HP-UX 11i v3 March 2012 Release Notes

Initial (February 2007) Release Notes, Chapter 8: “Security”

New: HP-UX 11i Security Containment: Provides compartments, which isolate unrelated
resources on a system to prevent catastrophic system damage if one compartment is penetrated.
When configured in a compartment, an application (processes, binaries, data files and
communication channels used) has restricted access to resources outside its compartment.
Also provides fine-grained privileges, which allow you to grant privileges to processes needed
for the task and, optionally, only for the time needed to complete the task.

HP-UX Auditing System: Enhanced in several ways, including: the auditing subsystem now
works without converting the system to trusted mode; standard mode audit user selection
information is stored in a per-user configuration user database; the userdbset command specifies
which users are to be audited in standard mode; and several other enhancements.

New: HP-UX Bastille: Although Bastille has been available on the Web (and on the HP-UX 11i
v2 OEs) for some time, it is now available, at version B.3.0.20, on the HP-UX 11i v3 OEs for
the first time for customers migrating from HP-UX 11i v1 and includes several enhancements.

HP-UX Host Intrusion Detection System: Updated to release 4.0 with features including reducing
alert volume by aggregation; reducing alert volume by monitoring only critical files; configuring
critical users; supporting specification of usernames and user IDs; and measuring the event
rate.

HP-UX IPFilter: Updated to version A.03.05.13 with defect fixes and enhancements including
filtering on X.25 interfaces; filtering on 10GigE interfaces; IPFilter not plumbed into the
networking stack by default; no reboot required to enable IPFilter.

New: HP-UX IPSec: Previously only available on the AR media. Now delivered on the HP-UX
11i v3 Operating Environments. Provides an infrastructure to allow secure communications
(authentication, integrity, confidentiality) over IP networks between systems and devices that
implement the IPsec protocol suite.

HP-UX Secure Shell: Updated to version A.04.40.005 with many new features including high
performance enabled SSH/SCP patch; configuration directives in the server; auth selection
patch; increase in the default size of RSA and DSA keys; delayed compression; and many
other features, as well as defect fixes.

HP-UX Security Attributes Configuration tool (secweb): Updated to support long user names.

New: HP-UX Standard Mode Security Extensions: Enhances the security of systems running in
standard mode by providing security features that were previously available only on systems
that had been converted to trusted mode.

Install-Time Security: Adds a security step to the install/update process that allows you to run
the Bastille security lockdown engine during system installation with one of four configurations
ranging from default security to “DMZ.”

Kerberos Client: Updated to version 1.3.5.03 with new features including support for powerful
cryptographic algorithms like 3DES, RC4, and AES; support for IPv6; support for TCP; and
defect fixes.

OpenSSL: Updated to version A.00.09.08d.001 with support (in default version) for several
hardware ENGINES (see section for specifics); support for elliptic curve cryptography; and
EVP, the library that provides a high-level interface to cryptographic functions. Other
provided versions include other features.

PAM Kerberos: Enhanced to issue a warning if rc_host_0 is owned by anyone other than
root when a user tries to rlogin into a system; will also issue a warning if the keytable entry
is not found for the host service principal on the client but is present at the KDC.

New: Security Patch Check: Analyzes the currency of a system with respect to security bulletins.
Recommends actions for security vulnerabilities that have not been fixed by patches, updates,
or logged manual actions currently applied to the system.