored in the location specified in the /etc/rbac/rbac.conf file.
[/etc/rbac/cmd_priv]
/opt/cmd:dflt:(newop,*):0/0//:dflt:dflt:dflt:
invalid command: Not found in the system
The value '/opt/cmd' for the Command field is bad.

[Role in role_auth DB with no assigned user in user_role DB]
Rebooter:(hpux.admin.*, *)

[Invalid Role in user_role DB. Role 'UserOperator' assigned to user 'chandrika' does not exist in the roles DB]

On a correctly configured system, the rbacdbchk command produces no output, indicating no errors are present.

8.7.
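The two database-level findings above (a role in role_auth that no user holds, and a user assigned a role missing from the roles database) are cross-reference checks that are easy to reproduce. The following added example (my own code, not rbacdbchk or any other HP-UX tool) performs them over constructed copies of the files. It assumes /etc/rbac/roles holds one role name per line, /etc/rbac/auths one (operation, object) pair per line, /etc/rbac/user_role lines of the form user:role, and /etc/rbac/role_auth lines of the form role:(operation, object) as in the output above; the check that a role_auth entry names an authorization present in auths is an extra check beyond what the text shows, and the command-existence check against the file system is left out.

```python
"""Cross-check the HP-UX RBAC databases the way rbacdbchk does, in simplified form.

Added example, not HP-UX code. Assumed file layouts: /etc/rbac/roles holds one
role name per line, /etc/rbac/auths one "(operation, object)" pair per line,
/etc/rbac/user_role "user:role" lines and /etc/rbac/role_auth
"role:(operation, object)" lines as shown in the rbacdbchk output above.
"""


def _records(text):
    """Yield non-empty, non-comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_auth(text):
    """'(hpux.admin.*, *)' -> ('hpux.admin.*', '*')"""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")) or "," not in text:
        raise ValueError(f"bad authorization: {text!r}")
    op, obj = (part.strip() for part in text[1:-1].split(",", 1))
    return op, obj


def parse_user_role(text):
    pairs = []
    for line in _records(text):
        user, role = (part.strip() for part in line.split(":", 1))
        pairs.append((user, role))
    return pairs


def parse_role_auth(text):
    pairs = []
    for line in _records(text):
        role, auth = line.split(":", 1)
        pairs.append((role.strip(), parse_auth(auth)))
    return pairs


def check_databases(roles_txt, auths_txt, user_role_txt, role_auth_txt):
    """Return a list of findings; an empty list means the databases are consistent."""
    roles = set(_records(roles_txt))
    auths = {parse_auth(line) for line in _records(auths_txt)}
    user_role = parse_user_role(user_role_txt)
    role_auth = parse_role_auth(role_auth_txt)
    findings = []

    for user, role in user_role:
        if role not in roles:
            findings.append(f"Invalid role in user_role DB: role '{role}' assigned to "
                            f"user '{user}' does not exist in the roles DB")

    for role in sorted({role for role, _ in role_auth}):
        if role not in roles:
            findings.append(f"Invalid role in role_auth DB: role '{role}' does not exist in the roles DB")

    for role, auth in role_auth:
        # exact membership: wildcard pairs must themselves be listed in auths (assumption)
        if auth not in auths:
            findings.append(f"Unknown authorization in role_auth DB: ({auth[0]}, {auth[1]}) "
                            f"for role '{role}' is not in the auths DB")

    assigned = {role for _, role in user_role}
    for role in sorted({role for role, _ in role_auth}):
        if role in roles and role not in assigned:
            findings.append(f"Role in role_auth DB with no assigned user in user_role DB: '{role}'")
    return findings


# Constructed sample reproducing the situation in the rbacdbchk output above.
ROLES = "Administrator\nNetworkOperator\nRebooter\n"
AUTHS = "(hpux.*, *)\n(hpux.user.add, *)\n(hpux.user.modify, *)\n(hpux.network.*, *)\n(hpux.admin.*, *)\n"
USER_ROLE = "root:Administrator\nchandrika:UserOperator\nbdurant:NetworkOperator\n"
ROLE_AUTH = ("Administrator:(hpux.*, *)\nNetworkOperator:(hpux.network.*, *)\n"
             "NetworkOperator:(company.netops, *)\nRebooter:(hpux.admin.*, *)\n")

if __name__ == "__main__":
    for finding in check_databases(ROLES, AUTHS, USER_ROLE, ROLE_AUTH):
        print(finding)
```

Running the check after every roleadm or authadm change, and treating a non-empty finding list as a failed change, catches the dangling references before privrun ever consults them.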
9 Audit Administration
The purpose of auditing is to selectively record events for analysis and detection of security breaches. The audit data is recorded in log files. Thus, the auditing system acts as a deterrent against system abuses and exposes potential security weaknesses.
• Self-auditing (Section 9.10)
• HP-UX RBAC auditing (Section 9.11)

9.1 Auditing Components
The auditing feature of HP-UX 11i contains configuration files, commands, and manpages. These are listed in the following sections.

9.1.1 Commands
Table 9-1 contains a brief description of each auditing command.

Table 9-1 Audit Commands
Command     Description
audevent    Changes or displays event or system call status.
audfilter   Loads, clears, and displays the audit filtering policy.
9.1.3 Audit Manpages
Table 9-3 contains a brief description of each manpage associated with the auditing feature.

Table 9-3 Audit Manpages
Manpage         Description
audevent(1M)    Describes audevent functionality and syntax.
audisp(1M)      Describes audisp functionality and syntax.
audomon(1M)     Describes audomon functionality and syntax.
audsys(1M)      Describes audsys functionality and syntax.
userdbset(1M)   Describes userdbset functionality and syntax.
audit.conf(4)   Describes the /etc/audit/audit.conf file.
1. Determine which users to audit. By default, all users are selected for auditing.
2. Determine which events or system calls to audit. Use the audevent command to display a list of events and system calls that are currently selected for auditing. Events and system calls can be grouped into profiles. For more information on profiles, see Section 9.4.
3. Decide where you want to place the audit log files (audit trails) on the system.
4.
   c. Set SEC_AUDFILE to the name of the auxiliary log file.
   d. Set SEC_SWITCH to the maximum size of the secondary audit log file (in KB).
   For more information about setting up primary and auxiliary audit log files, see Section 9.5.
6. Start the audomon daemon if it has not yet been started. The audomon daemon monitors the growth of the current audit trail and switches to an alternative audit trail whenever necessary. For example:
   #audomon -p 20 -t 1 -w 90 -X "/usr/local/bin/rcp_audit_trail hostname"
7.
8.
   #audsys -f
   The audsys -f command lets you stop the system auditing while keeping the audomon daemon running.
4. (Optional) Set the AUDIT flag to 0 in the /etc/rc.config.d/auditing file to keep the auditing system from starting at the next system reboot.

9.2.5 Performance Considerations
Auditing increases system overhead. When performance is a concern, be selective about what events and users are audited. This can help reduce the impact of auditing on performance.

9.2.
command userdbset -u user AUDIT_FLAG=1 or userdbset -d -u user AUDIT_FLAG for each of those users. By default, auditing is enabled for all users when the audit system is turned on. New users added to the system are automatically audited. If auditing is turned off for all users, set AUDIT_FLAG=1 in the /etc/default/security file.
• Do not audit any users. Perform the following steps to disable auditing for all users:
1.
events, and system calls) that affect a particular type of system. An event category consists of a set of operations (self-auditing events and system calls) that affect a particular aspect of the system. Once an event category or a profile is selected, all system calls and self-auditing events associated with the event category or profile are selected. When the auditing system is installed, a default set of event classification information is provided in the /etc/audit/audit.conf file.
To configure the events associated with the basic profile for auditing, use the following command:
# audevent -P -F -r basic
Both Audit Success and Audit Failure are set as event types for monitoring successful and failed events or system calls. Monitoring these three event categories is the minimum event type selection recommended for running a system. Generally, a record is written only if both the event is selected for auditing and the user initiating the event has been selected for auditing.
NOTE:
1. With HP-UX 11i version 3, an auxiliary audit trail does not need to be specified; the auditing system does switching of audit trails automatically.
2. If autoswitching failed and the current audit trail continues to grow past the FSS point, all auditable actions are suspended for regular users. The system can be restored by archiving the audit data, or specifying a new audit log file on a file system with space.
3.
9.5.2 Monitoring and Managing Audit Trails
The audit overflow monitor daemon (audomon) is used to monitor and manage audit trails. The audomon daemon is started automatically when auditing is started at system boot time (AUDITING=1 in /sbin/init.d/auditing). The audomon daemon can also be started by a privileged user. Once started, the audomon daemon monitors the capacity of the current audit trail and the file system it resides on.
-t sp_freq    The minimum wakeup interval, in minutes, at which the system prints warning messages on the console for audit log file switch points. The default sp_freq value is 1 minute.
-w warning    The percentage of audit log file space used or minimum file system free space used after which warning messages are sent to the console. The default warning value is 90%.
-X command    The command is executed each time audomon switches the audit trail.

For more information, see audomon(1M).

9.
-P            Displays audit filtering policy in preview mode as specified in the /etc/audit/filter.conf file. This option parses the /etc/audit/filter.conf file, checking for syntax and semantic errors, but makes no changes to the system. The rules will not be displayed the same way as they are written, but in the order they will be evaluated (that is, in the internal format).
-s syscall    Restricts the display to the given system call. This option must be used with the -p or -P option.
• An Audit DPMS service module, audit_hpux_raw, that reads raw audit data collected by the HP-UX auditing system.
• An Audit DPMS service module, audit_hpux_portable, that handles audit data that is portable across HP-UX systems, and good for retention purposes. Also a sample script, audit_p2l, that demonstrates how to convert the portable data into syslog-like messages.
• An Audit DPMS service module, audit_hpux_xml, that converts audit data into XML format.
-m module[source]   Read audit data from the source using the specified Audit DPMS service module. The source is the pathname of a file from which to read the data. If the source is omitted, auditdp reads the audit data from the standard input.
-n nevents          Specify the number of events to display. If nevents is positive, process only the first nevents events. If nevents is negative, process only the last nevents events. If -n is not specified, all events are processed.
  #auditdp -p portable -P portable2 -s "+event=login"
• Extract exec events from a particular session and write to stdout:
  #auditdp -r /var/.audit/audit_trail -s "+sid=1234" -P | \
  auditdp -p -s "+event=exec"
  or
  #auditdp -r /var/.audit/audit_trail -s "+sid=1234;+event=exec"

9.9 Viewing Audit Logs
Auditing can generate a significant amount of data. Use the audisp command to select the data that you want to view:
#/usr/sbin/audisp audit_trail

NOTE: The audisp command will be obsolete in a future release.
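The selection expressions and the -n limit described for auditdp are a small filter language, and the equivalence between "+sid=1234;+event=exec" and two piped invocations is the property worth understanding when building audit review scripts. The following added example (my own code, not auditdp or any HP-UX module) implements that subset over constructed event records. It assumes only the +field=value form shown in this section, that terms joined by ';' must all hold, that -n limits the events read before selection is applied, and that events can be represented as dicts, since the portable record layout is not described here.

```python
"""Select audit events with auditdp-style selection expressions.

Added example, not HP-UX code. Only the '+field=value' form shown in this section
is implemented; terms joined with ';' are all required, which is what makes
"+sid=1234;+event=exec" equivalent to piping two auditdp invocations. Events are
represented as dicts because the portable record layout is not described here.
"""


def parse_selection(expr):
    """'+sid=1234;+event=exec' -> [('sid', '1234'), ('event', 'exec')]"""
    terms = []
    for term in expr.split(";"):
        term = term.strip()
        if not term:
            continue
        if not term.startswith("+") or "=" not in term:
            raise ValueError(f"unsupported selection term: {term!r}")
        field, value = term[1:].split("=", 1)
        terms.append((field.strip(), value.strip()))
    return terms


def event_matches(event, terms):
    """An event is selected only when every term agrees with it (values compared as strings)."""
    return all(str(event.get(field)) == value for field, value in terms)


def limit_events(events, nevents):
    """Model -n: positive keeps the first n, negative keeps the last n, None/0 keeps all."""
    events = list(events)
    if not nevents:
        return events
    return events[:nevents] if nevents > 0 else events[nevents:]


def select_events(events, expr="", nevents=None):
    """Apply -n to the input stream first (assumption), then the selection expression."""
    terms = parse_selection(expr)
    return [e for e in limit_events(events, nevents) if event_matches(e, terms)]


# Constructed sample events; the field names are illustrative, not the portable format.
SAMPLE_EVENTS = [
    {"seq": 1, "event": "login", "sid": 1234, "uid": 1001},
    {"seq": 2, "event": "exec", "sid": 1234, "uid": 1001, "cmd": "/usr/bin/ls"},
    {"seq": 3, "event": "exec", "sid": 5678, "uid": 1002, "cmd": "/usr/sbin/usermod"},
    {"seq": 4, "event": "exec", "sid": 1234, "uid": 1001, "cmd": "/usr/sbin/privrun"},
    {"seq": 5, "event": "logout", "sid": 1234, "uid": 1001},
]


def seqs(events):
    """Sequence numbers of the selected events, for compact reporting."""
    return [e["seq"] for e in events]


if __name__ == "__main__":
    print("exec in session 1234:", seqs(select_events(SAMPLE_EVENTS, "+sid=1234;+event=exec")))
    print("last two events:", seqs(select_events(SAMPLE_EVENTS, nevents=-2)))
```

Because every term must hold, the single expression and the two-stage pipeline select the same records; the only difference in practice is that the pipeline re-parses the intermediate portable output.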
a record will be produced for each event type and system call that has been enabled for audit, not just for the new event type being added. 9.9.
Command    Description
audevent   Select events to be audited
audisp     Display the audit data
audsys     Start or halt the auditing system
audusr     Select users to be audited
init       Change run levels, users logging off
lpsched    Schedule line printer requests
fbackup    Flexible file backup
ftpd       File transfer protocol daemon
remshd     Remote shell server daemon
rlogind    Remote login server daemon
telnetd    Telnet server daemon
privrun    Invokes legacy application. (1)
privedit   Allows authorized users to edit files.
to generate audit records. Audit records are generated only if the attributes of a process match all three entries (role, operation, and object) found in /etc/rbac/aud_filter. If a user's role and associated authorization are not found in the file or do not explicitly match, then no audit records specific to role-to-authorization are generated. Authorized users can edit the /etc/rbac/aud_filter file using a text editor and specify the role and authorization to be audited.
2. Configure the location and name of the audit output file and enable auditing on the system by using the following command:
   # audsys -n -c /tmp/aud.out -s 2048
3. Execute an HP-UX RBAC command, for example:
   # /usr/sbin/authadm add newauth
4. Open the audit output file and search for the records on the authadm command by using the following command:
   # audisp /tmp/aud.
A Trusted Systems
This appendix describes how to set up and manage a trusted system. This appendix discusses the following topics:
• Setting up a trusted system (Section A.1)
• Auditing a trusted system (Section A.2)
• Managing trusted passwords and system access (Section A.3)
• Guidelines for trusted backup and recovery (Section A.4)

NOTE: Trusted Systems has been deprecated. HP-UX 11i v3 is the last release that supports this product.

A.
   • Turns on the audit flag for all existing users.
   • Converts the at, batch, and crontab input files to use the submitter's audit ID.
5. Verify that the audit files are on the system:
   1. Use swlist -l fileset to list the installed file sets. Look for the fileset called SecurityMon, which contains the auditing program files. To reduce the listing, enter the following command:
      # swlist -l fileset | grep Security
   2.
6.
Security Administrator's Responsibilities
The security administrator and every user on the system must share responsibility for password security. The security administrator performs the following security tasks:
• Generates temporary passwords for new users. This password must be used for first login. When this temporary password has been verified, the new user is prompted for a new password.
robin:*:102:99:Robin Hood,Rm 3,x9876,408-555-1234:/home/robin:/usr/bin/sh

The fields contain the following information (listed in order), separated by colons:
1. User (login) name, consisting of up to 8 characters. (In the example, robin)
2. Unused password field, held by an asterisk instead of an actual password. (*)
3. User ID, an integer ranging from 0 to MAXINT-1, equal to 2,147,483,646 or 2^31 - 2. (102)
4. Group ID, from /etc/group, an integer ranging from 0 to MAXINT-1. (99)
5.
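The field layout above is exactly what a reviewer of /etc/passwd has to check, so here is an added example (my own code, not part of the HP-UX guide) that parses entries in that format and reports the constraints the text states: the 8-character login limit and the 0 to MAXINT-1 range for UID and GID. The empty-password, non-absolute home directory and duplicate-UID-0 checks are defensive checks added beyond the text; the sample lines other than robin's are constructed.

```python
"""Parse and sanity-check /etc/passwd entries of the form described above.

Added example, not HP-UX code. The field order, the 8-character login limit and the
0..MAXINT-1 range for UID and GID come from the text; the empty-password, home
directory and duplicate-UID-0 checks are added defensive checks beyond it.
"""
from dataclasses import dataclass

MAXINT_MINUS_1 = 2**31 - 2   # 2,147,483,646, the upper bound the text gives for UID and GID


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    password: str   # '*' here; the field is unused when the real hash lives elsewhere
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line):
    """Split one colon-separated line into a PasswdEntry, rejecting malformed lines."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}: {line!r}")
    name, password, uid, gid, gecos, home, shell = fields
    try:
        return PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell)
    except ValueError:
        raise ValueError(f"UID and GID must be integers: {line!r}") from None


def validate_entry(entry):
    """Return a list of problems; an empty list means the entry is well-formed."""
    problems = []
    if not entry.name or len(entry.name) > 8:
        problems.append(f"login name {entry.name!r} must be 1 to 8 characters")
    if not 0 <= entry.uid <= MAXINT_MINUS_1:
        problems.append(f"UID {entry.uid} outside 0..{MAXINT_MINUS_1}")
    if not 0 <= entry.gid <= MAXINT_MINUS_1:
        problems.append(f"GID {entry.gid} outside 0..{MAXINT_MINUS_1}")
    if entry.password == "":
        problems.append("empty password field allows login without a password")
    if not entry.home.startswith("/"):
        problems.append(f"home directory {entry.home!r} is not an absolute path")
    return problems


def audit_passwd(text):
    """Report problems per login name, plus any second account that shares UID 0."""
    report = {}
    uid0 = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_passwd_line(line)
        if entry.uid == 0:
            uid0.append(entry.name)
        issues = validate_entry(entry)
        if issues:
            report[entry.name] = issues
    if len(uid0) > 1:
        report["uid-0"] = [f"more than one account has UID 0: {', '.join(uid0)}"]
    return report


# The robin line is the text's example; the other lines are constructed for the demonstration.
SAMPLE_PASSWD = """\
root:*:0:3::/:/sbin/sh
robin:*:102:99:Robin Hood,Rm 3,x9876,408-555-1234:/home/robin:/usr/bin/sh
toolongname:*:2147483647:99:Too Long:/home/toolongname:/usr/bin/sh
backdoor::0:99:No password:/home/backdoor:/usr/bin/sh
"""

if __name__ == "__main__":
    for name, issues in audit_passwd(SAMPLE_PASSWD).items():
        print(name, issues)
```

Run against a real file, the report is empty on a clean system; the UID-0 check in particular is the kind of finding that deserves an alert rather than a log line.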
• Time of last successful and unsuccessful password changes
• Absolute time (date) when the account will expire
• Maximum time allowed between logins before the account is locked
• Number of days before expiration when a warning will appear
• Whether passwords are user-generated or system-generated
• Password triviality check to prevent common words or well-known terms from being used as passwords
• Type of system-generated passwords
• Null passwords
• User ID of last person to change password, if
Lifetime
The time at which the account associated with the password is locked if the password is not changed. Once an account is locked, only the system administrator can unlock it. Once unlocked, the password must still be changed before the user can log into the account. The expiration time and lifetime values are reset when a password is changed. A lifetime of zero specifies no password aging; in this case, the other password aging times have no effect.

A.3.
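The interaction between expiration time, lifetime and the warning period is easier to reason about as a state function. The following added example (my own code, not HP-UX trusted-system code) models it with whole days counted from an arbitrary epoch: the expiration time, lifetime, warning period, the lock-at-lifetime rule, the reset on password change, the administrator-only unlock with a forced change afterwards, and the lifetime-of-zero case all come from the text; the status names and the day-based units are my assumptions.

```python
"""Model the trusted-system password aging states described above.

Added example, not HP-UX code. Times are whole days counted from an arbitrary
epoch; expiration time, lifetime and warning period are taken from the text,
the status names ('ok', 'warning', 'expired', 'locked') are my own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AgingPolicy:
    expiration_days: int   # age at which the password must be changed
    lifetime_days: int     # age at which the account is locked; 0 means no password aging
    warning_days: int      # days before expiration at which the user is warned


@dataclass(frozen=True)
class PasswordRecord:
    last_change_day: int
    admin_unlocked: bool = False   # set by the administrator; cleared by a password change


def password_status(record, policy, today):
    """Classify the password as ok, warning, expired or locked on the given day."""
    if policy.lifetime_days == 0:
        return "ok"                       # no aging: the other times have no effect
    age = today - record.last_change_day
    if age >= policy.lifetime_days:
        # locked, unless an administrator has unlocked it; the password must still be changed
        return "expired" if record.admin_unlocked else "locked"
    if age >= policy.expiration_days:
        return "expired"
    if age >= policy.expiration_days - policy.warning_days:
        return "warning"
    return "ok"


def login_allowed(record, policy, today):
    """A locked account cannot log in; 'expired' means login proceeds into a forced change."""
    return password_status(record, policy, today) != "locked"


def change_password(record, policy, today):
    """A successful change resets the expiration and lifetime clocks."""
    if password_status(record, policy, today) == "locked":
        raise PermissionError("account is locked; only the system administrator can unlock it")
    return PasswordRecord(last_change_day=today)


def unlock_account(record):
    """Administrator action: the account becomes usable, but the password must still be changed."""
    return PasswordRecord(last_change_day=record.last_change_day, admin_unlocked=True)


if __name__ == "__main__":
    policy = AgingPolicy(expiration_days=30, lifetime_days=60, warning_days=7)
    record = PasswordRecord(last_change_day=0)
    for day in (10, 23, 30, 60):
        print(day, password_status(record, policy, day))
```

Note that the lock is a consequence of age, not a stored flag, so unlocking without changing the password would lock the account again; that is why the model carries an explicit admin_unlocked marker that only a password change clears.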
• Last unsuccessful login time to the terminal
• Number of consecutive unsuccessful logins before terminal is locked
• Terminal lock flag

Only superusers can access these trusted system databases and can set the entries using HP SMH. See devassign(4) and ttys(4).

A.3.
• If all files must be backed up on schedule, request that all users log off before you perform the backup. However, fbackup warns you if a file is changing while the backup is being performed.
• Examine the log file of latest backups to identify problems occurring during backup.
• Set restrictive permissions for the backup log file.
• The frecover command allows you to overwrite a file. However, the file retains the permissions and ACLs set when the file was backed up.
B Other Security Products
This appendix includes additional security products available for HP-UX, for the following three security categories:
• “Protecting Systems” (page 199)
• “Protecting Data” (page 200)
• “Protecting Identity” (page 203)

You can download these products for free from the HP Software Depot at:
http://www.hp.com/go/softwaredepot

B.
basic types of unauthorized system activity or security attacks frequently found on enterprise networks. • Provides notification in the event of suspicious activity that might precede an attack. By contrast, other intrusion detection systems rely entirely on an operator-instigated analysis of the system log files. Typically the operator analyses the system log files at the end of the day. This delay in the analysis of the attack provides considerable time to damage the system.
that must be managed. HP-UX Containers is a component of the Virtualization Continuum for HP-UX and offers high efficiency in resource utilization and performance. For more information, see the HP-UX Containers (SRP) documentation:
www.hp.com/go/virtualization-manuals
Click HP-UX Containers (SRP) Software.

B.2.2 HP-UX Encrypted Volume and File System (EVFS)
EVFS (Encrypted Volume and File System) is an application-transparent technology providing protection of data at rest.
B.2.5 HP-UX Secure Shell
HP-UX Secure Shell uses hashing to ensure data integrity and provides secure tunneling features, port forwarding, and an SSH agent to maintain private keys on the client. HP-UX Secure Shell enables you to securely log into another system over a network, to execute commands on a remote system, and to move files from one system to another. HP-UX Secure Shell provides a set of commands that replace insecure commands such as rlogin, rsh, rcp, ftp, and telnet.
correct TPM chip. Procedures are provided for encrypted volume backup and configuration of ServiceGuard clustering when TCS keys are employed.
• HP-UX SecureShell now contains support for utilization of TCS keys for servers establishing encrypted sessions with remote clients. This prevents a SecureShell server from being easily transferred to another platform.
• With HP-UX OpenSSL, TCS key protection can be easily integrated into applications that rely on OpenSSL for cryptographic operations.
http://www.hp.com/go/hpux-security-docs
Click HP-UX AAA Server (RADIUS) Software.

B.3.2 HP-UX Directory Server
A global directory service, HP-UX Directory Server (HPDS) provides an industry-standard, centralized directory service on which to build your intranet or extranet.
Glossary

3DES
Triple Data Encryption Standard. A symmetric key block encryption algorithm that encrypts data three times, using a different 56-bit key each time (168 bits used for keys). 3DES is suitable for bulk data encryption.

AAA server
Authentication, Authorization, and Accounting server. An AAA server provides authentication, authorization, and accounting services of user network access at the entry points to a network.
certificate
A security certificate associates (or binds) a public key with a principal—a particular person, system, device, or other entity. The security certificate is issued by an entity, in whom users have put their trust, called a Certificate Authority (CA), which guarantees or confirms the identity of the holder (person, device, or other entity) of the corresponding private key.
Diameter Base
A protocol that provides authentication, authorization, and accounting (AAA) services based on the RADIUS protocol. The Diameter protocol provides the same functionality as RADIUS, with improved reliability, security and infrastructure. See also RADIUS.

Diffie-Hellman
A public-key method to generate a symmetric key where two parties can publicly exchange values and generate the same symmetric key.
will be used. IKE also manages the distribution and update of the symmetric (shared) encryption keys used by ESP and AH. See also ESP and AH.

IPSec policy
IPSec policies specify the rules according to which data is transferred securely. IPSec policies generally contain packet filter information and an action.
PAM
Pluggable Authentication Module. An authentication framework that allows system administrators to configure services for authentication, account management, session management, and password management for HP-UX utilities, such as the system login utility.

Perfect Forward Secrecy (PFS)
With Perfect Forward Secrecy, the exposure of one key permits access only to data protected by that key.

Pluggable Authentication Module
See PAM.
A sends data with a digital signature, a digest or hash encrypted with system A's private key. To verify the signature, system B uses system A's public key to decrypt the signature and compare the decrypted hash or digest to the digest or hash that it computes for the message.

SASL
Simple Authentication and Security Layer. A protocol used to add authentication services to connection-based network applications.
VPN
Virtual Private Network. A private network within a public network, such as the global Internet. A VPN is virtual because it uses tunnels to effectively create a separate logical network within a physical network. A VPN is private because outside users cannot see or modify the data being transmitted. VPNs that use host identity authentication also provide protection against IP address spoofing.