Hp Ux Auditing System Extensions Administrators Guide Administrator's
2015-03-28
: Hp Hp-Hp-Ux-Auditing-System-Extensions-Administrators-Guide-669671 hp-hp-ux-auditing-system-extensions-administrators-guide-669671 hp pdf
Open the PDF directly: View PDF .
Page Count: 218
Download | |
Open PDF In Browser | View PDF |
HP-UX System Administrator's Guide: Security Management HP-UX 11i Version 3 HP Part Number: B3921-90059 Published: September 2011 Edition: 7 © Copyright 2011 Hewlett-Packard Development Company L.P Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this document, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material. Warranty A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office. U.S. Government License Proprietary computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Trademark Notices UNIX® is a registered trademark in the United States and other countries, licensed exclusively through The Open Group. VERITAS® is a registered trademark of Symantec Corporation. Acknowledgments This product includes software developed by the Apache Software Foundation. This documentation is based on information from the Apache Software Foundation (http://www.apache.org). This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org). Table of Contents About this Document.................................................................................................................15 I Protecting Systems...................................................................................................................21 1 Installing the HP-UX Operating Environment Securely.............................................................23 1.1 Installation Security Considerations..................................................................23 1.2 Preventing Security Breaches During the Boot Process........................................23 1.3 Enable Login Security for root........................................................................24 1.4 Using Boot Authentication to Prevent Unauthorized Access.................................25 1.5 Setting Install-Time Security Options................................................................25 1.6 Installing Security Patches..............................................................................26 1.7 Postinstallation Security Tips for Backup and Recovery.......................................26 2 Administering User and System Security..............................................................................29 2.1 Managing User Access.................................................................................29 2.1.1 Monitoring User Accounts.......................................................................29 2.1.2 Monitoring Guest Accounts.....................................................................30 2.1.3 Creating Application User Accounts.........................................................30 2.1.4 Managing Group Accounts....................................................................31 2.2 Authenticating Users During Login..................................................................31 2.2.1 Explanation of the Login Process.............................................................32 2.2.2 Checking the login Tracking Files (btmp and wtmp)...................................33 2.2.2.1 Last Command Examples................................................................33 2.2.3 Checking Who Is Logged In...................................................................34 2.3 Authenticating Users with PAM.......................................................................34 2.3.1 Overview.............................................................................................34 2.3.2 PAM Libraries.......................................................................................36 2.3.3 Systemwide Configuration Using /etc/pam.conf.......................................37 2.3.4 Sample /etc/pam.conf File....................................................................38 2.3.5 The /etc/pam_user.conf User Configuration File.......................................39 2.3.6 Examples: How PAM Works for Login.....................................................39 2.4 Managing Passwords...................................................................................41 2.4.1 System Administrator Responsibilities.......................................................41 2.4.2 User Responsibilities.............................................................................41 2.4.3 Criteria of a Good Password..................................................................42 2.4.4 Changing the /etc/passwd Password File................................................42 2.4.4.1 Examples of passwd Commands.....................................................42 2.4.4.2 The /etc/passwd File Format..........................................................43 2.4.5 The /etc/shadow Shadow Password File.................................................43 Table of Contents 3 2.4.6 Eliminating Pseudo-Accounts and Protecting Key Subsystems in /etc/passwd................................................................................................45 2.4.7 Secure Login with HP-UX Secure Shell.....................................................46 2.4.8 Securing Passwords Stored in NIS...........................................................46 2.4.9 Securing Passwords Stored in LDAP Directory Server.................................46 2.5 Defining System Security Attributes.................................................................46 2.5.1 Configuring Systemwide Attributes...........................................................48 2.5.2 Configuring Per-User Attributes...............................................................48 2.5.2.1 Examples of Defining User-Specific Attributes with userdbset................49 2.5.2.2 INACTIVITY_MAXDAYS and the Shadow Password File......................49 2.5.3 Troubleshooting the User Database.........................................................49 2.6 Handling setuid and setgid Programs.............................................................50 2.6.1 Why setuid and setgid Programs Can Be Risky.........................................51 2.6.2 How IDs Are Set..................................................................................51 2.6.3 Guidelines for Limiting Setuid Power.......................................................51 2.7 Preventing Stack Buffer Overflow Attacks.........................................................52 2.8 Protecting Unattended Terminals and Workstations...........................................53 2.8.1 Controlling Access Using /etc/inittab and Run Levels................................53 2.8.2 Protecting Terminal Device Files..............................................................54 2.8.3 Configuring the Screen Lock...................................................................54 2.8.3.1 Configuring the TMOUT Variable....................................................54 2.8.3.2 Configuring the CDE Lock Manager................................................55 2.9 Protecting Against System Access by Remote Devices........................................55 2.9.1 Controlling Access Using /etc/dialups and /etc/d_passwd........................56 2.10 Securing Login Banners...............................................................................57 2.11 Protecting the root Account...........................................................................58 2.11.1 Monitoring root Account Access.............................................................58 2.11.2 Using the Restricted SMH Builder for Limited Superuser Access...................58 2.11.3 Reviewing Superuser Access..................................................................59 3 HP-UX Standard Mode Security Extensions...........................................................................61 3.1 Overview....................................................................................................61 3.2 Security Attributes and the User Database.......................................................62 3.2.1 System Security Attributes.......................................................................62 3.2.2 Configuring Systemwide Attributes..........................................................62 3.2.3 User Database Components...................................................................63 3.2.3.1 Configuration Files.........................................................................63 3.2.3.2 Commands..................................................................................63 3.2.3.3 Attributes.....................................................................................63 3.2.3.4 Manpages...................................................................................64 3.2.4 Configuring Attributes in the User Database.............................................65 3.2.5 Troubleshooting the User Database.........................................................65 4 Table of Contents 4 Remote Access Security Administration................................................................................67 4.1 Overview of Internet Services and Remote Access Services.................................67 4.1.1 Securing ftp..........................................................................................68 4.1.2 Securing Anonymous ftp.........................................................................69 4.1.3 Denying Access Using /etc/ftpd/ftpusers.................................................69 4.1.4 Other Security Solutions for Spoofing.......................................................70 4.2 The inetd Daemon.......................................................................................70 4.2.1 Securing inetd......................................................................................71 4.2.1.1 Denying or Allowing Access Using /var/adm/inetd.sec......................72 4.3 Protection Against Spoofing with TCP Wrappers..............................................72 4.3.1 Additional Features of TCP Wrappers......................................................73 4.3.2 TCP Wrappers Do Not Work with RPC Services.......................................73 4.4 Secure Internet Services................................................................................73 4.5 Controlling an Administrative Domain.............................................................74 4.5.1 Verifying Permission Settings on Network Control Files...............................75 4.6 Securing Remote Sessions Using HP-UX Secure Shell (SSH)................................76 4.6.1 Key Security Features of HP-UX Secure Shell.............................................76 4.6.2 Software Components of HP-UX Secure Shell...........................................77 4.6.3 Running HP-UX Secure Shell...................................................................78 4.6.3.1 Running the ssh Client....................................................................78 4.6.3.2 Running the sftp Client...................................................................79 4.6.3.3 Running the scp Client...................................................................79 4.6.4 HP-UX Secure Shell Privilege Separation..................................................79 4.6.5 HP-UX Secure Shell Authentication..........................................................80 4.6.5.1 GSS-API.......................................................................................80 4.6.5.2 Public Key Authentication...............................................................81 4.6.5.3 Host-Based and Public Key Authentication........................................81 4.6.5.4 Password Authentication................................................................81 4.6.6 Communication Protocols......................................................................82 4.6.7 HP-UX Secure Shell and the HP-UX System...............................................82 4.6.8 Associated Technologies.......................................................................83 4.6.9 Strong Random Number Generator Requirement......................................83 4.6.10 TCP Wrappers Support........................................................................83 4.6.11 chroot Directory Jail.............................................................................84 II Protecting Data......................................................................................................................85 5 File System Security..........................................................................................................87 5.1 Controlling File Access..................................................................................87 5.1.1 Setting File Access Permissions.................................................................88 5.1.2 Setting File Ownership...........................................................................89 5.1.3 Protecting Directories.............................................................................89 5.1.4 Protecting Files Related to User Accounts..................................................90 Table of Contents 5 5.1.5 Locating and Correcting File Corruption Using fsck....................................90 5.2 Setting Access Control Lists............................................................................91 5.3 Using HFS ACLs...........................................................................................91 5.3.1 HFS ACLs and HP-UX Commands and Calls.............................................93 5.4 Using JFS ACLs............................................................................................95 5.4.1 Definition of a JFS ACL..........................................................................95 5.4.2 How the System Generates a JFS ACL.....................................................95 5.4.3 Minimal JFS ACL..................................................................................96 5.4.4 Additional JFS ACL user and group Entries...............................................96 5.4.5 JFS ACL group and class Entries.............................................................96 5.4.6 Using the setacl and getacl Commands...................................................97 5.4.7 Effect of chmod on class Entries..............................................................97 5.4.8 Example of Changing a Minimal JFS ACL................................................98 5.4.9 Default JFS ACLs..................................................................................99 5.4.10 Changing JFS ACL with the setacl Command........................................100 5.4.10.1 Using the Modify and Delete Options...........................................100 5.4.10.2 Using the -f Option....................................................................100 5.4.10.3 Effective Permissions and setacl -n................................................101 5.5 Comparison of JFS and HFS ACLs................................................................102 5.5.1 JFS and HFS Command and Function Mapping.......................................102 5.6 ACLs and NFS...........................................................................................103 5.7 Security Considerations for /dev Device Special Files.....................................103 5.8 Protecting Disk Partitions and Logical Volumes...............................................104 5.9 Security Guidelines for Mounting and Unmounting File Systems........................104 5.10 Controlling File Security on a Network.........................................................106 5.10.1 Check Permission Settings on Network Control Files................................106 5.10.2 Files Mounted in an NFS Environment..................................................106 5.10.2.1 Server Vulnerability....................................................................107 5.10.2.2 Client Vulnerability.....................................................................107 5.10.2.3 How to Safeguard NFS-Mounted Files..........................................107 6 Compartments...............................................................................................................109 6.1 Overview..................................................................................................109 6.1.1 Compartment Architecture.....................................................................109 6.1.2 Default Compartment Configuration.......................................................111 6.2 Planning the Compartment Structure.............................................................111 6.3 Compartment Components..........................................................................112 6.3.1 Compartment Configuration Files..........................................................112 6.3.2 Compartment Commands....................................................................112 6.3.3 Compartment Manpages.....................................................................113 6.4 Compartment Rules and Syntax...................................................................114 6.4.1 Compartment Definition.......................................................................114 6.4.2 File System Rules................................................................................116 6 Table of Contents 6.4.3 IPC Rules...........................................................................................117 6.4.4 Network Rules...................................................................................119 6.4.5 Miscellaneous Rules............................................................................122 6.4.6 Example Rules File..............................................................................123 6.5 Configuring Compartments.........................................................................124 6.5.1 Activating Compartments.....................................................................124 6.5.2 Defining a Compartment Configuration.................................................124 6.5.2.1 Changing Compartment Rules.......................................................125 6.5.2.2 Changing Compartment Names...................................................125 6.5.3 Running an Application in a Compartment............................................125 6.5.4 Login Directly to a Compartment..........................................................126 6.6 Troubleshooting Compartments....................................................................126 6.7 Using Discover Mode to Generate Initial Compartment Configuration...............127 6.8 Compartments in HP Serviceguard Clusters...................................................128 7 Fine-Grained Privileges...................................................................................................131 7.1 Overview...................................................................................................131 7.2 Fine-Grained Privileges Components.............................................................131 7.2.1 Commands.........................................................................................131 7.2.2 Manpages.........................................................................................132 7.3 Available Privileges....................................................................................132 7.3.1 Compatibility Information for Divided Privileges.......................................135 7.4 Configuring Applications with Fine-Grained Privileges.....................................136 7.4.1 Privilege Model...................................................................................138 7.4.2 Compound Privileges..........................................................................138 7.5 Security Implications of Fine-Grained Privileges..............................................139 7.5.1 Privilege Escalation..............................................................................139 7.6 Fine-Grained Privileges in HP Serviceguard Clusters........................................139 7.7 Troubleshooting Fine-Grained Privileges........................................................140 III Protecting Identity................................................................................................................141 8 HP-UX Role-Based Access Control.....................................................................................143 8.1 Overview..................................................................................................143 8.2 Access Control Basics.................................................................................144 8.2.1 Simplifying Access Control with Roles....................................................145 8.3 HP-UX RBAC Components...........................................................................146 8.3.1 HP-UX RBAC Access Control Policy Switch..............................................147 8.3.2 HP-UX RBAC Configuration Files...........................................................147 8.3.3 HP-UX RBAC Commands.....................................................................148 8.3.4 HP-UX RBAC Manpages......................................................................148 8.3.5 HP-UX RBAC Architecture.....................................................................149 8.3.6 HP-UX RBAC Example Usage and Operation.........................................150 Table of Contents 7 8.4 Planning the HP-UX RBAC Deployment..........................................................151 8.4.1 Planning the Roles..............................................................................152 8.4.2 Planning Authorizations for the Roles....................................................152 8.4.3 Planning Command Mappings.............................................................153 8.4.4 HP-UX RBAC Limitations and Restrictions................................................153 8.5 Configuring HP-UX RBAC............................................................................154 8.5.1 Configuring Roles...............................................................................155 8.5.1.1 Creating Roles.............................................................................155 8.5.1.2 Assigning Roles to Users...............................................................156 8.5.1.3 Assigning Roles to Groups............................................................157 8.5.2 Configuring Authorizations..................................................................157 8.5.3 Configuring Additional Command Authorizations and Privileges...............158 8.5.4 Configuring HP-UX RBAC with Fine-Grained Privileges.............................160 8.5.5 Configuring HP-UX RBAC with Compartments.........................................162 8.6 Using HP-UX RBAC....................................................................................163 8.6.1 Using the privrun Command to Run Applications with Privileges................163 8.6.1.1 HP-UX RBAC in Serviceguard Clusters.............................................165 8.6.2 Using the privedit Command to Edit Files Under Access Control................165 8.6.3 Customizing privrun and privedit Using the ACPS...................................166 8.6.4 Generating Keystroke and Command Logs............................................167 8.6.4.1 Keystroke Logging.......................................................................167 8.6.4.2 Alternate Logging.......................................................................168 8.7 Troubleshooting HP-UX RBAC.......................................................................168 8.7.1 The rbacdbchk Database Syntax Tool....................................................168 8.7.2 privrun -v Information..........................................................................169 9 Audit Administration.......................................................................................................171 9.1 Auditing Components..................................................................................172 9.1.1 Commands.........................................................................................172 9.1.2 Audit Configuration Files......................................................................172 9.1.3 Audit Manpages.................................................................................173 9.2 Auditing Your System..................................................................................173 9.2.1 Planning the Auditing Implementation....................................................173 9.2.2 Enabling Auditing...............................................................................174 9.2.3 Disabling Auditing..............................................................................175 9.2.4 Monitoring Audit Files.........................................................................175 9.2.5 Performance Considerations.................................................................176 9.2.6 Guidelines for Administering the Auditing System...................................176 9.3 Auditing Users...........................................................................................176 9.4 Auditing Events..........................................................................................177 9.5 Audit Trails................................................................................................179 9.5.1 Configuring Audit Trails.......................................................................180 9.5.2 Monitoring and Managing Audit Trails..................................................181 8 Table of Contents 9.6 Using the Audit Filtering Tools......................................................................182 9.7 Using filter.conf .........................................................................................183 9.8 Using the Audit Reporting Tools...................................................................183 9.8.1 Examples of Using the auditdp Command..............................................185 9.9 Viewing Audit Logs.....................................................................................186 9.9.1 Examples of Using the audisp Command................................................187 9.10 Self-Auditing.............................................................................................187 9.11 HP-UX RBAC Auditing................................................................................188 9.11.1 Auditing Based on HP-UX RBAC Criteria and the /etc/rbac/aud_filter File...........................................................................................................188 9.11.2 Procedure for Auditing HP-UX RBAC Criteria..........................................189 A Trusted Systems...................................................................................................................191 A.1 Setting Up a Trusted System.............................................................................191 A.2 Auditing a Trusted System................................................................................192 A.3 Managing Trusted Passwords and System Access................................................192 A.3.1 Password Files.........................................................................................193 A.3.1.1 The /etc/passwd File........................................................................193 A.3.1.2 The /tcb/files/auth/ Database..........................................................194 A.3.2 Password Selection and Generation..........................................................195 A.3.3 Password Aging......................................................................................195 A.3.4 Password History and Password Reuse.......................................................196 A.3.5 Time-Based Access Control......................................................................196 A.3.6 Device-Based Access Control....................................................................196 A.3.7 Manipulating the Trusted System Databases...............................................197 A.4 Guidelines for Trusted Backup and Recovery......................................................197 B Other Security Products........................................................................................................199 B.1 Protecting Systems...........................................................................................199 B.1.1 HP-UX Bastille...........................................................................................199 B.1.2 HP-UX HIDS.............................................................................................199 B.1.3 HP-UX IPFilter...........................................................................................200 B.1.4 Security Patches.......................................................................................200 B.2 Protecting Data...............................................................................................200 B.2.1 HP-UX Containers (SRP)............................................................................200 B.2.2 HP-UX Encrypted Volume and File System (EVFS).........................................201 B.2.3 HP-UX IPSec............................................................................................201 B.2.4 HP-UX OpenSSL .....................................................................................201 B.2.5 HP-UX Secure Shell .................................................................................202 B.2.6 HP-UX Trusted Computing Services.............................................................202 B.2.7 HP-UX Whitelisting .................................................................................203 B.3 Protecting Identity...........................................................................................203 B.3.1 HP-UX AAA Server (RADIUS).....................................................................203 Table of Contents 9 B.3.2 HP-UX Directory Server............................................................................204 B.3.3 HP-UX LDAP-UX Integration.......................................................................204 Glossary...............................................................................................................................205 Index....................................................................................................................................213 10 Table of Contents List of Figures 2-1 5-1 6-1 8-1 8-2 HP-UX Authentication Modules Under PAM..........................................................35 File and Directory Permission Fields....................................................................88 Compartment Architecture...............................................................................110 HP-UX RBAC Architecture................................................................................150 Example Operation After Invoking privrun.........................................................151 11 List of Tables 3-1 3-2 3-3 3-4 4-1 4-2 5-1 5-2 5-3 5-4 5-5 6-1 6-2 6-3 7-1 7-2 7-3 8-1 8-2 8-3 8-4 8-5 8-6 9-1 9-2 9-3 9-4 12 User Database Configuration Files.....................................................................63 User Database Commands................................................................................63 User Attributes.................................................................................................64 User Database Manpages................................................................................64 Internet Services Components and Access Verification, Authorization, and Authentication.................................................................................................67 Software Components of HP-UX Secure Shell.......................................................77 Differences Between File and Directory Privileges.................................................88 HFS ACL Commands........................................................................................94 HFS ACL System Calls......................................................................................94 Commands and Calls Affecting ACL Entries.........................................................94 HFS and JFS ACL Equivalents...........................................................................102 Compartment Configuration Files.....................................................................112 Compartment Commands...............................................................................113 Compartment Manpages................................................................................113 Fine-Grained Privileges Commands..................................................................132 Fine-Grained Privileges Manpages...................................................................132 Available Privileges........................................................................................132 Example of Authorizations Per User..................................................................144 Example of Authorizations Per Role...................................................................145 HP-UX RBAC Configuration Files.......................................................................147 HP-UX RBAC Commands.................................................................................148 HP-UX RBAC Manpages.................................................................................148 Example Planning Results................................................................................155 Audit Commands...........................................................................................172 Audit Configuration Files.................................................................................172 Audit Manpages............................................................................................173 audevent Command Options...........................................................................178 List of Tables List of Examples 2-1 5-1 5-2 Pseudo- and Special System Accounts.................................................................45 Creating an HFS ACL.......................................................................................93 Multiple HFS ACL Matches................................................................................93 13 14 About this Document Publication History The document publication date and part number indicate its current edition. The publication date will change when a new edition is released. To ensure that you receive the new editions, you should subscribe to the appropriate product support service. Contact your HP sales representative for details. You can find the various versions of this document at: http://www.hp.com/go/hpux-core-docs Click HP-UX 11i v3. September 2011 Part • • • Number B3921–90059 Updated the Compartment chapter (see Chapter 6). Updated the Fine-Grained Privileges chapter (see Chapter 7. Reorganized Appendix B in three parts: Protecting Systems, Protecting Data, and Protecting Identity and added the HP-UX OpenSSL and HP-UX Whitelisting security products (see Appendix B). September 2010 Part Number B3921-90020 • Removed the Bastille chapter since the Bastille product now has its own user guide. Added the Bastille product in Appendix B (page 199). • Added the HP-UX Directory Server product in Appendix B (page 199). • Added the HP-UX LDAP product in Appendix B (page 199). • Updated all links to docs.hp.com to the Business Support Center. The HP-UX documentation is now located at the Business Support Center. For the HP-UX security collection, see http://www.hp.com/go/hpux-security-docs. September 2009 Part Number 5992–6416 • Added the HP-UX PAM RADIUS module to the PAM Libraries section (see Section 2.3.2). • Added a new section in the Bastille chapter, Selecting Install-Time Security. This section used to be documented in the HP-UX 11i v3 Installation and Update Guide. • Updated the Compartment chapter (see Chapter 6). 15 • • • Updated the HP-UX Role-Based Access Control chapter (see Chapter 8 ). Updated the Audit Administration chapter (see Chapter 9). Added security products to Appendix B (see Appendix B). March 2008 Part Number 5992–3387 • Divided the document into three parts: Protecting Systems, Protecting Data, and Protecting Identity. • Added a chapter to document HP-UX Standard Mode Security Extensions (see Chapter 3). • Replaced Security Patch Check with Software Assistant. • Added a figure to show the HP-UX Bastille user interface. • Added the HP-UX Bastille configuration log file assessment-log.config. • Made various edits. October 2007 Part Number 5992-2395 • Added a chapter to describe HP-UX Bastille. August 2007 Part Number 5992-1933 • Removed Process Resource Manager (PRM) from the product list that does not support shadow passwords (see Section 2.4.5). • Corrected search to nsearch in permission_list (see Section 6.4.2). February 2007 Part Number 5991-6482 First Edition NOTE: The volumes in the HP-UX System Administrator’s Guide can be updated independently. Therefore, the latest versions of the volumes in the set can vary with time and with respect to each other. The latest versions of each volume are available at: http://www.hp.com/go/hpux-core-docs Click HP-UX 11i v3. Intended Audience The HP-UX System Administrator’s Guide is written for administrators of HP-UX systems of all skill levels needing to administer HP-UX systems beginning with Release HP-UX 11i version 3. While many topics in this set apply to previous releases, much has changed in HP-UX 11i version 3; therefore, for information about prior releases, see Managing Systems and Workgroups, a Guide for System Administrators. 16 About This Document Set The HP-UX System Administrator’s Guide documents the core set of tasks (and associated concepts) necessary to administer systems running HP-UX 11i Version 3. It is comprised of the following volumes: Overview Provides a high-level view of HP-UX 11i, its components, and how they relate to each other. Configuration Management Describes many of the tasks that you must perform to configure and customize system settings and the behavior of subsystems. Logical Volume Management Documents how to configure physical volumes, volume groups, and logical volumes using the HP Logical Volume Manager (LVM). Security Management Documents the data and system security features of HP-UX 11i. Routine Management Tasks Documents many of the ongoing tasks you must perform to keep your system running smoothly. HP-UX System Administrator's Guide: Security Management is divided into three parts: Protecting Systems, Protecting Data, and Protecting Identity. These parts include the following topics: Chapter 1 Describes security considerations related to the boot and installation process. Chapter 2 Describes how to administer user and system security after the operating system is installed. Chapter 3 Describes the features and components of HP-UX Standard Mode Security Extentions. Chapter 4 Describes how to secure remote access to your system. Chapter 5 Describes how to control and protect file systems. Chapter 6 Describes compartments and how to isolate components of a system from one another. Chapter 7 Describes fine-grained privileges and how to divide the powers of superusers into a set of privileges. Chapter 8 Describes the features and components of HP-UX Role-Based Access Control. Chapter 9 Describes the administration of the audit system. Appendix A Describes trusted systems. Appendix B Describes other security products. 17 HP-UX 11i Release Names and Release Identifiers With HP-UX 11i, HP delivers a highly available, secure, and manageable operating system. HP-UX 11i supports enterprise, mission-critical, and technical computing environments and is available on both HP 9000 systems and HP Integrity servers. Each HP-UX 11i release has an associated release name and release identifier. The uname command with the -r option returns the release identifier. See the following table for a list of releases available for HP-UX 11i: Release Identifier Release Name Supported Processor Architecture B.11.11 HP-UX 11i version 1 HP 9000 B.11.23 HP-UX 11i version 2 Intel™ Itanium™ B.11.23 HP-UX 11i version 2, September 2004 HP 9000 HP-UX 11i version 3 HP 9000 B.11.31 Itanium Itanium For information on supported systems and processor architecture for various versions of HP-UX 11i, see the HP-UX 11i system release notes specific to the version of HP-UX you are running (for example, the HP-UX 11i Version 3 Release Notes). 18 Finding HP-UX Information The following table outlines where to find general system administration information for HP-UX. However, it does not include information for specific products. If you need to Refer To Located at Find out: • What has changed in HP-UX releases • The contents of the Operating Environments • Firmware requirements and supported systems for a specific release The HP-UX 11i Release Notes • HP Instant Information media specific to your version of HP-UX. • http://www.hp.com/go/ For example, you may want to see hpux-core-docs the HP-UX 11i Version 3 Release Click HP-UX 11i v3. Notes. • /usr/share/doc/ directory The /usr/share/doc directory contains only the original release note for your version of HP-UX. For revised release notes, see your latest HP Instant Information media or the Business Support Center: http://www.hp.com/go/ hpux-core-docs Click HP-UX 11i v3. Install or update HP-UX • Read Before Installing or Updating to HP-UX • HP-UX 11i Installation and Update Guide NOTE: See the documents for your specific version of HP-UX. Administer an HP-UX system Releases beginning with HP-UX 11i Version 3: • HP-UX System Administrator’s Guide (a multivolume set) Other sources of system administration information: • nPartition Admnistrator's Guide • Planning Superdome Configurations (white paper) • Media Kit (supplied with the Operating Environment) • HP Instant Information media • http://www.hp.com/go/ hpux-core-docs Click HP-UX 11i v3. • HP Instant Information CD-ROM • http://www.hp.com/go/ hpux-core-docs Click HP-UX 11i v3. • Planning Superdome Configurations (white paper) Related Information Additional information about Security and HP-UX can be found at www.hp.com/go/ hpux-security-docs. In particular, the following documents are available: 19 • • • • • HP-UX HP-UX HP-UX HP-UX HP-UX AAA Server Administrator's Guide Host Intrusion Detection System Administrator's Guide IPFilter Administrator's Guide IPSec Administrator's Guide Secure Shell Release Notes Conventions This document uses the following typographical conventions. reboot(1M) An HP-UX manpage. reboot is the name and 1M is the section in the HP-UX Reference. On the Web and on the Instant Information media, it may be a hot link to the manpage itself. From the HP-UX command line, you can enter “man reboot” or “man 1M reboot” to view the manpage. See man(1) for more information. Book Title The title of a book. On the web and on the Instant Information media, it may be a hot link to the book itself. KeyCap The name of a keyboard key. Return and Enter both refer to the same key. Emphasis Text that is emphasized. Emphasis Text that is strongly emphasized. Term The introduction of an important word or phrase. ComputerOut Text displayed by the computer. 20 UserInput Commands and other text that you type. Command A command name or qualified command phrase. Variable The name of a variable that you may replace in a command or function or information in a display that represents several possible values. [ ] The contents are optional in formats and command descriptions. { } The contents are required in formats and command descriptions. If the contents are a list separated by |, you must choose one of the items ... The preceding element may be repeated an arbitrary number of times. | Separates items in a list of choices. Part I Protecting Systems One critical factor in enterprise security is system minimization and hardening. HP-UX 11i offers a set of security features designed to address known and unknown vulnerabilities by running only the services that are needed, thus minimizing a potential point of attack. This section discusses the following HP-UX tools that protect a system against an attack, and detect and react to threats: • Installing the HP-UX operating environment securely (Chapter 1) • Administering user and system security (Chapter 2) • Standard Mode Security Extensions (Chapter 3) • Remote access security administration (Chapter 4) 21 22 1 Installing the HP-UX Operating Environment Securely This chapter describes security considerations related to the boot and installation processes, including the following topics: • Installation security considerations (Section 1.1) • Preventing security breaches during the boot process (Section 1.2) • Enable login security for root (Section 1.3) • Using boot authentication to prevent unauthorized access (Section 1.4) • Setting Install-Time Security options (Section 1.5) • Installing security patches (Section 1.6) • Postinstallation security tips for backup and recovery (Section 1.7) 1.1 Installation Security Considerations Before you install or update to a new operating system or new software, make a practice of addressing security considerations. Make the following security measures part of your preparation for installation: • Review the contents of your media kit. Read the Release Notes and other related information at the Business Support Center: http://www.hp.com/go/hpux-core-docs Click HP-UX 11i v3. • • • • • Decide which software you need and which you do not need. Do not install unnecessary software. Consult other chapters of this document for help deciding on security software products. Disconnect or disengage your system from the network, especially from a public network, until your security modifications are complete. Consider what, if any, security level you would like to deploy with. See Section 1.5 for more information. Make sure the system console is physically protected and your LAN console is either disconnected, or used only through a network where clear-text-protocols like telnet are allowed/protected. This is an important security consideration. Restricting access to the system console helps prevent unauthorized persons from changing the security settings of your system. Install the latest patches, especially security patches. See Section 1.6 for more information. Maintain a backup and recovery system. See Section 1.7 for more information. 1.2 Preventing Security Breaches During the Boot Process Security breaches can occur during the boot sequence. The boot process can be interrupted, allowing an unauthorized person to access the system. If certain system files 1.1 Installation Security Considerations 23 are altered incorrectly or maliciously before the reboot, the system can have problems during and after the reboot. Therefore, perform these preventative tasks: • • • Make sure the system and system console are physically secure and that only authorized users have access. Enable the boot authentication feature to allow only specified users to boot the system to single user mode. See Section 1.4. Make sure system files are write protected; some might need to be read protected. Following is a summary of the boot sequence that occurs when you turn on or reset the computer. See HP-UX System Administrator's Guide: Routine Management Tasks for more information on the boot sequence. 1. During booting, there is about a 10-second wait that allows you to override the automatic boot sequence. At this point, an intruder can interrupt the boot sequence and enter the system. You can gain root access when you interrupt the boot sequence by pressing any key. The ISL prompts you for a command. Entering the following command causes the system to be in single-user mode: ISL> hpux -is If you are not using boot authentication, a user can then log in as root with no password. Boot authentication allows only specified users to log in as root. 2. 3. If the boot sequence is not interrupted, the initialization process continues. HP-UX goes through its initialization process and begins normal operation, ready for login. At this point another security breach can occur if an intruder has already gained root access. If an intruder interrupts the boot process, they have gained root access to the system and theoretically own the system. This ownership allows them to make changes to the system through a great number of mechanisms. 1.3 Enable Login Security for root Many network protocols such as rlogind and telnetd do not encrypt network communication, making it easy for an intruder to sniff the administrative passwords from the network. Try to minimize the usage of these nonsecure protocols. To prevent an administrative login through such a protocol, you can use the /etc/ securetty file to limit logging in to the root account only through the system console. For instance, to restrict root logins to only the console, create the/etc/security file with a single line consisting of console. For more information, see login(1). 24 Installing the HP-UX Operating Environment Securely 1.4 Using Boot Authentication to Prevent Unauthorized Access The boot authentication feature protects single-user mode boot with password authentication. It makes it possible to configure a system so that only authorized users are allowed to boot the machine into single-user mode. The boot authentication feature must be enabled before you reboot the system. Boot authentication is configured by two attributes in the /etc/default/security file: • • BOOT_AUTH enables or disables boot authentication. Specify BOOT_AUTH=1 to enable boot authentication. By default, authentication is disabled (BOOT_AUTH=0). BOOT_USERS defines who can log in as root when the boot authentication feature is enabled. The names listed in BOOT_USERS are separated by commas. For example: BOOT_USERS=root,mary,jack,amy,jane BOOT_USERS=root is the default value. The /etc/default/security configuration file is explained in Chapter 2 and in security(4). 1.5 Setting Install-Time Security Options The Install-Time Security (ITS) options allow you to configure an HP-UX Bastille security lockdown engine, which can include an HP-UX IPFilter firewall. After system installation is complete, it will have one of the preconfigured levels of security. During installation, you can choose from four preconfigured levels of security: Sec00Tools Install the security infrastructure but without enabling optional security features. This is the default. Sec10Host Install a host-based lockdown system, without HP-UX IPFilter firewall configuration. With this level of security, most network services are disabled. These services can be reinstated by running the bastille(1M) command. Sec20MngDMZ Install a managed lockdown system that blocks most incoming traffic with an HP-UX IPFilter firewall. Sec30DMZ Install a DMZ Full lockdown system, which is a host-based and IPFilter network lockdown. HP-UX IPFilter blocks almost all incoming connections. For information on ITS and HP-UX Bastille, see the HP-UX Bastille User Guide: www.hp.com/go/hpux-security-docs Click HP-UX Bastille Software. For information on HP-UX IPFilter, see the HP-UX IPFilter Administrator's Guide: 1.4 Using Boot Authentication to Prevent Unauthorized Access 25 www.hp.com/go/hpux-security-docs Click HP-UX IPFilter Software. 1.6 Installing Security Patches Immediately after installation, apply the required and recommended patches using HP-UX Software Assistant (SWA). SWA is a command-line-based tool that consolidates and simplifies patch management and security bulletin management on HP-UX systems. The SWA tool replaces Security Patch Check (SPC), and is the HP-recommended utility to use to maintain currency with HP-published security bulletins for HP-UX software. NOTE: Use of the Software Assistant software tool can help improve system security, but it does not guarantee system security. For more information on SWA, see the HP-UX Software Assistant System Administration Guide: www.hp.com/go/hpux-security-docs Click HP-UX Software Assistant (SWA) Software. 1.7 Postinstallation Security Tips for Backup and Recovery After the system is running, you must still maintain its security. Be diligent in maintaining system backup and recovery files. Following are some guidelines: • Use only the fbackup and frecover commands to back up and recover files selectively. Only fbackup and frecover retain access control lists (ACLs). Use the -A option of these commands when backing up and recovering files for use on systems that do not implement ACLs. See fbackup(1M) and frecover(1M). • If you plan to recover the files to another system, be sure that the user's user name and group name on both systems are consistent. • Remember that the backup media is sensitive material. Allow access to the media only on the basis of proven need. • Label backup tapes and store them securely. Offsite storage provides maximum security. Keep archives for a minimum of 6 months, and then recycle the media. • Perform daily incremental and full weekly backups. Synchronize the backup schedule with the information flow in your organization. For example, if a major database is updated every Friday, you might want to schedule the weekly backup on Friday evenings. • 26 If you must back up all files on schedule, request that all users log off before performing the backup. The fbackup command warns you if a file is changing while the backup is being performed. Installing the HP-UX Operating Environment Securely • • • • • • • • Examine the log file of latest backups to identify problems occurring during backup. Set restrictive permissions on the backup log file. Be aware that the frecover command allows you to overwrite a file. However, the file retains the permissions and ACLs set when the file was backed up. Test the recovery process beforehand to make sure you can fully recover data in the event of an emergency. When recovering files from another machine, you might have to execute the chown command to set the user ID and group ID for the system on which they now reside, if the user and group do not exist on the new system. If files are recovered to a new system that does not have the specified group, the files will take on the group ownership of the person running the frecover command. If the owner and group names have different meanings on different systems, recovery results might be unexpected and not what you wanted. Although a power failure should not cause file loss, if someone reports a lost file after a power failure, look for it in the /lost+found directory before restoring it from a backup tape. To verify contents of the tape being recovered, use the -I option of the frecover command to preview the index of files on the tape. Existing permissions of a file system are kept intact by the backup. The frecover command prevents you from reading the file if the permissions on the file forbid it. Never recover in place any critical files, such as /etc/passwd or those in /tcb/ files. Instead, restore the file to a temporary directory (do not use /tmp), and give this directory permissions drwx------, preventing anyone else from using it. Compare the restored files with those to be replaced. Make any necessary changes. Be sure to turn auditing on. Auditing is not enabled automatically when you have recovered the system. 1.7 Postinstallation Security Tips for Backup and Recovery 27 28 2 Administering User and System Security This chapter addresses basic user security after the operating system is installed. It focuses on logins, passwords, and other user interactions with the system. The following topics are discussed: • • • • • • • • • • • Managing user access (Section 2.1) Authenticating users during login (Section 2.2) Authenticating users with PAM (Section 2.3) Managing passwords (Section 2.4) Defining system security attributes (Section 2.5) Handling setuid and setgid programs (Section 2.6) Preventing stack buffer overflow attacks (Section 2.7) Protecting unattended terminals and workstations (Section 2.8) Protecting against system access by remote devices (Section 2.9) Securing login banners (Section 2.10) Protecting the root account (Section 2.11) 2.1 Managing User Access Authorized users gain access to the system by supplying a valid user name (login name) and password. Each user is defined by an entry in the /etc/passwd file. Use the HP System Management Homepage (HP SMH) to add, remove, deactivate, reactivate, or modify a user account. For more information about passwords, refer to passwd(4), passwd(1), and see Section 2.4 in this document. 2.1.1 Monitoring User Accounts Following are guidelines for monitoring user accounts: • Regularly examine the output from the last, lastb, and who commands for unusual logins. • Verify that all users with accounts have a legitimate business need to access the system. • Be alert for multiple users sharing the same user account. Do not allow two users to share the same user account. • Verify that no user accounts share the same user ID (UID). • Ensure that all accounts have secure passwords that change regularly. • Verify that all user home directories have the appropriate permissions. Most home directories have read access but no write access to other users. For better protection, set the read, write, and execute permissions for the directory owner only. 2.1 Managing User Access 29 • • • • • Ensure that all users understand the security policies. Place a company security policies file in each home directory. Examine the /etc/passwd file or other appropriate user database for unused accounts, and especially for users who have left the company. Examine root accounts to see who has root access. Consider implementing HP-UX Role-based Access Control to minimize the risks associated with multiple users having access to the root account. For more information, see Chapter 8. Examine guest accounts to see how often they are used. 2.1.2 Monitoring Guest Accounts For the highest level of security, do not allow guest or open accounts. If you do have guest accounts, then do the following: • Change the guest password frequently. You can specify the password. • Use a restricted shell (rsh) to limit system access. For information about the rsh command, refer to sh(1) and sh-posix(1). • Guest accounts are often forgotten. Use one of the following methods to disable the guest account when not in use: — Use per-user security attributes to automatically disable the account after a certain number of inactive days. For more information, refer to security(4) and see Section 2.5.2.2. — Use the following command to lock the guest account: # passwd -l guest — Use the following command to delete the guest account: # userdel guest • Schedule an at job to automatically lock temporary accounts: # at now +14 days passwd -l tempacct • Regularly scan the /var/adm/wtmp and /var/adm/sulog files to check for unused accounts. Refer to sh(1) and su(1) for more information. 2.1.3 Creating Application User Accounts If users only use HP-UX to launch an application, they do not require access to a shell. These users should only be using the application, such as a database management system, and not need access to any HP-UX functionality. To restrict access to HP-UX, modify the /etc/passwd file so that only a specific command is executed after the user logs in. The /etc/passwd file contains essential information required during login: 30 Administering User and System Security • • • • • • • User name Encrypted password User ID Group ID Comment field Home directory Login program Typically, the login program is a shell, such as /bin/sh, but it does not have to be a shell. You can create a captive account—an account that logs a user directly into an application—by identifying the application as the login shell. Following is an example of restricting a user to run only the date command. The /etc/ passwd entry is: username:rc70x.4,sx2:20:1:run only date command:/home/date:/usr/bin/date At the login prompt, a user enters username and the appropriate password. The date command is executed and then the user is immediately logged out. login:username Password:xxxxxx Tue Nov 14 18:38:38 PDT 2006 2.1.4 Managing Group Accounts When a group has to share or have access to project-related files, follow these steps to ensure security: 1. 2. 3. Verify that each member has an entry in /etc/passwd. Create an entry for the group in the /etc/group file. Create a shared directory for the group. drwxrwx-- root project /home/projects 4. Set the umask in each group member's ~/.profile. In the following example, users in the group can read, write, and execute files, but no one else can: umask u=rwx,g=rwx, o= 2.2 Authenticating Users During Login To gain access to a system and its resources, users are required to log in. By controlling access to the system, you can try to prevent unauthorized users from accessing the system. However, even if unauthorized users do gain access, you can still prevent them from running programs that consume resources and from accessing system data. This section explains what happens during the login process from the time you type your user name to the time you get a shell prompt. 2.2 Authenticating Users During Login 31 2.2.1 Explanation of the Login Process The following steps describe the login process. This information shows how important it is to create unique user names and to maintain a password security policy. For more information, refer to login(1). 1. 2. 3. After the system is installed, the desktop Login Manager displays a login screen. The Common Desktop Environment (CDE) displays a CDE login screen if it is installed. The init program spawns a getty process, which prompts you for a user name. You enter your user name. The getty program passes the user name to the login program. The login program searches/etc/passwd for the user name. • If the user name exists, login goes to step 4 . • If the user name does not exist, then login does the following checks: — Prompts for a password (Password: ). — If an invalid password is entered, the system displays the Invalid login error message. — Updates the /var/adm/btmp file if it exists. The /var/adm/btmp file keeps track of invalid login attempts. See Section 2.2.2 for more information. — Exits after three consecutive invalid login attempts. 4. The login process verifies the /etc/passwd file. • If the password field is set, login prompts for a password and goes to step 5. • If the password field is not set, the user does not need a password and login goes to step 6 . 5. The login process compares the password to the encrypted password in /etc/passwd. • If the password matches, login goes to step 6. • If the password does not match, login displays Invalid login. The login process allows three consecutive login attempts. After the user's third invalid login attempt, login exits. 6. The login process updates the /var/adm/wtmp file, which keeps track of valid logins. See Section 2.2.2 for more information. After a successful login, the user and group IDs, group access list, and working directory are initialized. 7. 32 The login process then runs the command in the command field of the /etc/passwd file. Typically, the command field is the path name of a shell, such Administering User and System Security as /bin/ksh, /bin/csh, or /bin/sh. If the command field is empty, the default is /bin/sh. The command field does not have to be a shell. See Section 2.1.3 for an example of running another command. 8. After the shell initialization is complete, the system displays a prompt and waits for user input. You can have the login process perform further user authentication using the Pluggable Authentication Modules (PAM). For more information, see pam.conf(4) and Section 2.3. 2.2.2 Checking the login Tracking Files (btmp and wtmp) The following files keep a log of logins: • The /var/adm/btmp file keeps track of failed logins. • The /var/adm/wtmp file keeps track of successful logins. Use the lastb command to read the /var/adm/btmp file to see if unauthorized users have attempted to log in. Use the last command to read the/var/adm/wtmp file. The last and lastb commands display the most recent user information, in descending order. The wtmp and btmp files tend to grow without bound, so check them regularly. Periodically remove information that is no longer useful to prevent the file from becoming too large. The wtmp and btmp files are not created by the programs that maintain them. If these files are removed, login record keeping is turned off. A common mistake users make during login is to enter the password, or part of the password at the login prompt. This failed login is recorded in the btmps file and exposes the password or partial password. For this reason, the file protection on the btmps should be set so that it is only readable by administrators. # chmod 400 /var/adm/btmps If the security policy requires that past sessions of one user cannot be viewed by another user, then the file protection of the /var/adm/wtmp file may also need to be changed. See last(1), utmp(4), and wtmp(4) for more information. The utmp database is a user accounting database managed and synchronized according to /var/adm/utmp by the utmpd command. Application programs can access the utmps database. See utmpd(1M) and utmps(4). 2.2.2.1 Last Command Examples This section contains examples of using the last command. The following command lists all of the root sessions and all sessions on the console terminal: # last root console | more root pts/1 Mon Mar 12 16:22 - 18:04 (01:41) 2.2 Authenticating Users During Login 33 abcdeux console Mon Mar 12 10:13 - 10:19 (00:06) root pts/2 Fri Mar 9 13:51 - 15:12 (01:21) abcdeux console Thu Mar 8 12:21 - 12:22 (00:00) root pts/ta Wed Mar 7 15:38 - 18:13 (02:34) The following command lists when reboots have occurred: # last reboot reboot reboot reboot reboot reboot system system system system system boot boot boot boot boot Sun Sun Sun Thu Mon Mar Mar Mar Feb Feb 28 28 28 19 16 18:06 17:48 17:40 18:25 13:56 still logged in - 18:06 (00:17) - 17:48 (00:08) - 17:40 (37+23:15) - 18:25 (3+04:28) 2.2.3 Checking Who Is Logged In The who command examines the /etc/utmp file to obtain current user login information. In addition, the who command can list logins, logoffs, reboots, changes to the system clock, and processes spawned by the init process. Use the who -u command to monitor who is currently logged in. For example: # who -u aperson console Aug 5 11:28 old 5796 system.home.company.com aperson pts/0 Aug 17 18:11 0:03 24944 system aperson pts/1 Aug 5 11:28 1:14 5840 system See who(1) for more information. 2.3 Authenticating Users with PAM The Pluggable Authentication Modules (PAM) are an industry-standard framework providing authentication, account management, session management, and password services. This section gives an overview of PAM and describes the PAM configuration files: /etc/pam.conf and /etc/pam_user.conf. For more information, see pam(3), pam_*(5), pam.conf(4), pam_user.conf(4), and security(4). 2.3.1 Overview PAM provides the flexibility to choose any authentication service available on the system. The PAM framework also enables you to plug in new authentication service modules and make them available without modifying the applications. Whenever a user logs in either locally or remotely (for example, using login or rlogin), the user must be checked or authenticated as a valid user of the system. As authentication methods improve and change over time, the login services would also have to change. To avoid constant changing of the login services just to revise the authentication code, PAM was developed so that different authentication methods can be used without modifying the login code. 34 Administering User and System Security As a result, login authentication, account checking, and password modification use the PAM interface. Programs requiring user authentication pass their requests to PAM, which determines the correct verification method and returns the appropriate response. The programs do not need to know what authentication method is being used. See Figure 2-1 for an overview. Figure 2-1 HP-UX Authentication Modules Under PAM Authentication Services passwd su login telnet Request for Validation PAM Library UNIX DCE libpam_unix.1 Kerberos Use the PAM configuration file, /etc/pam.conf, to indicate which authentication module to use. LDAP NTLM libpam_ntlm.1 libpam_krb5.1 libpam_dce.1 RADIUS libpam_ldap.1 libpam_radius.1 The authentication methods are specified on both a systemwide and individual user basis using the following PAM system files: /etc/pam.conf Systemwide control file. Defines which service modules are to be paired with services. These are regarded as system defaults. /etc/pam_user.conf Individual user control file. Defines which options are to be used by service modules on specific users. This is an optional file. See pam(3), pam.conf(4), pam_updbe(5), pam_user.conf(4) for more information. 2.3 Authenticating Users with PAM 35 2.3.2 PAM Libraries PAM service modules are implemented by shared libraries. PAM enables multiple authentication technologies to co-exist in HP-UX. The /etc/pam.conf configuration file determines which authentication module to use. The PAM libraries are as follows: • PAM_DCE The PAM_DCE modules enable integration of DCE into the system entry services (such as login, telnet, rlogin, ftp). The PAM_DCE modules provide functionality for the authentication, account management, and password management modules. These modules are supported through the PAM_DCE library, /usr/lib/ security/pam_dce.sl. See pam_dce(5) for more information. • PAM_HPSEC The PAM_HPSEC modules manage extensions specific to HP-UX for authentication, account management, password management, and session management. The use of /usr/lib/security/$ISA/libpam_hpsec.so.1 is mandatory for services such as login, dtlogin, ftp, su, remsh, rexec, and ssh. These services must place libpam_hpsec.so.1 on the top of the stack above one or more nonoptional modules. The pam_hpsec module also enforces several attributes defined in /etc/ default/security. See pam_hpsec(5) and security(4) for more information. • PAM_KRB5 Kerberos is a network authentication protocol that enables secure communication over networks without transmitting passwords in clear text. A password is authenticated by the Key Distribution Center (KDC), which then issues a Ticket Granting Ticket (TGT). The PAM Kerberos shared library is /usr/lib/security/ libpam_krb5.1. See pam_krb5(5) for more information. • PAM_LDAP The Lightweight Directory Access Protocol (LDAP) is a standard for centralizing user, group, and network management information through directory services. Authentication takes place on an LDAP directory server. For more information, see the HP-UX LDAP-UX Integration Software documentation: www.hp.com/go/hpux-security-docs Click HP-UX LDAP-UX Integration Software. • PAM_NTLM The PAM NT LAN Manager enables HP-UX users to be authenticated against Windows servers during system login. PAM NTLM uses NT servers to authenticate users logging in to an HP-UX system. For more information, see the HP CIFS Client Administrator's Guide: http://www.hp.com/go/hpux-networking-docs 36 Administering User and System Security Click HP-UX 11i v3 Networking Software. • PAM_RADIUS The HP-UX PAM RADIUS module provides authentication and session management for PAM enabled applications (typically system entry services such as login and ftp) through RADIUS server using the pam.conf configuration file. The HP-UX PAM RADIUS module consists of the following two modules: — Authentication module — Session management module It also provides null function for account management. All modules are supported through the same dynamically loadable library, /usr/lib/security/libpam_radius.1. The HP-UX PAM RADIUS module supports two-factor authentication by requesting the user's password and One Time Password (OTP). For more information, see pam_radius(5). • PAM_UNIX The PAM_UNIX modules provide functionality for all four PAM modules: authentication, account management, session management, and password management. The modules are supported through the PAM UNIX library, /usr/ lib/security/libpam_unix.1. See pam_unix(5) for more information. • PAM_UPDBE The user policy definition service module for PAM, /usr/lib/security/ libpam_updbe.1, reads options defined in the user configuration file, /etc/ pam_user.conf, and stores the information in the PAM handle for subsequent service modules to use. See pam_updbe(5) for more information. 2.3.3 Systemwide Configuration Using /etc/pam.conf The PAM configuration file /etc/pam.conf defines the security mechanisms that are used to authenticate users. Its default values provide the customary operation of the system under both standard HP-UX and trusted systems. It also provides support for controls on individual users and for the DCE integrated login functionality. NOTE: For DCE, use the auth.adm utility to create the desired configuration file. This file is functionally equivalent to the former HP integrated login auth.conf file. See auth.adm(1m) for more information. The libpam and libpam_unix PAM libraries and the /etc/pam.conf configuration file must be on the system in order for users to be able to log in or change passwords. HP-UX authentication is dependent upon the file /etc/pam.conf. This file must be owned by root with the following file permissions: 2.3 Authenticating Users with PAM 37 -r--r--r-- 1 root sys 1050 Nov 8 10:16 /etc/pam.conf If this file is corrupt or missing from the system, root can log in to the console in single-user mode to fix the problem. The protected service names are listed in the system control file, /etc/pam.conf, under four test categories (module-type): authentication, account, session, and password. See pam(3), pam.conf(4), and pam_user.conf(4) for more information. 2.3.4 Sample /etc/pam.conf File Following is a partial listing of a sample /etc/pam.conf file. Lines beginning with pound (#) are comment lines. The sections in /etc/pam.conf are authentication management, account management, session management, and password management. # # PAM configuration # # Notes: # # If the path to a library is not absolute, it is assumed to be # relative to the directory /usr/lib/security/$ISA/ # # For PA applications, /usr/lib/security/$ISA/libpam_unix.so.1 is a # symbolic link that points to the corresponding PA (32 or 64-bit) PAM # backend library. # # The $ISA (i.e. Instruction Set Architecture) token will be replaced # by the PAM engine with an appropriate directory string. # See pam.conf(4). # # Also note that the use of pam_hpsec(5) is mandatory for some of # the services. See pam_hpsec(5). # # Authentication management # login auth required libpam_hpsec.so.1 login auth required libpam_hpsec.so.1 su auth required libpam.hpsec.so.1 bypass_setaud su auth required libpam_unix.so.1 dtlogin auth required libpam_hpsec.so.1 dtlogin auth required libpam_unix.so.1 dtaction auth required libpam_hpsec.so.1 dtaction auth required libpam_unix.so.1 ftp auth required libpam_hpsec.so.1 ftp auth required libpam_unix.so.1 rcomds auth required libpam_hpsec.so.1 rcomds auth required libpam_unix.so.1 sshd auth required libpam_hpsec.so.1 sshd auth required libpam_unix.so.1 OTHER auth required libpam_unix.so.1 # # Account management # login account required libpam_hpsec.so.1 login account required libpam_unix.so.1 38 Administering User and System Security su su account required account required libpam_hpsec.so.1 libpam_unix.so.1 2.3.5 The /etc/pam_user.conf User Configuration File The PAM configuration file, /etc/pam_user.conf, configures PAM on a per-user basis. This file is optional. It is needed only if PAM applications need to behave differently for different users. You assign different options to individual users by listing them in /etc/pam_user.conf. For a login-name listed here, the options listed here replace any options specified for the module-type and module-path in /etc/pam.conf. The entries in /etc/pam_user.conf use the following syntax: login-name module-type module-path options where: login-name User's login name. module-type The module-type specified in /etc/pam.conf. module-path The module-path associated with module-type in /etc/ pam.conf. options Zero or more options recognized by the module. The default contents of /etc/pam_user.conf are comments: # # # # # # # # # # # # # # # # # # This file defines PAM configuration for a user. The configuration here overrides pam.conf. The format for each entry is: user_name module_type module_path options For example: user_a user_a user_a auth auth password /usr/lib/security/libpam_unix.1 /usr/lib/security/libpam_dce.1 /usr/lib/security/libpam_unix.1 debug try_first_pass debug user_b user_b auth password /usr/lib/security/libpam_unix.1 /usr/lib/security/libpam_unix.1 debug use_psd debug use_psd See the pam_user.conf(4) manual page for more information 2.3.6 Examples: How PAM Works for Login The following examples describe the auth process for login, depending upon how the /etc/pam.conf file is configured: • If /etc/pam.conf contains a single standard login auth, such as the following, then login proceeds normally: 2.3 Authenticating Users with PAM 39 login • auth required /usr/lib/security/libpam_unix.1 If there are two or more systemwide login auth entries, such as the following, they are taken in order: login login auth auth required required /usr/lib/security/libpam_unix.1 /usr/lib/security/libpam_dce.1 In this case, the standard HP-UX login process is executed. Then the DCE authentication process occurs. If both are satisfied, then the login is successful. Both processes are performed, even if the user fails one of them. • If you require different authentication methods for different users, place the special entry libpam_udpbe ahead of the authentication modules in /etc/pam.conf (the lines are numbered for easy reference): #/etc/pam.conf #1 login auth #2 login auth #3 login auth required /usr/lib/security/libpam_udpbe.1 required /usr/lib/security/libpam_unix.1 required /usr/lib/security/libpam_dce.1 Then place entries for each affected user in /etc/pam_user.conf: #/etc/pam_user.conf #4 allan auth /usr/lib/security/libpam_unix.1 #5 allan auth /usr/lib/security/libpam_dce.1 #6 isabel auth /usr/lib/security/libpam_unix.1 debug try_first_pass debug use_psd When allan logs in, line 1 in /etc/pam.conf causes PAM to read/etc/ pam_user.conf. Because the module paths on lines 4 and 5 of /etc/ pam_user.conf match the module paths on lines 2 and 3 of /etc/pam.conf, PAM temporarily replaces the null options fields of lines 2 and 3 of /etc/ pam.conf with debug and try_first_pass, respectively. Then the modules specified by lines 2 and 3 are executed with the revised options. When isabel logs in, line 1 in /etc/pam.conf causes PAM to read /etc/ pam_user.conf and temporarily replace the options field of line 2 of /etc/ pam.conf with debug use_psd. Line 3 is unchanged. Then the modules specified by lines 2 and 3 are executed with the revised options. When george logs in, line 1 in /etc/pam.conf causes PAM to read /etc/ pam_user.conf. Because entries for george do not exist, lines 2 and 3 of /etc/ pam_user.conf are not changed. The modules specified by lines 2 and 3 are executed with no changes. 40 Administering User and System Security 2.4 Managing Passwords The password is the most important individual user identification symbol. With it, the system authenticates a user to allow access to the system. Because they are vulnerable to compromise when used, stored, or known, passwords must be kept secret at all times. The following sections discuss passwords in more detail. 2.4.1 System Administrator Responsibilities The system administrator and every user on the system must share responsibility for password security. System administrators perform the following security tasks: • • • • • • • • • • • Ensure that all users have passwords. Maintain proper permissions on all system files, including the standard password and group files, /etc/passwd and /etc/group. Delete or nullify user IDs and passwords of users no longer eligible to access the system. Verify that all application passwords are encrypted. Verify that permissions on /var/adm/btmp and /var/adm/wtmp are set appropriately. Implement one-time passwords for single guest access. Inform users of their responsibilities regarding password security. Use password aging to force users to change their passwords regularly. Prevent reuse of recent passwords. Configure systemwide security attributes in the /etc/default/security file. See Section 2.5 and refer to security(4) for more information. Convert the system to use shadow passwords. See Section 2.4.5 and refer to shadow(4) and pwconv(1M) for more information. 2.4.2 User Responsibilities Every user must observe the following rules: • • • • Remember the password and keep it secret at all times. Change the initial password immediately and continue to change it. Report any changes in status and any suspected security violations. Make sure no one is watching a password being entered. 2.4 Managing Passwords 41 2.4.3 Criteria of a Good Password Observe the following guidelines when choosing a password and communicate these guidelines to users: • • • • • • • • Choose a password with at least 6 characters and no more than 80 characters. Special characters can include control characters and symbols, such as asterisks and slashes. In standard mode, only the first 8 characters are used. Do not choose a word found in a dictionary in any language, even if you spell it backwards. Software programs exist that can find and match it. Do not choose a password easily associated with you, such as a family or pet name, or a hobby. Do not use simple keyboard sequences, such as asdfghjkl, or repetitions of your login (for example, if your login is ann; a bad password choice is annann). Consider using misspelled words or combined syllables from two unrelated words to make suitable passwords. Another popular method is to use the first characters of a favorite title or phrase for a password. Consider using a password generator that combines syllables to make pronounceable gibberish. Do not share passwords with other users. Management must forbid sharing of passwords. Always have a password. Do not have your password field cleared in the /etc/ passwd file. 2.4.4 Changing the /etc/passwd Password File A standard system maintains one password file: /etc/passwd. All passwords are encrypted immediately after entry, and stored in the password file, /etc/passwd. Only the encrypted password is used in comparisons. Follow these guidelines if you need to change the password file: • • Do not permit any empty or null password fields; this is a security breach. An empty password field enables any user to set the password for that account. Do not edit the password file directly. Use HP SMH or the useradd, userdel, or usermod commands to modify password file entries. If you must edit the password file directly, use the vipw command and check it with the pwck command. See vipw(1M) and pwck(1M) for more information. 2.4.4.1 Examples of passwd Commands Following are some useful passwd command examples: • Reset a user's password: # passwd user1 • 42 Force a password change at next login: Administering User and System Security # passwd -f user1 • Lock or disable an account: # passwd -l user2 • Enable password aging: # passwd -n 7 -x 28 user1 • View password aging status for a specific user: # passwd -s user • View password aging status for all users: # passwd -sa 2.4.4.2 The /etc/passwd File Format The /etc/passwd file is used to authenticate a user at login time. The file contains an entry for every account on the HP-UX system. Each entry consists of seven fields, separated by colons. A typical /etc/passwd entry looks like this: robin:Z.yxGaSvxAXGg:102:99:Robin Hood,Rm 3,x9876,408-555-1234:/home/robin:/usr/bin/sh The fields contain the following information (listed in order), separated by colons: 1. 2. 3. 4. 5. 6. 7. robin—User (login) name, consisting of up to 8 characters. Z.yxGaSvxAXGg—Encrypted password field. 102—User ID, an integer ranging from 0 to MAXINT-1 (equal to 2,147,483,646 or 231 -2). 99—Group ID, from /etc/group, an integer ranging from 0 to MAXINT-1. Robin Hood,Rm 3,x9876,408-555-1234—Comment field, used to identify such information as the user's full name, location, and phone numbers. For historic reasons, this is also called the gecos field. /home/robin—Home directory, the user's initial login directory. /usr/bin/sh—Login shell path name, executed when the user logs in. The user can change the password by invoking passwd, the comment field (fifth field) with chfn, and the login program path name (seventh field) with chsh. The system administrator sets the remaining fields. The user ID must be unique. See chfn(1), chsh(1), passwd(1), and passwd(4) for more information. 2.4.5 The /etc/shadow Shadow Password File Increasing computational power available to malicious password decrytpers has made the nonhidden passwords in the /etc/passwd file vulnerable to decryption. A shadow password enhances system security by hiding encrypted passwords in a shadow password file. You can move encrypted passwords previously stored in the publicly readable /etc/passwd file to the /etc/shadow file, which is accessible only by a user with the appropriate privileges. 2.4 Managing Passwords 43 Use the following commands to enable, verify, and disable shadow passwords: • The pwconv command creates a shadow password file and copies the encrypted passwords from the /etc/passwd file to the /etc/shadow file. • The pwck command checks the /etc/passwd and /etc/shadow files for inconsistencies. • The pwunconv command copies the encryped passwords and aging information from the /etc/shadow file to the /etc/passwd file and then deletes the /etc/ shadow file. For more information, see pwconv(1M), pwck(1M), pwunconv(1M) and shadow(4). Note the following points about the shadow password feature. • When the shadow password feature is enabled, applications can be affected if they directly access the password field of the /etc/passwd file to obtain password and aging information. That field will now contain an x, indicating that the information is in /etc/shadow. Applications that use the PAM interfaces to authenticate, are not effected. To access the /etc/shadow file programmatically, use the getspent calls. These calls are similar to the getpwent calls for /etc/passwd. For more information, see getspent(3C) and getpwent(3C). • • In the /etc/nsswitch.conf file, shadow passwords are supported with files, NIS, and LDAP name services, but they may not be supported with other name server switch backends. To configure the system to use only files, NIS, and/or LDAP, ensure that the passwd line in /etc/nsswitch.conf contains only files, NIS, and/or LDAP. If /etc/nsswitch.conf does not exist, or if the passwd line is not present, then the default is files only. For more information, see nsswitch.conf(4). The shadow password is based on the de facto standard provided with other UNIX systems. The following attributes, defined in /etc/default/security, apply to shadow passwords. See Section 2.5 and consult the security(4) manpage for more information. • • • • INACTIVITY_MAXDAYS—Number of days before expiring an account for inactivity. PASSWORD_MINDAYS—Minimum number of days before a password can be changed. PASSWORD_MAXDAYS—Maximum number of days that passwords are valid. PASSWORD_WARNDAYS—Number of days before warning users of password expiration. Shadow passwords are supported with Serviceguard. 44 Administering User and System Security NOTE: Shadow passwords are not supported with LDAP-UX. Instead, LDAP-UX provides the ability to hide user passwords in the directory server itself. LDAP-UX also enforces centralized security policies, similar to /etc/shadow, based on the security policy of the directory server. Shadow passwords are not supported by the applications that expect passwords to reside in /etc/passwd. For more information, see the following manpages: passwd(1), pwck(1M), pwconv(1M), pwunconv(1M), getspent(3C), putspent(3C), nsswitch.conf(4), passwd(4), security(4), shadow(4) 2.4.6 Eliminating Pseudo-Accounts and Protecting Key Subsystems in /etc/passwd By tradition, the /etc/passwd file contains numerous “pseudo-accounts,” which are entries not associated with individual users and which do not have true interactive login shells. Some of these entries, such as date, who, sync, and tty, evolved strictly for user convenience, providing commands that could be executed without logging in. To tighten security, they have been eliminated in the distributed /etc/passwd so that these programs can be run only by a user who is logged in. Other such entries remain in /etc/passwd because they are owners of files. Programs with owners such as adm, bin, daemon, hpdb, lp, and uucp encompass entire subsystems, and represent a special case. Because they grant access to files they protect or use, these programs must be allowed to function as pseudo-accounts, with entries listed in /etc/passwd. The customary pseudo- and special accounts are shown in Example 2-1. Example 2-1 Pseudo- and Special System Accounts root::0:3::/:/sbin/sh daemon:*:1:5::/:/sbin/sh bin:*:2:2::/usr/bin:/sbin/sh sys:*:3:3::/: adm:*:4:4::/var/adm:/sbin/sh uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico lp:*:9:7::/var/spool/lp:/sbin/sh nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico hpdb:*:27:1:ALLBASE:/:/sbin/sh nobody:*:-2:-2::/: The key to the privileged status of these subsystems is their ability to grant access to programs under their jurisdiction without granting root access (uid 0). Instead, the setuid bit for the executable file is set and the effective user of the process corresponds 2.4 Managing Passwords 45 to the owner of the executable file. For example, the cancel command is part of the lp subsystem and runs as effective user lp. When the setuid is set, the security mediation of that subsystem enforces the security of all programs encompassed by the subsystem, not the entire system. Hence, the subsystem vulnerability to a breach of security is also limited to only those subsystem files. Breaches cannot affect the programs under different subsystems. For example, programs under lp do not affect those under daemon. 2.4.7 Secure Login with HP-UX Secure Shell The HP-UX Secure Shell provides secure remote login, file transfer, and remote command execution. All client-server communication is encrypted. Passwords going across the network are never sent in clear text. For more information, see ssh(1) and Section 4.6. 2.4.8 Securing Passwords Stored in NIS The Network Information Service (NIS) is part of the Network File System (NFS). NIS enables configuration administration of several hosts from a central location, a master server. Instead of having host configurations stored separately on each host, the information is consolidated onto a central location. The /etc/password file is among the several configuration files stored on the NIS server. The /etc/shadow shadow password file is not supported on NIS. See the NFS Services Administrator's Guide for information about NIS. 2.4.9 Securing Passwords Stored in LDAP Directory Server LDAP-UX Client Services interoperates with PAM to authenticate passwords stored on an LDAP directory server. The PAM_LDAP library provides the authentication service. 2.5 Defining System Security Attributes Security attributes provide additional control of system configurations, adding security enhancements to passwords, logins, and auditing. There are more than 20 attributes. These attributes are described in security(4) . The categories of attributes are summarized as follows: 46 Login attributes These attributes control login activities, such as login times, number of logins allowed, and the number of login failures allowed before locking and account. Password attributes These attributes control password activities, such as password length, number of characters and their types, history depth, number of days to change a password, and password expiration. Administering User and System Security Boot attributes These attributes control boot authentication, defining which users are authorized to boot the system into single-user mode. See boot authentication information in Chapter 1. Switch user (su) attributes These attributes define the PATH environment value, root group name for the su command, and whether or not su should propagate certain environment variables. See su(1) for more information. Audit attribute This attribute controls whether or not users are to be audited. The audit attribute is checked during the login process. See audit(5) for more information about HP-UX auditing. umask attribute This attribute controls umask() of all sessions initiated by pam_unix or pam_hpsec. See pam_unix(5) and pam_hpsec(5) for more information. The umask attribute is checked during the login process. The • • • • • system uses these files to process the attributes: /etc/default/security /var/adm/userdb /etc/security.dsc /etc/passwd /etc/shadow Each attribute has a per-user value in only one of these locations: /etc/password, /etc/shadow, or the user database in /var/adm/userdb. Each attribute and its per-user location are explained in the security(4) manpage. The system checks what attributes apply in the following ways: • The system examines the per-user attribute values in the /var/adm/userdb user database, the /etc/passwd file, or the /etc/shadow file. • If there is no per-user value, then the system examines the configurable systemwide default attributes in /etc/default/security. • If there are no configurable systemwide default attributes, then the system uses the default attributes in /etc/security.dsc. The security attributes description file, /etc/security.dsc, lists the attributes you can define /etc/default/security and in the user database in /var/adm/userdb. Some attributes are configurable and some are internal. Do not modify the /etc/ security.dsc file in any way. 2.5 Defining System Security Attributes 47 2.5.1 Configuring Systemwide Attributes The following steps explain how to define security attributes on a systemwide basis. 1. Review the security(4) manpage, which explains the configurable systemwide default values for attributes. These attributes are configured in the /etc/default/ security file, which is also explained in the security(4) manpage. If an attribute is not defined in the /etc/default/security file, then the default value defined in the /etc/security.dsc file will be used by the system. See the userdb(4) manpage for an explanation of the /etc/security.dsc file. 2. To change a configurable systemwide default, edit the security defaults file, /etc/ default/security, with a text editor such as vi. The file is world readable and root writable. Each line in the /etc/default/security file is either a comment or attribute configuration information. Comment lines begin with a pound (#) sign. Noncomment lines are in the form of attribute=value pairs, for example, PASSWORD_MAXDAYS=30. 2.5.2 Configuring Per-User Attributes Use the following commands to configure specific attributes for individual users. When you configure per-user attributes, they override the systemwide defaults. userdbset Changes the attribute for the specified user to override the systemwide default defined in the /etc/default/security file. For an example, see Section 2.5.2.1, and see userdbset(1M) for more information. userdbget Displays the user-defined values for a specific user or all users. See userdbget(1M) for more information. userdbck Verifies or fixes the user-defined values. See userdbck(1M) for more information. For example, you can change PASSWORD_MAXDAYS from 60 to 30 days only for user amy. The password for amy is valid for 30 days instead of 60 days. For all other users, the systemwide value of 60 days applies. Use the following procedure to change an attribute value for a user: 1. 2. 3. 48 Review the security(4) manpage, which explains the systemwide attributes and values, and how to set a per-user value. Not all attributes have a per-user value. Review the manpages for the userdbset, userdbget, and userdbck commands. Decide which users to modify and which attributes will apply to them. For example, you might want to have users in an accounting department change their passwords every 30 days and a classroom of students change their passwords every quarter. Administering User and System Security 4. Use the userdbset command to change an attribute for a user. The per-user information is stored in a user database in the /var/adm/userdb directory. The user database is described in the userdb(4) manpage. You cannot use the userdbset command to configure all attributes. Some per-user values are defined in the /etc/passwd and /etc/shadow files. For more information, see security(4). 5. Use the userdbget command to get user information. 2.5.2.1 Examples of Defining User-Specific Attributes with userdbset In the following example, the userdbset command deletes all user-defined attributes for user joe. When joe logs in, the systemwide defaults in /etc/default/security will then apply to joe. # /usr/sbin/userdbset -d -u joe Next, userdbset sets the minimum password length to 7 and sets UMASK to 0022 (octal 022). These changes apply only to joe. # /usr/sbin/userdbset -u joe MIN_PASSWORD_LENGTH=7 UMASK=0022 In the next example, userdbset displays all attributes for user amy: # /usr/sbin/userdbget -u amy amy AUDIT_FLAG=1 amy DISPLAY_LAST_LOGIN=0 In the display, the audit flag is enabled and the last login feature is disabled for amy. 2.5.2.2 INACTIVITY_MAXDAYS and the Shadow Password File The INACTIVITY_MAXDAYS attribute defined in the /etc/default/security file controls whether to expire inactive accounts on a systemwide basis. To override the systemwide default and configure INACTIVITY_MAXDAYS on a per-user basis, use the useradd -f command or the usermod -f command. Use the userdel command to delete the per-user configuration. See useradd(1M), usermod(1M), and userdel(1M) manpages for more information. You cannot use the userdbset command to configure the INACTIVITY_MAXDAYS on a per-user basis. The INACTIVITY_MAXDAYS attribute is related to the inactivity field of the shadow password file. The useradd and usermod commands modify the inactivity field of the shadow password file for the specified user. See the description of INACTIVITY_MAXDAYS in the security(4) manpage for more information. 2.5.3 Troubleshooting the User Database Use the following procedures to troubleshoot the user database. Problem 1: A user's security attributes seems to be misconfigured. If you suspect that user information is misconfigured in the user database, run the following command: 2.5 Defining System Security Attributes 49 # userdbget -u username The attributes configured for the user username are displayed. If an attribute is misconfigured, reconfigure the attribute. Problem 2: The user database is not functioning properly. database, enter the following command: If you need to check the user # userdbck The userdbck command identifies and repairs problems in the user database. 2.6 Handling setuid and setgid Programs Because they pose a potential security risk to the system, note which programs are setuid (set user ID) and setgid (set group ID) programs. A system attacker can exploit setuid and setgid programs, most often in one of two ways: • • By having a setuid or setgid program execute commands defined by the attacker, either interactively or by script. By substituting bogus data for the data created by a program. Follow these guidelines to secure setuid and setgid programs: • • • Watch for any changes to setuid and setgid programs. Investigate further any programs that appear to be unnecessary setuid programs. Change the permission of a program that is unnecessarily a setuid program to a setgid program. See chmod(1) and chmod(2) for more information. The long form of the ls command (ll or ls -l) shows setuid programs by listing S or s instead of - or x for the owner-execute permission. It shows setgid programs by listing S or s instead of - or x for the group-execute permission. You can expect to find setuid and setgid system files, but they should have the same permissions as provided by the factory media, unless you have customized them. • • • 50 Do not allow users to normally have setuid programs, especially when they use setuid to users other than themselves. Examine the code of all programs imported from external sources for destructive programs known as Trojan Horses. Never restore or install a setuid program for which you have no source to examine. To allow users access to certain superuser programs, HP recommends that you use Restricted SMH. Restricted SMH allows non-superusers to access particular areas of SMH. See smh(1M) for details. Administering User and System Security 2.6.1 Why setuid and setgid Programs Can Be Risky Whenever any program is executed, it creates a process with four ID numbers—real and effective user ID (ruid and euid) and real and effective group ID (rgid and egid). Typically, these ID pairs are identical. However, running a setuid or setgid program changes the euid or egid of the process from that associated with the owner to that of the object. The processes spawned acquire their attributes from the object, giving the user the same access rights as the program's owner and group. • • • • If the setuid bit is turned on, the privileges of the process are set to that of the owner of the file. If the setgid bit is turned on, the privileges of the process are set to that of the group of the file. If neither the setuid nor the setgid bit is turned on, the privileges of the process are unchanged. As a particularly risky case, if a program is setuid to root, the user gains all privileges available to root. This is dangerous because the program can be used in a way that violates system security. To a lesser extent, this problem exists in other setuid and setgid cases as well. For security reasons, the setuid and setgid bits on scripts are normally ignored by the HP-UX kernel. This rule can be relaxed by changing the tunable secure_sid_scripts, but it is strongly recommended that this tunable be not changed from the default. For more information on this tunable, see secure_sid_scripts(5). 2.6.2 How IDs Are Set IDs are set in these different ways: • • • • • The ruid and rgid are inherited from the login process, which sets your uid and gid. The uid and gid values are specified in /etc/passwd. The login command also changes the ruid, euid, rgid, and egid. The su command changes the euid and ruid. The newgrp command can change the gid. Set the setuid and setgid bits by using the chmod system call or chmod command. See chmod(1) and chmod(2) for more information. 2.6.3 Guidelines for Limiting Setuid Power Use caution if you add setuid-to-root programs to an existing system. Adding a setuid-to-root program changes the system configuration and might compromise security. 2.6 Handling setuid and setgid Programs 51 Enforce restrictive use of privileged programs through the following administrative and programming recommendations: • • • • • • • • • • • • • • Use setuid and setgid only when absolutely necessary. Make sure that no setuid program is writable by others. Whenever possible, use setgid instead of setuid to reduce the scope of damage that might result from coding flaws or breaches of security. Periodically search the file systems for new or modified setuid and setgid programs. You can use the ncheck -s command. Know exactly what the setuid and setgid programs do, and verify that they do only what is intended. Failing this, remove the program or its setuid attribute. If you must copy a setuid program, make sure that the modes are correct on the destination file. Write setuid programs so that they can be tested on noncritical data, without setuid or setgid attributes. Apply these attributes only after the code has been reviewed and all affected departments are satisfied that the new programs maintain security. Make sure that a setuid program does not create files writable by anyone other than its intended user. Reset the euid before an exec* system call. Be aware that exec* can be called within other library routines, and be wary of using routines (including popen, system, execlp, and execvp) that fork a shell to execute a program. See exec(2), popen(3S), and system(3S) for more information. When writing setuid programs, use setresuid around the pieces of code that require privileges, to reduce the window of vulnerability. See setresuid(2) for more information. Close all unnecessary file descriptors before calling exec*. Ensure that all variables (PATH, IFS) and the umask value in the program's environment are sufficiently restrictive. Do not use the creat system call to make a lock file. Use lockf or fcntl instead. See lockf(2) and fcntl(2) for more information. Be especially careful to avoid buffer overruns, for example, by using sprintf, strcpy, and strcat without proper parameter length validation. See printf(3S) and string(3C) for more information. 2.7 Preventing Stack Buffer Overflow Attacks The passing of large amounts of data to a program is called a stack buffer overflow attack. Usually, the data contains commands that the program is tricked into executing. These attacks are used to gain unauthorized access to the system, to destroy or alter data, or to cause denial of service to legitimate users. To monitor for stack buffer overflow attacks, watch for the following changes: 52 Administering User and System Security • • A setuid program executing other programs. A program unexpectedly gaining a user ID of zero (0). The user ID of zero is for superuser or root only. To prevent stack buffer overflow attacks: • Enable the executable_stack kernel tunable parameter. • Use the chatr +es command. The executable_stack kernel tunable parameter enables you to prevent a program from executing code from its stack. This guards against an intruder passing illegal data to a program, thereby causing the program to execute arbitrary code from its program stack. The executable_stack kernel tunable parameter globally enables or disables stack buffer overflow protection. A setting of 0 (zero) causes stacks to be nonexecutable and is preferred for security reasons. By default, for backward compatibility, executable_stack is set to 1, which allows stack execution and therefore no protection. Use HP SMH or the kmtune command to change the value of executable_stack. An additional way to manage stack buffer overflow protection is to use the +es option of the chatr command. For example, if executable_stack is set to zero but a program does need to execute its stack, use the following chatr command to allow stack execution for that program: # chatr -es enable program For more information, see chatr(1), kmtune(1M), and executable_stack(5). 2.8 Protecting Unattended Terminals and Workstations Unattended workstations and terminals are extremely vulnerable to unauthorized users. Like a front door left unlocked, they are open to anyone. This section explains the following ways to reduce that risk: • • • Control access using /etc/inittab and run levels. Edit /etc/inittab to identify which devices should run at different run levels. Protect terminal device files by denying world access to user terminal sessions. Configure the screen lock. 2.8.1 Controlling Access Using /etc/inittab and Run Levels A run level is a system state in which a specific set of processes is permitted to run. The processes and default run levels are defined in /etc/inittab. Run levels are 0 through 6, s, or S. If a process is not at the same run level as the system, it is terminated. If a process is at the same run level, it is started or it continues to execute. Following is an example to enable terminals and modems to be run at selected run levels. Both ttp1 and ttp2 are at run levels 2 and 3. 2.8 Protecting Unattended Terminals and Workstations 53 ttp1:23:respawn:/usr/sbin/getty -h tty0p1 9600 ttp2:23:respawn:/usr/sbin/uugetty -h ttypd0p2 9600 Following is an example of changing run levels after normal work hours to disable terminals and modems using a cron job. During the day, the run level is 3 and the ttp1 and ttp2 terminals can be used because they are at run levels 2 and 3. At 8:00 a.m. from Monday through Friday, the system run level is set to 3: # crontab -e 0 8 * * 1-5 /sbin/init 3 0 17 * * * /sbin/init 4 At 5:00 p.m. every day (the 17 in the previous example means 1700 hours or 5:00 p.m.), the system run level is changed to 4. The ttp1 and ttp2 terminals cannot operate after 5:00p.m. because they are at run levels 2 and 3. 2.8.2 Protecting Terminal Device Files If an intruder gains access to an open terminal, they can redirect a command to another terminal window. In the following example, a remove (rm) command is redirected to /dev/tty0p0: # echo "\r rm -r / \r\033d" > /dev/tty0p0 To prevent messages from writing to a terminal, you can use the mesg -n (or mesg n) command. This command revokes write permissions to users who do not have the appropriate privileges. See mesg(1) and write(1) for more information. # vi ~/.shrc mesg n Another way to protect the workstation or terminal is to use the xhost command. See xhost(1) for more information. The xhost command defines the names of hosts and users who are allowed to make connections to the workstation. # xhost +Another.system To allow all systems and users to access the workstation, thereby turning access control off, use the following command: # xhost + 2.8.3 Configuring the Screen Lock This section discusses how to configure the screen lock using the TMOUT variable and the CDE lock manager. 2.8.3.1 Configuring the TMOUT Variable You can configure the TMOUT variable to automatically lock inactive terminals. 54 Administering User and System Security If you use other systems often and if you copy the .profile file from one system to another, then adding the TMOUT variable to the .profile is more convenient. If you typically stay on one system, then either method of locking the terminal can be used. To configure the TMOUT variable, edit the .profile file as shown in the following: # vi ~/.profile export TMOUT=600 # (lock after 600 seconds of inactivity) You can change the 600 to another desired value. 2.8.3.2 Configuring the CDE Lock Manager You can configure the CDE lock manager to lock your screen after a certain amount of inactive time. To configure the CDE lock manager to lock the screen after 10 minutes of inactive time, enter the following commands: # cp /usr/dt/config/C/sys.resources /etc/dt/config/C/sys.resources # vi /etc/dt/config/C/sys.resources dtsession*lockTimeout: 10 You can also use the Style Manager task panel to adjust the CDE lock manager. To do this, click on the screen icon. 2.9 Protecting Against System Access by Remote Devices To protect against system penetration by remote access, observe the following precautions: • • • • • • • Require the use of a hardware dial-back system for all interactive modems. Require an additional password from modem users by adding an entry for the modem device in /etc/dialups and, optionally, /etc/d_passwd. See Section 2.9.1. Have users renew their dial-in accounts frequently. Cancel system access promptly when a user is no longer an employee. Establish a regular audit schedule to review remote usage. Connect the modems and dial-back equipment to a single HP-UX system, and allow network services to reach the destination system from that point. Make exceptions to dial-back for UUCP access. Additional restrictions are possible through proper UUCP configuration. See uucp(1) for more information. Another potential exception is file transfer via kermit. See kermit(1) for more information. • • If a security breach with unknown factors occurs, shut down both network and telephone access and inform the network administrator. To maximize security when configuring a dial-back modem system, dedicate the dial-out mechanism to the dial-out function only. Do not configure it to accept dial-in. Use another modem on another telephone line for your dial-in service. 2.9 Protecting Against System Access by Remote Devices 55 • • • • • Keep telephone numbers for modems unlisted and on a different system from other business phones. Do not publicize the dial-in phone numbers. Physically secure the modems. Use caller ID to identify all incoming calls to the modems. Do not allow call forwarding or other extra phone services on the modem lines. Do not use cell phone modems. For remote and local access, consider installing an HP-UX AAA server product. Using the industry-standard Remote Authentication Dial-In User Service (RADIUS) protocol, the HP-UX AAA Server provides authentication, authorization, and accounting of user network access at the entry point to a network. See the HP-UX AAA Server Administrator's Guide for more information. 2.9.1 Controlling Access Using /etc/dialups and /etc/d_passwd For additional security in identifying remote users, add entries into the /etc/dialups and /etc/d_passwd files. These files are used to control the dialup security feature of login. See dialups(4) and login(1) for more information. If the /etc/dialups file exists, the login process compares the terminal to those listed in /etc/dialups. If the terminal exists in /etc/dialups, a password is requested by login. That password is compared to those in /etc/d_passwd. In addition, the /etc/passwd file is used to verify the password. Following is an example of configuring the /etc/dialups file: # vi /etc/dialups (list the terminals that are allowed) /dev/ttyd0p1 /dev/ttyd0p2 # vi /etc/d_passwd /usr/bin/sh:xxxencrypted-passwordxxxxxxxxx:comments /usr/bin/ksh:xxxencrypted-passwordxxxxxxxx:comments /sbin/sh:xxxencrypted-passwordxxxxxxxxx:comments The user sees: Login: Password: Dialup password: To change passwords in /etc/d_passwd, use the passwd command as follows: # passwd -F /etc/d_passwd shell_path The shell_path is the shell path listed in /etc/d_passwd. 56 Administering User and System Security 2.10 Securing Login Banners Login banners are often used to display such system information as the system name, release version, and purpose of the system. This information can help an unauthorized user to learn more about the system. Following are some guidelines for creating more secure login banners: • • • Consult the legal department to determine an appropriate message. Add a warning to the banner message prohibiting unauthorized use. Be consistent in what is displayed in all banners regardless of the login method. You can modify a banner in the following ways: • Modify the login banner defined in /etc/copyright and /etc/motd. • Modify the telnet banner defined in/etc/issue. The telnetd -b banner file command defines a custom banner. To use /etc/issue as the login banner, add the following lines to the /etc/inetd.conf file: telnet stream tcp nowait root /usr/lbin/telnetd \ telnetd -b /etc/issue When inetd starts telnetd, the banner in /etc/issue is used. See inetd(1M), telnetd(IM), and inetd.conf(4) for more information. • Modify the ftp banner defined in /etc/ftpd/ftpaccess, which is the ftpd configuration file. Other displayed messages are defined in /etc/ftpd/ ftpaccess: greeting, banner, host name, and message. See ftpdaccess(4) and ftpd(1M) for more information. Following is an unsecured telnet example showing a login banner: # telnet computerAmy The telnet login banner shows the release version and machine type. If an unauthorized user tries to use telnet to access computerAmy, this might be too much information. Following is a telnet example showing a more secure login banner: $ telnet computerMom Trying... Connected to computerMom.city.company.com. Escape character is '^]'. Local flow control on Telnet TERMINAL-SPEED option ON ************************************************************** This is a private system operated for Hewlett-Packard company business. Authorization from HP management is required to use this system. Use by unauthorized persons is prohibited. ************************************************************* login: Connection closed by foreign host. 2.10 Securing Login Banners 57 2.11 Protecting the root Account Following are suggestions for protecting the root account: • Do not share the root password. • Do not use / as the root home directory. • Examine output from last -R and lastb -R for unusual or failed root logins and to see who has logged in as root. • Examine /var/adm/sulog for attempts to use the su root command. • Look for unauthorized accounts with a UID of zero (0); use the logins -d command. The following sections discuss how to protect the root account in more detail. 2.11.1 Monitoring root Account Access If you have two or more system administrators that need root access, following are some suggestions for how to track them: • Allow only direct root logins on the system console. Create the /etc/securetty file with the single entry, console, as follows: #echo console > /etc/securetty This restriction applies to all login names that have a UID of zero (0). See login(1) for more details. • Require administrators to use the su root command from their personal account to access root. For example: login:me $ su root password:xxxx • Monitor /var/adm/sulog to see who has accessed root using su. • Configure a separate root account for each system administrator. # vipw root:xxx:0:3::/home/root:/sbin/sh root1:xxx:0:3::/home/root1:/sbin/sh root2:xxx:0:3::/home/root2:/sbin/sh • Monitor each system administrator's history file as follows: #more ~root1/.sh_history #more ~root2/.sh_history • Monitor successful and failed su attempts in /var/adm/syslog. 2.11.2 Using the Restricted SMH Builder for Limited Superuser Access If you need to give limited superuser access to a nonsuperuser, you can activate the Restricted SMH Builder. Using the Restricted SMH Builder, you can enable or disable selected SMH areas for the user. To activate the Restricted SMH Builder, enter: 58 Administering User and System Security # smh -r When users with restricted access execute SMH, they will have superuser status in the defined areas and will only see those SMH areas in the menu. All other areas of SMH will be hidden from the user. When users without access permissions execute SMH, they will receive an error message stating they must be superuser. You can also add more applications to SMH and set them up for restricted access. 2.11.3 Reviewing Superuser Access The /var/adm/sulog file logs all attempts of the su root command including failures. Successful attempts are flagged with a plus (+) and failures are flagged with a minus (-). Only root can view the /var/adm/sulog file. For example: # su root Password: # ll /var/adm/sulog -rw------- 1 root root 690 Aug 17 19:37 /var/adm/sulog In the following example, userone has successfully used the su command to access root. A second user, usertwo, has not been successful. In addition, usertwo has not been successful in using su to access gooduser1 either. # more /var/adm/sulog SU 08/17 19:10 + 0 userone-root SU 08/17 19:36 - 0 usertwo-root SU 08/17 19:36 - 0 usertwo-root SU 08/17 19:36 + 0 userone-root SU 08/17 19:37 - 0 usertwo-gooduser1 2.11 Protecting the root Account 59 60 3 HP-UX Standard Mode Security Extensions This chapter describes the HP-UX Standard Mode Security Extensions (HP-UX SMSE). The following topics are discussed: • Overview (Section 3.1) • Security attributes and the user database (Section 3.2) 3.1 Overview HP-UX Standard Mode Security Extensions (HP-UX SMSE) is a group of features that enhances both user and operating system security. HP-UX SMSE includes enhancements or changes to the HP-UX auditing system, passwords, and logins for systems in standard mode. Previously, these features were supported only on systems converted to trusted mode. With HP-UX SMSE, you can use these features on a standard mode system. NOTE: HP does not recommend that you use HP-UX SMSE on systems running in trusted mode. HP-UX SMSE makes available in standard mode many account and password policies currently available only by converting an HP-UX system to trusted mode. Policies configured with HP-UX SMSE are not enforced on systems running in trusted mode. To determine whether a system has been converted to trusted mode, check for the following file: /tcb/files/auth/system/default If this file exists, the system is running in trusted mode. To convert the system back to standard mode, use the sam(1M) command. Refer to security(4) for more information on configurations supported with each of the HP-UX SMSE security features. HP-UX SMSE offers a new feature, user database. Previously, all HP-UX security attributes and password policy restrictions were set on a systemwide basis. The introduction of the user database enables you to set security attributes on a per-user basis that overrides systemwide defaults. The following trusted mode features are available in standard mode with HP-UX SMSE: • • • • • • • Audit all users and events on a system Display the last successful and unsuccessful user logins Lock a user account if there are too many authentication failures Display password history Expire inactive accounts Prevent users from logging in with a null password Restrict user logins to specific time periods 3.1 Overview 61 • • Usage of the userdbset command can be restricted based on a user’s authorizations. See userdbset(1M) for more information. The userstat command displays the account status of local users. It checks the status of local user accounts and reports abnormal conditions, such as account locks. See userstat(1M) for more information. 3.2 Security Attributes and the User Database Previously, in standard mode, all HP-UX security attributes and password policy restrictions were set on a systemwide basis. The introduction of the user database enables you to set security attributes on a per-user basis, which override systemwide defaults. 3.2.1 System Security Attributes A security attribute defines how to control security configurations, such as passwords, logins, and auditing. The security attributes description file, /etc/security.dsc, lists the attributes that can be defined either in /etc/default/security, in the user database in /var/adm/userdb, or in both files. Some attributes are configurable and some are internal. CAUTION: Do not modify the /etc/security.dsc file in any way. When a user logs in, the system checks for applicable security attributes in the following order: 1. The system examines per-user attributes in the following locations: • /var/adm/userdb • /etc/passwd • /etc/shadow NOTE: For each per-use attribute, a value is stored in one of the three files above. Refer to security(4) to see which attributes are stored in each file. 2. 3. If there is no per-user value, then the system examines the configured systemwide attributes in /etc/default/security. If there are no configured systemwide attributes, then the system uses the default attributes in /etc/security.dsc. 3.2.2 Configuring Systemwide Attributes To configure systemwide attributes, follow these steps: 1. 62 Plan your configuration using available resources. Refer to security(4) for information about configuring systemwide attributes. HP-UX Standard Mode Security Extensions 2. To change a systemwide default, edit the /etc/default/security file with a text editor such as vi. Comments begin with a pound sign (#). Attributes are written in attribute=value format. For example, to set the systemwide minimum number of uppercase characters in a password to two (2), enter the following values into /etc/default/security: PASSWORD_MIN_UPPER_CASE_CHARS=2 NOTE: Changes to systemwide security attributes do not take effect immediately. Password attributes take effect the next time users change their passwords. Login attributes take effect the next time users log in. 3.2.3 User Database Components The user database feature of HP-UX SMSE includes files, commands, manpages, and per-user attributes you can apply to specific users on your HP-UX system. All these elements of the user database are described in the following sections. 3.2.3.1 Configuration Files Table 3-1 briefly describes the files you use with the user database. Table 3-1 User Database Configuration Files File Description /var/adm/userdb Stores most per-user information. 3.2.3.2 Commands Table 3-2 briefly describes the commands you can use to modify and administer entries in the user database. Table 3-2 User Database Commands Command Description userdbset Changes attribute values configured in the user database. userdbget Displays attribute values configured in the user database. userdbck Verifies the integrity of the information in the user database. userstat Reports the status of local user accounts. 3.2.3.3 Attributes The following security attributes are available for individual users: 3.2 Security Attributes and the User Database 63 Table 3-3 User Attributes Attribute Description ALLOW_NULL_PASSWORD Allows or denies login with a null password. AUDIT_FLAG Audits or stops auditing the user. AUTH_MAXTRIES Defines the number of login failures allowed before a user is locked out of the system. DISPLAY_LAST_LOGIN Displays information about the user's last login. LOGIN_TIMES Restricts login time periods. MIN_PASSWORD_LENGTH Defines the minimum password length. NUMBER_OF_LOGINS_ALLOWED Defines the number of simultaneous logins allowed per user. PASSWORD_HISTORY_DEPTH Defines the password history depth. PASSWORD_MIN_LOWER_CASE_CHARS Defines the minimum number of lowercase characters required in a password. PASSWORD_MIN_UPPER_CASE_CHARS Defines the minimum number of uppercase characters required in a password. PASSWORD_MIN_DIGIT_CHARS Defines the minimum number of digit characters required in a password. PASSWORD_MIN_SPECIAL_CHARS Defines the minimum number of special characters required in a password. UMASK Defines the umask for file creation. NOTE: The previous list contains only security attributes that can be configured in the user database. For a complete list of HP-UX system security attributes, refer to security(4). 3.2.3.4 Manpages Table 3-4 briefly describes the manpages you use with the user database. Table 3-4 User Database Manpages 64 Manpage Description userdb(4) Provides an overview of the use of the user database. userdbset(1M) Describes userdbset functionality and syntax. userdbget(1M) Describes userdbget functionality and syntax. userdbck(1M) Describes userdbck functionality and syntax. userstat(1M) Describes the userstat functionality and syntax. HP-UX Standard Mode Security Extensions 3.2.4 Configuring Attributes in the User Database In previous HP-UX systems, security attributes and password policy restrictions were set a systemwide basis. With HP-UX SMSE, you can configure some security attributes on a per-user basis. Attributes configured per-user override systemwide configured attributes. To modify a user's attribute values, follow these steps: 1. Decide which users to modify and which attributes will apply to them. For example, you want user joe to be able to log in to the system only from 8am to 5pm on Mondays. 2. Change the attributes using the userdbset command as follows: # userdbset -u user-name attribute-name=attribute-value For example, to specify that user joe can log in to the system only from 8am to 5pm, enter: # userdbset -u joe LOGIN_TIMES=Mo0800-1700 3.2.5 Troubleshooting the User Database Use the following procedures to troubleshoot the user database. Problem 1: A user's security attributes seems to be misconfigured. If you suspect that user information is misconfigured in the user database, run the following command: # userdbget -u username The attributes configured for the user username are displayed. If an attribute is misconfigured, reconfigure the attribute. Refer to “Configuring Attributes in the User Database” for instructions. Problem 2: The user database is not functioning properly. database, run the following command: If you need to check the user # userdbck The userdbck command identifies and repairs problems in the user database. 3.2 Security Attributes and the User Database 65 66 4 Remote Access Security Administration HP-UX provides several remote access services, such as file transfer, remote login, remote command execution, management of IP addresses and network clients, routing protocols, mail exchange, network services, and a security mechanism spawned by inetd, the Internet super daemon. This • • • • • • chapter discusses the following topics: Overview of internet services and remote access services (Section 4.1) The inetd Daemon (Section 4.2) Protection against spoofing with TCP wrappers (Section 4.3) Secure internet services (Section 4.4) Controlling an administrative domain (Section 4.5) Securing remote sessions using HP-UX Secure Shell (SSH) (Section 4.6) 4.1 Overview of Internet Services and Remote Access Services This section provides brief descriptions of the authentication or authorization mechanism used by various Internet Services, and the security risks. For more information, see the HP-UX Internet Services Administrator's Guide and Using HP-UX Internet Services: http://www.hp.com/go/hpux-networking-docs Click HP-UX 11i v3 Networking Software. The HP-UX Internet Services provides authentication, either through password verification or authorization that is set up in a configuration file. See Table 4-1 for a list of Internet Services components and their access verification or authorization mechanism. Table 4-1 Internet Services Components and Access Verification, Authorization, and Authentication Internet Services Component Access Verification, Authorization, or Authentication Mechanism ftp (file transfer) Password verification. Also can use Kerberos authentication mechanism defined in /etc/inetsvcs.conf. See ftp(1). rcp (remote copy) Entry in $HOME/.rhosts or /etc/hosts.equiv file. Also can use Kerberos authentication mechanism defined in /etc/inetsvcs.conf. See rcp(1). rdist (remote file distribution) Entry in $HOME/.rhosts or /etc/hosts.equiv file. See rdist(1). remsh, rexec (execute from remote shell) Entry in $HOME/.rhosts or/etc/hosts.equiv file. Also can use Kerberos authentication mechanism defined in /etc/inetsvcs.conf. See remsh(1). 4.1 Overview of Internet Services and Remote Access Services 67 Table 4-1 Internet Services Components and Access Verification, Authorization, and Authentication (continued) Internet Services Component Access Verification, Authorization, or Authentication Mechanism rlogin (remote login) Password verification or entry in $HOME/.rhosts or /etc/hosts.equiv file. Also can use Kerberos authentication mechanism defined in /etc/ inetsvcs.conf. See rlogin(1). telnet (remote login using Password verification. If the TAC User ID option is enabled by the telnetd TELNET protocol) daemon, telnet uses $HOME/.rhosts or /etc/hosts.equiv file. See telnet(1) and telnetd(1M). NOTE: Information (including passwords) is passed between two systems in clear text and is not encrypted. Use Internet Services only between hosts that are well-known and defined to each other and within a private internal network behind a firewall. When communicating over an untrusted network, secure the communications using IPSec or Kerberos Remote Access Services connect remote systems in a network. By default, the remote access services function in a nonsecure environment. To function in a secure environment, enable the Kerberos V5 network authentication. In a nonsecure environment, you must have a login name and password to access a remote system, and the login name is not checked for authentication and authorization. In a secure environment, you need not have a login name and password. When you attempt to connect to a remote system, the Kerberos protocol checks if the user is allowed to access the remote system. 4.1.1 Securing ftp An unauthorized user might try to gain access to a system by using the ftp command. Following are some suggestions to prevent this problem: • • Enable ftp logging in /etc/inetd.conf by using the ftpd -l command. Review the ftp logs in /var/adm/syslog/syslog.log and /var/adm/ syslog/xferlog for unusual remote access attempts. See syslogd(1M) and xferlog(5). • Deny ftp access to guest, root, and other accounts by listing them in /etc/ ftpd/ftpusers. See ftpusers(4). • Regularly search and remove users' ~/.netrc files. The .netrc file contains login, password, and account information used by the ftp autologin process, by the rexec() library routine, and by the rexec command. See netrc(4). 68 Remote Access Security Administration 4.1.2 Securing Anonymous ftp If a $HOME/.rhosts file is put into /home/ftp, then an unauthorized user could use rlogin to log in as the user, ftp. The .rhosts file specifies hosts and users that are allowed access to a local account using rcp, remsh, or rlogin without a password. For more information, see hosts.equiv(4). Following are some suggestions to making anonymous ftp more secure: • Make sure that neither /home/ftp nor any of its children is writable: $chmod -R a -w /home/ftp • Make sure that the ftp entry in /etc/passwd is correctly configured: ftp:*:500:100:Anonymous FTP user:/var/ftp:/usr/bin/false • Make sure that all passwords in ~ftp/etc/passwd are asterisks (*): $more ~ftp/etc/passwd root:*:0:3::/:/usr/bin/false daemon:*:1:5::/:/usr/bin/false • If you must have a writable pub directory, use 1733 permissions: $chmod 1733 /home/ftp/pub • Use disk quotas or a cron job to control the size of /home/ftp/pub: 0 1 * * * find /home/ftp/pub/* -atime +1 exec rm -rf {} \; • Check anonymous ftp activity in /var/adm/syslog/syslog.log: $tail /var/adm/syslog/syslog.log 4.1.3 Denying Access Using /etc/ftpd/ftpusers The inetd daemon runs the file transfer protocol server, ftpd, when a service request is received at the port indicated in /etc/services. The ftpd server rejects remote logins to local user accounts which are listed in /etc/ftpd/ftpusers. These user accounts are known as restricted accounts. See ftpd(1M), privatepw(1), and services(4). In the /etc/ftpd/ftpusers file, each restricted account name must appear by itself on a line. Also add user accounts with restricted login shells that are defined in /etc/ passwd, because ftpd accesses local accounts without using their login shells. If /etc/ftpd/ftpusers does not exist, ftpd does not perform a security check. For more information, see ftpusers(4). On HP-UX 11i, the ftpd daemon is based on WU-FTPD. WU-FTPD is the HP implementation of the ftpd daemon developed at Washington University. WU-FTPD includes increased access control, enhanced logging capabilities, virtual hosts support, and RFC1413 (Identification Protocol) support.: For more information, see the HP-UX Remote Access Services Administrator's Guide: http://www.hp.com/go/hpux-networking-docs Click HP-UX 11i v3 Networking Software. 4.1 Overview of Internet Services and Remote Access Services 69 4.1.4 Other Security Solutions for Spoofing Spoofing is a method of pretending to be a valid user or host to gain unauthorized access to a system. Because IP addresses and hostnames can be spoofed, using the /var/adm/inetd.sec security file for inetd (the internet daemon) is not a guaranteed security solution. See Section 4.2 for information about inetd. The following security features or products are alternative security solutions: • IPFilter is a TCP/IP packet filter suitable for use as a system firewall to protect application servers. For information on HP-UX IPFilter, see the HP-UX IPFilter Administrator's Guide: www.hp.com/go/hpux-security-docs Click HP-UX IPFilter Software. • TCP Wrappers provides a TCP wrapper daemon, tcpd, that is invoked by inetd to provide additional security. For more information, see Section 4.3 and the HP-UX Internet Services Administrator's Guide: http://www.hp.com/go/hpux-networking-docs Click HP-UX 11i v3 Networking Software. • Secure Internet Services allows use of Kerberos authentication and authorization for ftp, rcp, remsh, rlogin, and telnet. Instead of user passwords, encrypted Kerberos authentication records transmit over the network. For more information, see the following: — Section 4.4 — Installing and Administering Internet Services: http://www.hp.com/go/hpux-networking-docs Click HP-UX 11i v3 Networking Software. — Configuration Guide for Kerberos Client Products on HP-UX: www.hp.com/go/hpux-security-docs Click HP-UX Kerberos Data Security Software. • IPSec, an IP security protocol suite, provides security for IP networks such as data integrity, authentication, data privacy, application-transparent security, and encryption. For information on HP-UX IPSec, see the HP-UX IPSec Administrator's Guide: www.hp.com/go/hpux-security-docs Click HP-UX IPSec Software. 4.2 The inetd Daemon The Internet daemon, /usr/sbin/inetd, is the master server for many Internet Services. 70 Remote Access Security Administration The inetd daemon is usually started automatically by the /sbin/init.d/inetd script as part of the boot process. The inetd daemon monitors for connection requests for the services listed in the /etc/ inetd.conf configuration file, and spawns the appropriate server on receiving a request. In other words, users connect to remote systems by using an Internet Service, such as telnet. The inetd daemon determines if a telnet connection from the host is allowed before completing the connection. The host information for allowing or denying access is in the /var/adm/inetd.sec file. The inetd daemon works as follows: 1. 2. 3. 4. 5. 6. 7. 8. Starts at run level 2 during system boot. (if the following command is in the system startup script: /sbin/init.d/inetd start) Checks /etc/inetd.conf to determine which services to provide. For more information, see ftp(1) and inetd.conf(4). Checks /etc/services to determine which ports to monitor for the services listed in /etc/inetd.conf. The /etc/services file maps service names to port numbers. For more information, see services(4). Receives an Internet Service connection request from a client. For example, someone runs telnet. Consults /var/adm/inetd.sec to determine if the client is permitted access. For more information, see inetd.sec(4). Logs the request in /var/adm/syslog/syslog.log if logging is enabled. For more information, see syslogd(1M). If inetd refuses the connection for security reasons, the connection is shut down. If the connection request is valid, inetd starts a server process to handle the valid connection request. The server process can have other security features in addition to inetd. 4.2.1 Securing inetd The /etc/inetd.conf file is the inetd configuration file, which lists the services that the inetddaemon can start. Each service listed in /etc/inetd.conf must also appear in the /etc/services file. The /etc/services file maps service names to port numbers. Each port number has an associated protocol name, such as tcp or udp. Every entry for a protocol must have a matching entry in the /etc/protocols file. The following suggestions can make inetd more secure: • Enable inetd logging in /etc/rc.config.d/netdaemons. For more information, see rc.config.d(4). • Review /etc/inetd.conf and /etc/services for changes. An unauthorized user might have gained root access and modified the /etc/services and /etc/ inetd.conf files. In /etc/inetd.conf, look for names of services you are not using. In /etc/services, look for port numbers that are not registered with the 4.2 The inetd Daemon 71 • • • Internet Assigned Numbers Authority (IANA) at http://www.iana.org. Verify that the port numbers listed for Internet Services match port numbers registered with IANA. Comment out unnecessary services, such as finger, in /etc/inetd.conf. The finger command displays user information without needing a password. Comment out Remote Procedure Calls (RPC) services in /etc/inetd.conf. Comment out inetd "internal trivial" services in /etc/inetd.conf to avoid denial-of-service attacks. A malicious user might overload inetd with chargen (character generator) requests. For more information, see inetd(1M) and inetd.conf(4). 4.2.1.1 Denying or Allowing Access Using /var/adm/inetd.sec In addition to configuring the /etc/inetd.conf file, you can configure an optional security file called /var/adm/inetd.sec to restrict access to the services started by inetd. The /var/adm/inetd.sec file lists which hosts are allowed or denied access to each service. For more information, see inetd.conf(4). For example: login allow 10.3-5 192.34.56.5 ahost anetwork login deny 192.54.24.5 cory.example.edu.testlan 4.3 Protection Against Spoofing with TCP Wrappers Transmission Control Protocol (TCP) Wrappers provide enhanced security for services spawned by inetd. TCP Wrappers are an alternative to using /etc/inetd.sec. TCP Wrappers provide protection against host name and host address spoofing. Spoofing is a method of pretending to be a valid user or host to gain unauthorized access to a system. To prevent spoofing, TCP Wrappers uses Access Control Lists (ACLs). The ACLs are lists of systems in the /etc/hosts.allow and /etc/hosts.deny files. TCP Wrappers provide some protection against IP spoofing when configured to verify host name to IP address mapping and to reject packets with IP source routing. However, TCP Wrappers do not provide cryptographic authentication or data encryption. Like inetd, information is passed in clear text. TCP Wrappers are part of the HP-UX Internet Services software. For more information, see the HP-UX Internet Services Administrator's Guide: http://www.hp.com/go/hpux-networking-docs Click HP-UX 11i v3 Networking Software. You can also see the following manpages: tcpd(1M), tcpdmatch(1), tcpdchk(1), tcpd.conf(4), hosts_access(3), hosts_access(5), and hosts_options(5). 72 Remote Access Security Administration When you enable TCP Wrappers, inetd runs a TCP wrapper daemon, tcpd, instead of running the requested service directly. The TCP Wrappers work as follows: 1. 2. 3. 4. 5. Clients send connection requests to inetd as they normally do, for example, telnet. Instead of invoking the server process, inetd calls the TCP Wrapper daemon (tcpd). The TCP Wrapper daemon determines the validity of the client's connection request. The tcpd daemon logs the request and checks the access control files (/etc/ hosts.allow and /etc/hosts.deny). If the client is valid,tcpd calls the appropriate server process. The server process processes the client's request, for example, the telnet connection completes. 4.3.1 Additional Features of TCP Wrappers You can also define configuration parameters in the /etc/tcpd.conf configuration file, such as logging behavior, user name lookups, and reverse look up failure behavior. The tcpd daemon reads this configuration file to look for configuration parameters during run time. You can configure the /etc/hosts.allow and /etc/hosts.deny files for other security features, such as trap setting and banner message. The trap setting feature of TCP Wrappers enables you to trigger appropriate action on the host depending upon the number of denied connection attempts from a remote host. The banner message feature causes a message to be sent to the client when an ACL rule is included in an access control file. 4.3.2 TCP Wrappers Do Not Work with RPC Services TCP Wrappers do not work with remote procedure call (RPC) services over TCP. These services are registered as rpc or tcp in the /etc/inetd.conf file. The only important service that is affected by this limitation is rexd, used by the on command. 4.4 Secure Internet Services Secure Internet Services (SIS) is an optionally enabled mechanism that incorporates Kerberos V5 authentication and authorization for remote access services: ftp, rcp, remsh, rlogin, and telnet. Secure Internet Services is part of the HP-UX Internet Services product, which is documented in Using HP-UX Internet Services: http://www.hp.com/go/hpux-networking-docs Click HP-UX 11i v3 Networking Software. You can also see the following manpages: 4.4 Secure Internet Services 73 sis(5), kinit(1), klist(1), kdestroy(1M), krbval(1M), k5dcelogin(1M), inetsvcs_sec(1M), and inetsvcs(4). When you run SIS commands, the security is enhanced because you no longer have to transmit a password in readable form over the network. NOTE: The SIS libraries do not encrypt the session beyond what is necessary to authorize you or to authenticate the service. Therefore, these services do not provide integrity checking or encryption services on the data or on remote services. To encrypt the data, use OpenSSL. For more information, see the OpenSSL Release Notes: www.hp.com/go/hpux-security-docs Click HP-UX OpenSSL Software. When two systems are operating in a Kerberos V5-based secure environment, Secure Internet Services ensures that a local and remote host are identified to each other in a secure and trusted manner and that the user is authorized to access the remote account. For ftp/ftpd, rlogin/rlogind, and telnet/telnetd, the Kerberos V5 authentication mechanism sends encrypted tickets instead of a password over the network to verify and to identify the user. For rcp/remshd and remsh/remshd, the secure versions of these services ensure that the user is authorized to access the remote account. 4.5 Controlling an Administrative Domain All network administration programs should be owned by a protected, network-specific account, such as uucp, nso, or by a daemon, instead of by root. An administrative domain is a group of systems connected by network services that allow users to access one another without password verification. An administrative domain assumes that system users have already been verified by their host system. Use the following steps to identify and control an administrative domain: 1. List the nodes to which you export file systems in /etc/exports. The /etc/ exports file contains entries of a file system path name and a list of systems or groups of systems that are allowed access to the file system. The /etc/exports entries might contain names of groups of systems. You can find out what individual systems are included in a group by checking /etc/netgroup. 2. List the nodes that have equivalent password databases in /etc/hosts.equiv. 3. Verify that each node in the administrative domain does not extend privileges to any nodes that are not included. Repeat steps 2 and 3 for each node in the domain. 4. Control root and local security on every node in the administrative domain. A user with superuser privileges on any machine in the domain can acquire those privileges on every machine in the domain. 74 Remote Access Security Administration 5. 6. Maintain consistency of user name, uid, and gid among password files in the administrative domain. Maintain consistency among any group files on all nodes in the administrative domain. For example, to check consistency with the hq and mfg systems, if the root file system of the mfg system is remotely mounted to hq as /nfs/mfg/, enter the following diff command: $diff /etc/group /nfs/mfg/etc/group If any differences are displayed, the two /etc/group files are inconsistent and they should not be. 4.5.1 Verifying Permission Settings on Network Control Files The network control files in the /etc directory are security targets because they provide access to the network itself. Network control files should never be writable by the public. Set the modes, owners, and groups on all system files carefully. Check these files regularly for any changes and correct any changes. The most commonly used network control files are as follows: • /etc/exports List of file directories that can be exported to NFS clients. For more information, see exports(4). • /etc/hosts List of network hosts and their IP addresses. For more information, see hosts(4). • /etc/hosts.equiv List of remote hosts that are allowed access and that are equivalent to the local host. For more information, see hosts.equiv(4). • /etc/inetd.conf Internet Services configuration file. For more information, seeinetd.conf(4). • /etc/netgroup List of networkwide groups. For more information, seenetgroup(4). • /etc/networks List of network names and their network numbers. For more information, see networks(4). • /etc/protocols List of protocol names and numbers. For more information, see protocols(4). • /etc/services List of official service names and aliases with the port number and protocol that the services use. For more information, see services(4). 4.5 Controlling an Administrative Domain 75 4.6 Securing Remote Sessions Using HP-UX Secure Shell (SSH) HP-UX Secure Shell is based on the OpenSSH product, an open source SSH product (http://www.openssh.org). It enables a secure connection between a client and a remote host over an otherwise insecure network. Following are the key attributes of this secure connection: • • • Strong authentication for both client and the remote host. Strong encryption and public key cryptography for communication between a client and the remote host. A secure channel for the client to use to execute commands on the remote host. HP-UX Secure Shell offers a secure replacement for such commonly used functions and commands as telnet, remsh, rlogin, ftp, and rcp. For HP-UX Secure Shell documentation see the ssh(1) manpage for the ssh client and to the sshd(8) manpage for the sshd server. Both manpages include references to the other HP-UX Secure Shell manpages that come with the product. Also see the HP-UX Secure Shell Release Notes: www.hp.com/go/hpux-security-docs Click HP-UX 11i Secure Shell Software. 4.6.1 Key Security Features of HP-UX Secure Shell The key security features of HP-UX Secure Shell include the following: • Strong encryption All communication between the client and the remote host is encrypted using patent-free encryption algorithms, such as Blowfish, 3DES, AES, and arcfour. Authentication information, such as passwords, is never sent in clear text across the network. Encryption in conjunction with strong public key-based cryptography also provides protection against potential security attacks. • Strong authentication HP-UX Secure Shell supports a strong set of authentication methods between client and server. The authentication can be two-way: the server authenticates the client, and the client authenticates the server. This protects the session against a variety of security issues. The supported authentication methods are described Section 4.6.5. • Port forwarding The redirection of TCP/IP connections between a client and a remote host (and back) is referred to as port forwarding or SSH tunneling. HP-UX Secure Shell supports port forwarding. For example, ftp traffic between a client and a server (or email traffic between an email client and a POP/IMAP server) can be redirected using port forwarding. Instead of the client directly communicating with its server, the traffic 76 Remote Access Security Administration can be redirected to an sshd server over a secure channel, and the sshd server can then forward the traffic to a designated port on the real server machine. • Integration with underlying HP-UX security features. The HP-UX Secure Shell product is integrated with important HP-UX security features. For more information, see Section 4.6.7. 4.6.2 Software Components of HP-UX Secure Shell HP-UX Secure Shell software consists of a set of client and server components. See Table 4-2. Table 4-2 Software Components of HP-UX Secure Shell Component Description Location ssh Secure Shell client is a secure replacement for Client telnet and remsh; it is most similar to remsh with security features remsh, telnet, rlogin slogin Symbolic link to ssh Client remsh, telnet, rlogin scp Secure copy client and secure copy server Client and server rcp sftp Secure ftp client Client ftp sshd Secure shell daemon Server remshd, telnetd, rlogind sftp-server Secure ftp daemon Server ftpd ssh-rand-helper Random number generator, which is used Server when sshd is not able to find /dev/random or /dev/urandom on the server. HP-UX is shipped with a kernel-resident random number generator, rng. If rng is deconfigured, sshd uses prngd. Equivalent non-secure component(s) Not applicable ssh-agent Tool for "automatic" key-based login from client to server Client and server rhosts file mechanism ssh-add Tool for making key pairs of the client known to ssh-agent Client Not applicable ssh-keygen Tool for generating key pairs for public key authentication Client Not applicable 4.6 Securing Remote Sessions Using HP-UX Secure Shell (SSH) 77 Table 4-2 Software Components of HP-UX Secure Shell (continued) Component Description Location Equivalent non-secure component(s) ssh-keyscan Tool for a client to gather the public keys for Client a set of hosts running the Secure Shell daemon (sshd) Not applicable ssh-keysign Tools to generate the digital signature required Client during host based authentication is and it is used by ssh() to access the local host keys host based authentication Not applicable 4.6.3 Running HP-UX Secure Shell Before running any of the Secure Shell clients listed in Table 4-2, first start the Secure Shell server daemon, sshd. The sshd daemon obtains its initial configuration values from the sshd_config file, located in the /opt/ssh/etc directory on the server system. One of the most important configuration directives in sshd_config is the set of authentication methods supported by the sshd daemon. See Section 4.6.5 for more information. 4.6.3.1 Running the ssh Client The ssh client application establishes a socket connection with the sshd server. The sshd server spawns a child sshd process. This child inherits the connection socket and authenticates the client based on the selected authentication method. A successful secure client session is established only upon successful authentication. After a session is created, all subsequent communication occurs directly between the client and this child sshd process. The client can now execute remote commands on the server. Each command request from the ssh client causes the child sshd process to spawn a shell process to execute that command. In summary, a running ssh client-server session consists of the following processes: • • • 78 On every client system connected to the sshd server, there is one ssh client process for each ssh connection currently established from that client system. On the server system, there is one parent sshd process and as many child sshd processes as there are concurrent ssh clients connected to the server. The number of child sshd processes running on the server doubles if privilege separation is enabled on the server. See Section 4.6.4. On the server system, for each command execution request from a ssh client, the corresponding child sshd process spawns a shell process, and uses a UNIX pipe to communicate the command request to this shell process. This shell process returns the command execution results to the child sshd process using the UNIX pipe and terminates when the command execution is complete. Remote Access Security Administration 4.6.3.2 Running the sftp Client The sftp client application causes the sftp client process to spawn the ssh client, and then communicates with it using a UNIX pipe. The ssh client then establishes a socket connection with the sshd server. The rest of the server interaction is similar to the ssh client case described in Section 4.6.3.1. The difference is that instead of spawning a shell to execute the remote command, the child sshd process spawns the sftp-server process. All subsequent communication during this sftp session occurs among the following processes: • • • The sftp client and the ssh client, on the client system, using a UNIX pipe. The ssh client and the child sshd process, over the established connection socket. The child sshd process and the sftp server process, using a UNIX pipe. 4.6.3.3 Running the scp Client The scp client case is almost identical with the sftp client execution. The difference is that instead of spawning the sftp-server process, the child sshd process spawns the scp process. All subsequent communication during the scp session occurs among the following processes: • • • The scp client and the ssh client, on the client system using a UNIX pipe. The ssh client and the child sshd process, over the established connection socket. The child sshd process and the scp server process, using a UNIX pipe. 4.6.4 HP-UX Secure Shell Privilege Separation HP-UX Secure Shell offers a more enhanced level of security through the privileged separation feature. As described in Section 4.6.3, both the parent sshd and the child sshd processes run as privileged users. When privilege separation is enabled, one extra process is spawned per user connection. When an ssh client connects to an sshd server which is configured for privilege separation, the parent sshd process spawns a privileged child sshd process. When privilege separation is enabled, the child sshd process spawns an additional nonprivileged child sshd process. This nonprivileged child sshd process then inherits the connection socket. All subsequent communication between client and server occurs with this nonprivileged child sshd process. Most remote command execution requests from the client are nonprivileged, and are handled by a shell spawned under this nonprivileged child sshd process. When the nonprivileged child sshd process needs a privileged function to be executed, it communicates with its privileged parent sshd process using a UNIX pipe. Privilege separation helps contain potential damage from an intruder. For example, if a buffer overflow attack occurs during a shell command execution, control is within the nonprivileged process, thereby containing the potential security risk. 4.6 Securing Remote Sessions Using HP-UX Secure Shell (SSH) 79 NOTE: Privilege separation is the default configuration for HP-UX Secure Shell. You can turn off privilege separation by setting UsePrivilegeSeparation NO in the sshd_config file. Because of the potential security risk, turn off privilege separation only after careful consideration. 4.6.5 HP-UX Secure Shell Authentication HP-UX Secure Shell supports the following authentication methods: • • • • GSS-API (Kerberos-based client authentication) Public key authentication Host-based authentication Password authentication When a client connects with a remote sshd daemon, it selects the desired authentication method (one of the methods listed previously), and either presents the appropriate credentials as part of the connection request or responds to a prompt sent back by the server. All authentication methods work in this way. The server requires the appropriate key, pass phrase, password, or credentials from the client to establish a successful connection. You can choose to have the sshd instance support only a subset of the supported authentication methods based on security requirements. Although HP-UX Secure Shell supports the authentication methods listed previously, system administrators can limit the authentication methods offered by an sshd instance, based on the specific security requirements of their environment. For example, an HP-UX Secure Shell environment can dictate that all clients must authenticate using the public key or Kerberos methods. As a result, may disable the remaining methods. The enabling and disabling of supported authentication methods is through configuration directives specified in the sshd_config file. When an ssh client connection request is made, the server first responds with its list of supported authentication methods. This list represents the authentication methods supported by the sshd server and the sequence in which these methods will be tried. The client can omit one or more of those authentication methods. The client can also change the sequence in which the methods are attempted. You achieve this with a configuration directive in the client configuration file, /opt/ssh/etc/ssh_config. The authentication methods supported by HP-UX Secure Shell are summarized in the following sections. 4.6.5.1 GSS-API With the Generic Security Service application Programming Interface (GSS-API), a Kerberos-based client authentication, the client must obtain Kerberos credentials in advance, and also have a Kerberos configuration file present in the appropriate client 80 Remote Access Security Administration directory. When a client connects with an sshd daemon, it presents its credentials at connection time. The server matches these credentials with its copy of credentials for this specific user. Also, the server can optionally establish the legitimacy of the client's host environment. For more information, see gssapi(5), kerberos(9) and the HP-UX Kerberos Data Security documentation: www.hp.com/go/hpux-security-docs Click HP-UX Kerberos Data Security Software. 4.6.5.2 Public Key Authentication For public key authentication, the Secure Shell environment must have the following setup: • Both the client and server must have a key pair. Every ssh client and every sshd server must generate a key pair for themselves using the ssh-keygen utility. • The client must make its public key known to all sshd servers it needs to communicate with. Do this by copying every client's public key into a predetermined directory on every relevant server. • The client must acquire the public key for every server it needs to communicate with. The client acquires the public keys using the ssh-keyscan utility. After this setup is completed, ssh clients connecting to sshd servers are authenticated using public and private keys. For more information on public key cryptography, see public key cryptography. HP-UX Secure Shell offers an additional feature for streamlining public key authentication. For some environments, you might want the convenience of not having to respond to password prompts all the time. You can eliminate the need to respond to password prompts by using a combination of the ssh-agent and ssh-add processes, both running on the client machine. The client registers all its key information with the ssh-agent process through the ssh-add utility. Then, public key authentication between client and server is facilitated by ssh-agent without the sshd daemon having to interact with the client. 4.6.5.3 Host-Based and Public Key Authentication Host-based and public key authentication is a more secure extension of the public key authentication method. In addition to having key pairs for both client and server, this method enables client environments to restrict the servers that they will communicate with. Implement this restriction by creating a .rhosts file in the client's home directory. 4.6.5.4 Password Authentication The password authentication method relies on the existence of a single user ID and password-based login. This login could be based on the user's login specified in /etc/ passwd, or it could be PAM-based. 4.6 Securing Remote Sessions Using HP-UX Secure Shell (SSH) 81 HP-UX Secure Shell is fully integrated with PAM modules available on the server system. For this purpose, the /opt/ssh/etc/sshd_config file carries a UsePAM configuration directive. If set to YES, any password authentication request from the client causes sshd to look at the PAM configuration file (/etc/pam.conf). Password authentication is then done through the configured PAM modules, in sequence, until successful. For more information on PAM authentication, see pam.conf(4). Set the UsePAM directive to NO to ignore PAM authentication. Then any password authentication request from the client causes sshd to ignore PAM configuration settings on the server. Instead, sshd obtains user password information by directly calling the getpwnam library call HP-UX Secure Shell has been tested with PAM_UNIX, PAM_LDAP and PAM_KERBEROS. It is also expected to work with other PAM modules, such as PAM_DCE and PAM_NTLM. 4.6.6 Communication Protocols HP-UX Secure Shell users can connect with a remote sshd daemon using the SSH-1 or SSH-2 protocol. SSH-2 is more secure, and is strongly recommended instead of SSH-1. 4.6.7 HP-UX Secure Shell and the HP-UX System HP-UX Secure Shell is actually not a true shell. It is a mechanism for creating a secure connection between a client and a remote host to execute remote shell sessions securely on the host. To achieve the secure connection, HP-UX Secure Shell does most of the authentication and session creation itself. Following is a partial list of features that HP-UX Secure Shell uses: • Logging of login attempts Like telnet or remsh, HP-UX Secure Shell logs successful and unsuccessful sessions in the /var/adm/wtmp and /var/adm/btmp files, respectively. For more information, see utmp(4). • PAM modules As described in Section 4.6.5, HP-UX Secure Shell can use PAM authentication for client sessions. When PAM authentication is selected, HP-UX Secure Shell uses the /etc/pam.conf file and invokes the appropriate PAM module for authentication. See pam.conf(4) for more information about the /etc/pam.conf file. • Use of /etc/default/security file This is a systemwide configuration file that contains attributes defining the behavior of login, passwords, and other security configurations. HP-UX Secure Shell allows use of these attributes with some restrictions, which are explained in the /opt/ssh/ README.hp file for HP-UX Secure Shell. More information on the /etc/default/security file is in security(4). 82 Remote Access Security Administration • Shadow passwords HP-UX Secure Shell is integrated with the HP-UX shadow password feature. For more information, see shadow(4). • Control system log (syslog) HP-UX Secure Shell uses syslog to write important messages. For more information, see syslog(3C) and syslogd(1M). • Audit logging HP-UX Secure Shell has implemented audit logging (in trusted mode) in its own code. For more information, see audit(5). 4.6.8 Associated Technologies HP-UX Secure Shell has been tested with the following technologies: • • • • • • Kerberos 5 and GSS-API OpenSSL IPv6 TCP Wrappers PAM (PAM_UNIX, PAM_Kerberos, PAM_LDAP) HP-UX Strong Random Number Generator 4.6.9 Strong Random Number Generator Requirement As with all cryptographic key-based products, HP-UX Secure Shell requires a random number generator. It looks for the HP-UX Strong Random Number Generator special device files, /dev/urandom and /dev/random, and uses the first special device file it locates. If these two files do not exist on the system, HP-UX Secure Shell uses its own internal random number generator, ssh-rand-helper. The HP-UX Strong Random Number Generator improves the performance and entropy (a measure of the randomness and therefore the security of generated keys) of HP-UX Secure Shell. It generates nonreproducible, true random numbers. The use of the HP-UX Strong Random Number Generator is highly recommended with HP-UX Secure Shell. The HP-UX Strong Random Number Generator is available by default. For more information, see random(7). 4.6.10 TCP Wrappers Support The HP-UX Secure Shell daemon, sshd, is linked with the archive library, libwrap.a, to support TCP Wrappers. See also Section 4.3. 4.6 Securing Remote Sessions Using HP-UX Secure Shell (SSH) 83 4.6.11 chroot Directory Jail chroot is a directory jail. It starts up an application in a specified directory and restricts users to accessing that directory and the directories below it. It prevents users from changing directories above that specified directory. It is intended to restrict file and directory access to users of that application while they are using the application. You must enable chroot for an application. You must create new directories and copy the relevant set of files into those newly created directories. You can optionally set up ssh, scp, and sftp with a chroot directory. The HP-UX Secure Shell README file in /opt/ssh/README.hp explains the chroot feature, the chroot setup script, and the specific files that this script copies to enable ssh, sftp, and scp for a chroot environment. Refer also to chroot(1M). The chroot setup script is in the /opt/ssh/utils/ssh_chroot_setup.sh file, which is part of the HP-UX Secure Shell software product (Secure Shell 4.30.004/005). 84 Remote Access Security Administration Part II Protecting Data HP-UX 11i offers data protection in many forms: protecting data in transit, in use, and at rest. By using security features designed to protect data in its three forms, HP-UX 11i customers can minimize possible breaches not only in terms of data loss, but in customer trust as well. This • • • section describes the following topics: File system security (Chapter 5) Compartments (Chapter 6) Fine-grained privileges (Chapter 7) 85 86 5 File System Security This chapter explains file system security. Before you read this chapter, you should have a basic understanding of files and file systems. Because data is stored in files, it is important to understand how to protect them. This chapter discusses the following topics: • Controlling file access (Section 5.1) • Setting access control lists (Section 5.2) • Using HFS ACLs (Section 5.3) • Using JFS ACLs (Section 5.4) • Comparison of JFS and HFS ACLs (Section 5.5) • ACLs and NFS (Section 5.6) • Security considerations for /dev devices special files (Section 5.7) • Protecting disk partitions and logical volumes (Section 5.8) • Security guidelines for mounting and unmounting file systems (Section 5.9) • Controlling file security on a network (Section 5.10) 5.1 Controlling File Access Working groups, file permissions, file ownership, and compartment rules determine who can access a given file. The simplest of the file access rules are standard UNIX file permissions. You can divide users into groups so that files owned by the group can be shared within the group and can be protected from outsiders. The traditional UNIX file permissions are displayed using the ls command with the -l flag. The permissions indicate what kind of access (that is, the ability to read, write, and execute) is granted to the owner and groups on your system. Traditional UNIX file protections allow some control over who can access your files and directories, but they do not allow you to define access for individual users and groups beyond the owning user and the owning group. The following is a brief review of UNIX file permissions. Each file and each directory has nine permissions associated with it. Files and directories have the following three types of permissions: • r (read) • w (write) • x (execute) These three permissions occur for each of the following three classes of users: • u (user/owner) • g (group) • o (all others; also known as world) 5.1 Controlling File Access 87 The r permission allows users to view or print the file. The w permission allows users to write (modify) the file. The x permission allows users to execute (run) the file or to search directories. Figure 5-1 shows the traditional permissions fields. Figure 5-1 File and Directory Permission Fields permission owner group others rwx rwx rwx r read w write x execute The user/owner of a file or directory is generally the person who created it. If you are the owner of a file, you can change the file permissions with the chmod command. The group specifies the group to which the file belongs. If you are the owner of a file, you can change the group ID of the file with the chgrp command. The meanings of the three types of permissions differ slightly between ordinary files and directories. See Table 5-1 for more information. Table 5-1 Differences Between File and Directory Privileges Permission File Directory r (read) Contents can be viewed or printed. Contents can be read, but not searched. Normally r and x are used together. w (write) Contents can be changed or deleted. Entries can be added or removed. x (execute) File can be used as a program. Directory can be searched. 5.1.1 Setting File Access Permissions The chmod command changes the type of access (read, write, and execute privileges) for the file's owner, group members, or all others. Only the owner of a file or a user with the appropriate privileges can change file access. See chmod(1). 88 File System Security By default, the initial set of read and write permissions for files and directories are determined by the creator's umask value. To change the default file permissions, use the umask command. See umask(1). Each bit that is set in the file mode creation mask causes the corresponding permission bit in the file mode to be cleared (disabled). Conversely, bits that are clear in the mask allow the corresponding file mode bits to be enabled in newly created files. For example, a umask of octal 022 creates a mask of u=rwx, g=rx, o=rx, which disables group and other write permissions. 5.1.2 Setting File Ownership The chown command changes file ownership. To change the owner, you must own the file or have the appropriate privileges. The chgrp command changes file group ownership. To change the group, you must own the file or have the appropriate privileges. For more information, see chown(1) and chgrp(1). 5.1.3 Protecting Directories Normally, if a directory is writable either through standard permissions or through ACLs, anyone can remove the files in the directory, regardless of the permissions on the files themselves. To protect against unwanted file deletions in a directory: • Remove write permissions for directories that should not have them. This is particularly effective for users' private directories. The following command allows others to read and search the mydir directory, but only the owner can delete files from it: # chmod 755 mydir See chmod(1) and chmod(2). • • Set the sticky bit on the directory. The sticky bit is a special bit in the mode of every file. Setting the sticky bit prevents users from removing other users' files from that directory. Setting the sticky bit for a directory allows only the owner of the file, the owner of the directory, or a user with the appropriate privileges to delete or to rename the files. This is effective for temporary or project directories (such as /tmp and /var/tmp) that must be accessible to many authorized users. The following command allows anyone to create, read, and write files in /mfgproj, but only the file owner, the directory owner, or a user with the appropriate privileges can delete files: # chmod a+rwxt /mfgproj Setting the sticky bit is important for directories that are used for temporary files. In the event that a temporary directory is not set to sticky, an attacker may alter the expected behavior of user programs by waiting for a temporary file to be created 5.1 Controlling File Access 89 and then deleting and recreating a new file with modified content, but the same name. In most cases, the application is unaware of the change and may unintentionally perform malicious acts on behalf of the attacker. 5.1.4 Protecting Files Related to User Accounts Follow these guidelines to protect files related to user accounts: • • • • A home directory should not be writable by anyone except for the owner. Otherwise, any user can add and remove files from the directory. The .profile, .kshrc, .login, and .cshrc files for each user should not be writable by anyone other than the account owner. A user's .rhosts file should not be readable or writable by anybody other than the owner. This precaution prevents users from guessing what other accounts you have, and prevents anyone from editing your .rhosts file to gain access to those systems. For more information, see hosts.equiv(4). Do not use a .netrc file, because it bypasses login authentication for remote login and even contains the user's unencrypted password. If used, .netrc must not be readable or writable by anyone other than its owner. For more information, see netrc(4). 5.1.5 Locating and Correcting File Corruption Using fsck The • • • • • • following problems can indicate a corrupt file system: A file contains incorrect data (garbage). A file has been truncated or is missing data. Files disappear or change locations unexpectedly. Error messages appear on a user's terminal, the system console, or in the system log. You are not able to change directories or list files. The system fails to reboot. If you or other users cannot readily identify problems with the file system, use the fsck command to check the file system. The fsck command is the primary tool for finding and correcting file system inconsistencies. The fsck command examines the file system listed in /etc/fstab. The fsck utility is not capable of detecting file corruption. If fsck does not find any errors, the problem is likely not a corrupted file system. That is, the file system is usable, even if the underlying data is lost or corrupted. Look for one or more of these other file problems: • • 90 A user, program, or application deleted, overwrote, moved, or truncated the file or files. The file system associated with a particular directory when the file was created might not be mounted to that directory. File System Security • • A file or files were placed in a directory that now has a file system mounted to it. The files still exist but are not accessible. Unmount the file system to access the files. The file protection or ownership is preventing access. Use the chmod or chown command to change file permissions. 5.2 Setting Access Control Lists Access control lists (ACLs) offer a finer degree of file protection than traditional file access permissions. Use ACLs to allow or restrict file access to individual users unrelated to the group they belong to. Only the owner of a file, or a user with the appropriate privileges can create ACLs. Both the Journaled File System (JFS) and High-Performance File System (HFS) support ACLs but they use different mechanisms and syntax. JFS is the HP-UX implementation of the Veritas journaled file system (VxFS). HFS is the HP-UX version of the UNIX File System (UFS) and is compatible with earlier versions of HP-UX. An access control list (ACL) is a set of user, group, and mode entries associated with a file. The list specifies permissions for all possible user ID and group ID combinations. Access control lists give you a more precise way to control access to files than you have with traditional UNIX file permissions. ACLs enable you to grant or restrict file access in terms of individual users and specific groups, in addition to the traditional control. Both HFS and JFS file systems support ACLs, but they use different mechanisms and use different syntax. NOTE: HFS is now deprecated. It will be removed from the operating system in a future release. HP-UX supports two separate JFS products: the basic JFS product, which is included in the operating system, and the optional advanced product, OnLineJFS, which is installed separately. Both JFS products support ACLs. For more information, see setacl(1), getacl(1), aclv(5), chacl(1), lsacl(1), and acl(5). 5.3 Using HFS ACLs You set HFS ACL permissions with the chacl command and display them with the lsacl command. See Example 5-1. 5.2 Setting Access Control Lists 91 IMPORTANT: You must use chmod with the -A option when working with files that have HFS ACL permissions assigned. Without the -A option, chmod will delete the ACL permissions from the file. The syntax is: # chmod -A mode file The chacl command is a superset of the chmod command. Any specific permissions you assign with the chacl command are added to the more general permissions assigned with the chmod command. When a file has ACLs, the ll command displays a plus sign (+) after the permission string. If a user.group matches more than one HFS ACL entry, the more specific entry takes precedence. See Example 5-2. 92 File System Security Example 5-1 Creating an HFS ACL In this example, the chmod command restricts write permissions for myfile to only the user, allan. The chmod command also deletes any previous HFS ACLs. $ chmod 644 myfile $ ll myfile -rw-r--r-1 allan users 0 Sep 21 16:56 myfile $ lsacl myfile (allan.%,rw-)(%.users,r--)(%.%,r--) myfile The lsacl command displays just the default (no ACL) values, corresponding to the basic owner, group, and other permissions. The chacl command gives read and write access to myfile to another user. $ chacl 'naomi.users=rw' myfile $ ll myfile -rw-r--r--+ 1 allan users 0 Sep 21 16:56 myfile $ lsacl myfile (naomi.users,rw-)(allan.%,rw-)(%.users,r--)(%.%,r--) myfile Notice two things: the ll permissions display has a + appended, indicating that ACLs exist and that the ll permissions string did not change. The additional entry in the lsacl display specifies that user naomi in group users has read and write access to myfile. Example 5-2 Multiple HFS ACL Matches If a user's user.group combination matches more than one ACL entry, the most specific entry takes precedence. In this example, first set the file permissions. $ chmod 644 myfile Use the chacl command on myfile to add a write-only entry for user naomi: $ chacl naomi.%=w myfile $ lsacl myfile (naomi.%,-w-)(allan.%,rw-)(%.users,r--)(%.%,r--) myfile Now, user naomi has write access to file myfile, using the ACL defined for naomi.%, but does not have read access to the file because naomi.% takes precedence over the ACLs defined for %.users and %.%. The lsaclcommand displays the HFS ACLs in decreasing order of specificity. That is, permission matches are attempted from left to right. 5.3.1 HFS ACLs and HP-UX Commands and Calls The following commands and system calls work with ACLs on HFS file systems: 5.3 Using HFS ACLs 93 Table 5-2 HFS ACL Commands Commands Description chacl Changes HFS ACLs of files. getaccess Lists user's access rights to files. lsacl Lists HFS ACLs of files. Table 5-3 HFS ACL System Calls System Call Description getaccess Gets a user's effective access rights to a file. getacl, fgetacl Gets HFS ACL information. setacl, fsetacl Sets HFS ACL information. acltostr Converts HFS ACL structure to string form. chownacl Changes the owner or group represented in an HFS file's ACL. cpacl, fcpacl Copies HFS ACL and mode bits from one file to another. setaclentry, fsetaclentry Adds, modifies, or deletes an HFS file's ACL entry. strtoacl Parses and converts HFS ACL structure to string form. strtoaclpatt Parses and converts HFS ACL pattern strings to arrays. The following commands, system calls, and subroutine libraries affect ACL entries, sometimes in unexpected ways. Table 5-4 Commands and Calls Affecting ACL Entries 94 Command or Call Description chmod Deletes HFS ACLs by default. Use the -A option to retain HFS ACLs. chmod Deletes HFS ACL entries. Use getacl and setacl to save and restore the HFS ACL entries. cpset Does not set a file's optional ACL entries. find Identifies files whose ACL entries match or include specific ACL patterns on HFS or JFS file systems. ls -l The long form indicates the existence of ACLs by displaying a plus sign (+) after the file's permission bits. File System Security Table 5-4 Commands and Calls Affecting ACL Entries (continued) Command or Call Description mailx Does not support optional ACL entries on /var/ mail/* files. compact, compress, cp, ed, pack, unpack Copies ACL entries to the new files they create. frecover, fbackup Use only these commands to selectively recover and back up files. Use the -A option when backing up from an ACL system for recovery on a system that does not support ACLs. ar, cpio, ftio, shar, tar, dump, restore These commands do not retain ACLs when archiving and restoring. They use the st_mode value returned by stat. rcs, sccs These commands do not support ACLs. HFS access control lists use additional “continuation inodes” when creating new file systems. Consider them when using the following commands: • • • fsck: Returns the number of files with ACL entries as a value for icont. Use the -p option to clear unreferenced continuation inodes. See fsck(1M). diskusg, ncheck: Ignores continuation inodes. See diskusg(1M) and ncheck(1M). mkfs: Allows for continuation inodes on new disks. See mkfs(1M). 5.4 Using JFS ACLs This section describes JFS ACLs and how to use them. NOTE: To use JFS ACLs, you must have a VxFS file system using disk layout Version 4. See vxupgrade(1M) for information about upgrading the file system to Version 4. 5.4.1 Definition of a JFS ACL A JFS ACL contains one-line entries naming specific users and groups and indicating what access is granted to each. The presence of a JFS ACL also changes the meaning of the group permission bits, which are displayed using the ls -l command. A JFS ACL always has at least four entries: a user entry, a group entry, a class entry, and an other entry. When a JFS ACL contains only these four entries, the permissions it grants are exactly the same as the permissions represented by the standard UNIX system permission bits. 5.4.2 How the System Generates a JFS ACL Whenever a file is created on a JFS file system, the system initializes a minimal JFS ACL for the file, containing a user entry for the owner permissions, a group entry for the owning group permissions, a class entry for the owning group permissions, and an 5.4 Using JFS ACLs 95 other entry for the other group permissions. Additional entries can be added by the user, or as a result of default entries specified on the parent directory. 5.4.3 Minimal JFS ACL An ACL with the four basic entries defined previously is called a minimal JFS ACL. An example minimal ACL looks like this: user::rwgroup::r-class:r-other:--- • • • The user entry indicates the permissions of the owner of the file and maps directly to the owner permission bits. Because the first entry applies to the owner of the file, no user name needs to be indicated. This example ACL entry grants read and write access to the file's owner. The group and class entries specify the permission granted to members of the file's owning group. The example ACL entry grants read-only access to the file's owning group. The group and class entries are described more in Section 5.4.5. The other entry is a catch-all entry that specifies permissions for anyone who is not granted or denied permission by any other entry. The example other entry denies access to all users who are not the owner of the file nor in the file's owning group. The permission bits displayed by ls -l for this file would look like this: rw-r----- The next section describes how additional JFS ACL entries affect file access and the interpretation of the permission bits. 5.4.4 Additional JFS ACL user and group Entries If you want to grant or deny access to specific users and groups on the system, you can add up to 13 more user and group entries to the four minimal entries described in the previous section. For example, the following entry in the ACL of a file grants read, write, and execute access to a user logged in as boss: user:boss:rwx In the next example, an ACL with the following entry denies access to a user in the group spies: group:spies:--- 5.4.5 JFS ACL group and class Entries In a file with a minimal ACL, the owning group and class ACL entries are identical. However, in a file with additional entries, the owning group and class ACL entries 96 File System Security are distinct. The owning group entry grants permissions to a specific group: the owning group. The class entry is more general; it specifies the maximum permissions that can be granted by any of the additional user and group entries. If a particular permission is not granted in the class entry, it cannot be granted by any ACL entries except for the first user (owner) entry and the other entry. Any permission can be denied to a particular user or group. The class entry functions as an upper bound for file permissions. When an ACL contains more than one group or user entry, the additional user and group entries are referred to as the group class entries, because the effective permission granted by any of these additional entries is limited by the class entry. 5.4.6 Using the setacl and getacl Commands Use the setacl and getacl commands to change and view ACLs. Use the setacl command to change the ACL in one of the following ways: • Replace a file's entire ACL, including the default ACL on a directory. • Add, modify, or delete one or more entries, including default entries on directories. The getacl command displays the entries in the ACL. File permission bits for user and group are translated into special cases of these entries: • The bits representing owner permissions are represented by a user entry without a specified user ID. • The bits representing group permissions are represented by a group entry without a specified group ID. An ACL must contain one each of these special user and group entries. The ACL can have any number of additional user entries and group entries, but these must all contain a user ID or group ID, respectively. An ACL has only one other entry, representing the permission bits for permissions to be granted to other users. See setacl(1) and getacl(1) for command descriptions. 5.4.7 Effect of chmod on class Entries When a file has a minimal ACL, the owning group and class ACL entries are identical, and chmod affects both of them. However, when a file contains additional, optional entries in the ACL, the following consequences occur: • The class ACL entry no longer necessarily equals the owning group ACL entry. • The chmod command affects the class ACL entry, not the owning group entry. • You must use the setacl command to change the owning group entry. 5.4 Using JFS ACLs 97 5.4.8 Example of Changing a Minimal JFS ACL To illustrate the function of the JFS ACL class entry, this section describes how chmod and setacl affect a file with a minimal JFS ACL and a file with group class entries. NOTE: Further details about the use of the getacl and setacl commands are in Section 5.4.10. Refer also to getacl(1) and setacl(1). Consider a file, exfile, with read-only (444) permissions and a minimal JFS ACL. The ls -l command shows the permissions for exfile: $ ls -l exfile -r--r--r-- 1 jsmith users 12 Sep 20 15:02 exfile The getacl command lists the following output for exfile, which is a minimal JFS ACL: $ getacl exfile # file: exfile # owner: jsmith # group: users user::r-group::r-class:r-other:r-- Using the chmod command to add write permissions to exfile changes both the owning group and the class ACL entries. For example, look at the getacl command output: $ chmod 666 exfile $ getacl exfile # file: exfile # owner: jsmith # group: users user::rwgroup::rwclass:rwother:rw- Now add additional user and group entries, that will affect the class ACL entry but not the owning group entry. The first setacl command that follows grants read-only permission to user guest; the other ACL entries are unaffected. However, the second setacl command grants read-execute permissions to the group dev, and the upper bound on permissions (the class entry) is extended to include execute permission. $ setacl -m u:guest:r-- exfile $ setacl -m g:dev:r-x exfile $ getacl exfile# file: exfile # owner: jsmith # group: users user::rwuser:guest:r-group::rw98 File System Security group:dev:r-x class:rwx other:rw- Next, the chmod command removes write and execute permission from group, and actually reduces the class permissions to read-only. The owning group permissions, while unchanged, are effectively reduced to read-only as well. $ chmod g-wx exfile $ getacl exfile # file: exfile # owner: jsmith # group: users user::rwuser:guest:r-group::rw# effective:r-group:dev:r-x # effective:r-class:r-other:rw- The other permissions are unchanged. The class entry does not limit the access that can be granted by the first user (owner) entry or the other entry. Next the ls -l command lists the permissions of exfile. The plus sign (+) at the end of the permissions string indicates that there is an ACL for the file. $ ls -l exfile -rw-r--rw-+ 1 jsmith users 12 Sep 20 15:02 exfile 5.4.9 Default JFS ACLs You might want all the files created in a directory to have certain ACL entries. For example, you can allow another person to write to any file in a directory of yours when the two of you are working on something together. You can put an ACL entry granting the desired access on every file in the directory, but every time you create a new file, you have to add that entry again. Using default ACL entries, you can get the system to do this for you automatically every time you create a file. A default ACL entry appears as follows: default:user:boss:rw- Default ACLs can only be placed only on a directory and have no influence on what access to the directory is granted to a user. The default ACL is applied to files created in the directory. When the newly created file is a directory, the default ACL entries have two effects: • The corresponding nondefault ACL entries are created, so that the desired permissions are granted and denied for the directory, just as for any file created in the directory. • The default entries themselves are copied, so that the new subdirectory has the same default ACL as the parent directory. 5.4 Using JFS ACLs 99 For example, if you want any files created in the directory projectdir to be readable by certain users, you can create the appropriate default entries, as follows: $ setacl -m d:u:boss:r,d:u:jjones:r,d:u:dev:r projectdir $ getacl projectdir # file: projectdir # owner: jsmith # group: users user::rwuser:boss:rwuser:jjones:rwuser:jdoe:--group::rwgroup:dev:rwclass:rwother:--default:user:boss:r--default:user:jjones:r-default:group:dev:r-- If the newly created file is a directory, the same ACL entries are generated. In addition, the default entries themselves are also placed in the ACL. With these entries in place, any new file created in the directory projectdir will have an ACL like that shown previously without the default entries. 5.4.10 Changing JFS ACL with the setacl Command This section presents more examples of using the setacl command. 5.4.10.1 Using the Modify and Delete Options The following setacl command uses the -m (modify) option to give read-only access to the user boss for the junk file: $ setacl -m u:boss:r-- junk To grant read and write access to everyone in the group dev, use the group (g:) parameter with the setacl -m command: $ setacl -m g:dev:rw- junk The -d option deletes an entry. With -d, do not specify any permissions in the ACL entry. For example, the following command deletes the entry for the group dev: $ setacl -d g:dev junk 5.4.10.2 Using the -f Option If you are adding or changing several entries, you can use a different procedure. You can save the ACL to a file, edit the file, and then apply this new ACL to the file. For example, save the ACL to a file with this command: $ getacl junk > junk.acl 100 File System Security Edit the file so that it appears as follows: $ cat junk.acl # file: junk # owner: user1 # group: group1 user::rwuser:user2:rwuser:user3:rwuser:user4:--user:user5:r-group::rwgroup:group2:rwgroup:group3:r-group:group4:--group:group5:rwclass:rwother:r-- Apply the ACL to the file using the setacl -f command: $ setacl -f junk.acl junk 5.4.10.3 Effective Permissions and setacl -n Normally, setacl recalculates the class entry to ensure that permissions granted in the additional ACL entries are granted. If you specify the -n option, the class entry is not recalculated; the existing value is used. This means that some permissions granted by the ACL entries will not be granted in practice. For example, this ACL is modified with the setacl -n command to add read and execute permissions to group dev as follows: $ getacl exfile # file: exfile # owner: jsmith # group: users user::rwgroup::rwclass:rwother:rw$ setacl -n -m group:dev:r-x exfile $ getacl exfile # file: exfile # owner: jsmith # group: users user::rwgroup::rwgroup:dev:r-x #effective r-class:rwother:rw- The group dev ACL entry is added as specified, but execute permission is not actually granted. Execute permission is denied by the class entry, and the class entry was 5.4 Using JFS ACLs 101 not recalculated because -n was specified. If -n was not used, class would have been reset to class:rwx, and the effective comment would not be there. 5.5 Comparison of JFS and HFS ACLs JFS ACLs adhere to the POSIX ACL standard. JFS ACLs differ from HFS ACLs in both format (internal and external) and functionality. Functional differences between JFS and HFS ACLs include the following: • A JFS directory's ACL can have default entries, which are applied to files subsequently created in that directory. HFS ACLs do not have this capability. • An HFS ACL has an owner that can be different from the owner of the file the ACL controls. JFS ACLs are owned by the owner of the corresponding file. • An HFS ACL can have different entries for a particular user in specific groups. For example, userx might have read and write access as a member of group users, but have only read access as a member of group other. 5.5.1 JFS and HFS Command and Function Mapping Table 5-5 lists the manpages for the equivalent commands and functions for JFS ACLs and HFS ACLs. Table 5-5 HFS and JFS ACL Equivalents HFS Name JFS Equivalent chacl(1) setacl(1) lsacl(1) getacl(1) getacl(2) acl(2) fgetacl(2) —none— setacl(2) acl(2) fsetacl(2) —none— acltostr(3C) —none— chownacl(3C) —none— cpacl(3C) —none— setaclentry(3C) —none— strtoacl(3C) —none— —none— aclsort(3C) acl(5) aclv(5) 102 File System Security 5.6 ACLs and NFS The Network File System (NFS) has no facility to pass ACL information about remote files. Therefore, ACLs are not visible on remote files by NFS. The ls -l command will not show that ACLs exist on a remote file, but the ACL control over access permissions remains effective. Individual manpage entries specify the behavior of the various system calls, library calls, and commands under these circumstances. IMPORTANT: Use caution when transferring a file with optional entries over a network, or when manipulating a remote file, because NFS can delete optional entries with no notification. 5.7 Security Considerations for /dev Device Special Files Access to all devices in the system is controlled by device special files, which enable programs to be device independent. These files are shipped with permission settings that enable proper use and maximum security. If you install any other device special files, see insf(1M) for information about correct permission settings. Because device special files can be as vulnerable to tampering as any other file, observe the following precautions: • • Keep all device special files in the /dev directory. Protect the memory files, /dev/mem and /dev/kmem, from casual access, because these files contain sensitive user information. For example, a program that watches memory for an invocation of the login program might copy the password from the login program buffers when a user types it in. The file protections should be set to: crw-r----crw-r----- • 1 bin 1 bin sys sys 3 0x000001 Jun 3 0x000000 Jun 9 9 2006 /dev/kmem 2006 /dev/mem Protect all disk special files: — Write protect all disk special files from general users to prevent inadvertent data corruption. Turn off write access for group and other. — Read protect disk special files to prevent disclosure. Turn off read access for other. The file protections should be set to: brw-r----crw-r----brw-r----crw-r----- • 1 1 1 1 bin bin root root sys sys sys sys 31 188 64 64 0x002000 0x002000 0x000002 0x000002 Feb 18 Aug 3 Jun 11 Jun 11 2004 2004 2006 2006 /dev/dsk/c0t2d0 /dev/rdsk/c0t2d0 /dev/vg00/lvol2 /dev/vg00/rlvol2 Terminal ports on HP-UX systems are writable by anyone if you allow users to communicate by using the write or talk programs. Permit only the owner to have read permission. 5.6 ACLs and NFS 103 • • Do not permit individual users to own a device special file other than for a terminal device or personal printer. Before putting a disk or other mountable device of unknown origin into service, check its files for device special files and setuid programs. See Section 5.9. 5.8 Protecting Disk Partitions and Logical Volumes A Logical Volume Manager (LVM) is a common disk management tool. LVM divides up the disk more easily than disk partitions, and the volumes can span multiple disks. Volumes are logical devices that appear as a physical disk partition. You can use a volume as a virtual disk partition for such applications as creating a file system or a database. Following are some security considerations regarding disk partitions and logical volumes: • • Ensure that the device special files for disk partitions and logical volumes are readable only by root and perhaps by an account used for disk backups. See Section 5.7. Because ownership and permissions are stored in the inode, anyone with write permission to a mounted partition can set the user ID for any file in that partition. The file is subject to change regardless of the owner, bypassing the chmod system call and other security checks. If the device special file is writable, a user can open that file and access the raw disk. The user can then directly edit the file system, read files, or change file permissions and owners. Make sure the file permissions forbid access to the device special file and allow only root to read. • If a program, such as a database application, requires direct access to the partition, reserve that partition exclusively for the program. Do not mount a partition as a file system if users can access the partition directly. If you do mount a partition as a file system, users could edit the underlying file system. Inform program users that the file's security is enforced by its permission settings rather than by the HP-UX file system. 5.9 Security Guidelines for Mounting and Unmounting File Systems The mount command enables you to attach removable file systems and disk or disk partitions to an existing file tree. The mount command uses a file called /etc/fstab, which contains a list of available file systems and their corresponding mount points. Make the /etc/fstab file writable only by root, but readable by others. For more information on mounting file systems, see fstab(4). 104 File System Security Observe the following precautions when mounting a file system or disk: • Create a mount point directory (such as /mnt) on which to mount a new file system. Never mount a file system on a directory that already contains files, because those files will become inaccessible. The mount point of a mounted file system acquires the permissions and ownership of the file system's root directory. • • • Set permissions and access control list entries on disk path names to control access to disks. Use the -r option of the mount command to mount the file system as read-only. You must mount physically write-protected file systems this way. When mounting a new or foreign file system, assume that the medium is insecure. — Make sure that the PATH environment variable does not include “.” (the current directory); otherwise, you might run a Trojan horse version of ls or some similar command while examining the new file system. — Run the fsck command to verify that the file system is not technically corrupted. See fsck(1M). — Run the ncheck_hfs -s or ncheck_vxfs -s command to scan for setuid and setgid programs and device files, and investigate any suspicious findings. The -s option is intended to discover concealed violations of security policy. For more information, see ncheck_hfs(1M) and ncheck_vxfs(1M). — Create a directory restricted to root by setting its permissions at 700 (drwx------). # mkdir /securefile # chmod 700 /securefile — Mount the foreign file system read-only at that location: # mount -r /dev/disk1 /securefile — Check all directories for privileged programs, and verify the identity of every program. — Remount the system read and write permissions and remove any unnecessary setuid and setgid permissions from files that you discovered in the previous step. These precautions are especially important if a user requests that you mount a personal file system. Only after performing these tests should you unmount the file system and remount it in its desired location. • Be sure to unmount all mounted file systems of a user whose account you are disabling or removing. For information on files mounted in an NFS environment, see Section 5.10.2. 5.9 Security Guidelines for Mounting and Unmounting File Systems 105 5.10 Controlling File Security on a Network From the perspective of security, networked systems are more vulnerable than standalone systems. Networking increases system accessibility, but also adds greater risk of security violations. Although you cannot completely control security over the network, you can control the security of each node on the network to limit penetration risk without reducing the usefulness of the system or user productivity. Ensure that all network administration programs are owned by a protected, network-specific account, such as uucp, nso, or daemon, rather than by root. 5.10.1 Check Permission Settings on Network Control Files Modes, owners, and groups on all system files are set carefully. Check these files regularly for any changes. Note and correct any changes from the original values. Pay particular attention to the network control files in the /etc directory. These files are of notable interest to those attempting to gain unauthorized access, because they provide access to the network itself. Network control files should never be writable by the public. These files include: exports List of file systems being exported to NFS clients hosts Network hosts and their addresses hosts.equiv Remote hosts allowed access equivalent to the local host inetd.conf Internet configuration file netgroup List of networkwide groups networks Network names and their addresses protocols Protocol name database services Services name database 5.10.2 Files Mounted in an NFS Environment A Network File System (NFS) provides the following conveniences: • • • Saves file space. Maintains consistent file usage. Provides a lean cooperative user environment. NFS streamlines filesharing between server and client systems by controlling access via the /etc/exports file. Entries in /etc/exports provide permission to mount a file system existing on the server onto any client machine or specified list of machines. When a file system is put into /etc/exports, the information is available to anyone who can do an NFS mount. Thus, the NFS client user can access a server file system without having logged in to the server system. See exports(4) for information on controlling access to exported file systems and see Section 5.10.2.3 for security guidelines. 106 File System Security 5.10.2.1 Server Vulnerability Maintain server security by setting restrictive permissions on the /etc/exports file. Root privileges are not maintained across NFS. Thus, having root privileges on a client system does not provide you with special access to the server. The server performs the same permission checking remotely for the client as it does locally for its own users. The server side controls access by the client to server files by comparing the user ID and group ID of the client, which it receives via the network, with the user ID and group ID of the server file. Checking occurs within the kernel. A user with privileges on an NFS client can exploit that privilege to obtain unlimited access to an NFS server. NOTE: Never export any file system to a node on which privilege is granted more leniently than in your own node's policy. 5.10.2.2 Client Vulnerability In earlier releases of NFS for workstations, the /dev inode had to reside on the client's disk. NFS now allows the /dev inode containing the major and minor numbers of a client-mounted device special file to exist on the server side. This opens the possibility for someone to create a Trojan horse that overrides permissions set on the client's mounted device special file, by accessing the device special file through the file and inode number found on the server side. Although lacking permission to make a device special file on the client side, a system violator can create a device special file, such as /dev/kmem, using root permissions on the server side. The new /dev file is created with the same major and minor number as that of the target device on client side, but with the following permissions: crw-rw-rw- The violator can then go to the client, log in as an ordinary user, and, using NFS, open up the newly created server-side device special file and use it for devious means. 5.10.2.3 How to Safeguard NFS-Mounted Files Following are suggestions to safeguard NFS-mounted files: • • • • • • If possible, make sure that the same person administers both client and server systems. Maintain uniformity of user ID and group ID for server and client systems. Routinely check the /dev files in the file systems exported from server. Restrict who can have write access to the /etc/passwd client files. For strictest control, audit every host that is accessible through the network. Consider using the fstab nosuid command to protect the system against setuid programs that can run as root and damage the system. The default mount option is suid, which allows mounted programs with setuid permission to run with the permissions of their owners, regardless of who starts them. Therefore, if a program 5.10 Controlling File Security on a Network 107 with setuid permission is owned by root, it will run with root permissions, regardless of who starts it. 108 File System Security 6 Compartments This chapter describes the compartments feature of HP-UX 11i v3. This chapter addresses the following topics: • Overview (Section 6.1) • Planning the compartment structure (Section 6.2) • Compartment components (Section 6.3) • Compartment rules and syntax (Section 6.4) • Configuring a compartment (Section 6.5) • Troubleshooting compartments (Section 6.6) • Using discover mode to generate initial compartment configuration (Section 6.7) • Compartments in HP Servicegard Clusters (Section 6.8) 6.1 Overview Compartments are a method of isolating components of a system from one another. When configured properly, they can be an effective method to safeguard the HP-UX system and the data that resides on it. Compartments allow you to isolate processes, or subjects, from each other and also from resources, or objects. Conceptually, each process belongs to a compartment, and resources are handled in one of two ways: 1. The resource is labeled with the compartment of the creating process. This is how transient resources, such as communication endpoints and shared memory, are assigned a compartment. 2. Resources can be associated with an access list that specifies how processes in different compartments can access them, for persistent resources such as files and directories. That is, processes can access resources or communicate with processes belonging to a different compartment only if a rule exists between those compartments. Processes that belong to the same compartment can communicate with each other and access resources in that compartment without a rule. Compartments separate subjects from objects. This enables a virtual grouping of related subjects and objects. You can configure the system so that, if a service running in a compartment is compromised, it does not affect services running in other compartments. This restricts any damage to the affected compartment only. 6.1.1 Compartment Architecture Compartments isolate a process and its child processes within a system. Figure 6-1 shows a parent process that spawns a number of handler processes that need to access various 6.1 Overview 109 parts of the system. The compartments on the system are configured so that the processes can access the resources they need. Figure 6-1 Compartment Architecture Compartment server_parent process process relationship server_children files and/or directories lan cmpt 1 file access network parent IPC signals recorder All handler / handler handler /var/opt/server logs read e rit , w te d ri rea ,w d a re Network spool In Figure 6-1, the parent process is configured in a compartment, compartment A. As part of its functioning, the parent process spawns a number of handler processes in a different compartment, compartment B. The handler processes inherit the compartment configuration of the parent process. The network card that connects this system to the LAN is configured in another compartment, compartment C. The file system is configured to allow full access to compartment A, but only allow partial access to compartment B. Communication between the system components in their separate compartments is configured as follows: • • • 110 All handler processes are configured to communicate with the network. The recorder can access the file system. The handler processes have read, and read/write access to parts of the file system. Compartments • • The handler processes can communicate with the parent process, and with the recorder using IPC and signals. The network is isolated from the recorder and the parent process. This compartment configuration provides security for the file system and the recorder. Both are isolated by their compartments. Though the handler processes can communicate with the network, the network cannot be accessed by the recorder or the parent process. 6.1.2 Default Compartment Configuration When you enable compartments, a default compartment named INIT is created. When you boot up the system, the init process belongs to this compartment. The INIT compartment is defined to have access to all other compartments and is not defined in a compartment rules file. IMPORTANT: If you redefine the INIT compartment by creating explicit rules in a rules file, all special characteristics of the compartment are lost and cannot be restored without rebooting the system. 6.2 Planning the Compartment Structure Plan the compartment structure before you begin creating compartment rules. To plan the compartment structure, answer the following questions: • • • • Do you want to isolate different groups of users accessing this system? For example, is this system used by both the accounting department and the human resources department, and must these groups of users be kept separate? Do you want to isolate one network interface on this system, which communicates outside the firewall, from the rest of the system, which communicates only inside the firewall? Does the security policy include requirements or problems that can be solved by using compartments? Does the security policy specify or suggest a specific compartment rules configuration? When you have answered these questions, use the answers to determine how to assign parts of the system to specific compartments. Consider the following recommendations when planning the compartment configuration: • Put all compartment configuration files in the /etc/cmpt directory. You can use the #include directive to create compartment configuration files anywhere on the system. However, HP recommends that you avoid using this option. Instead, keep the compartment configuration files together and easy to locate. • Develop a separate compartment configuration for each component of the system. Unless there is a defined, specific software dependency between two components, do not mix rules for different components. One component compartment does not 6.2 Planning the Compartment Structure 111 contain rules referring to compartments for another component. If you must remove a component, you can modify the compartment configuration more easily if the compartment configurations are kept separate. • Create a single compartment configuration file for each software component. This enables you to remove the compartment configuration easily if you remove the software from the system. You can also find all rules pertaining to the software component easily. • Some software products are shipped with compartment rules already configured. Avoid modifying these rules. Before you make modifications to shipped compartment configurations, be sure you understand the existing configuration. Read the documentation for the software product and examine the existing configuration carefully. CAUTION: Do not redefine the existing INIT compartment. If you attempt to change or redefine the INIT compartment, all automatically generated definitions will be destroyed and compartments will not function properly. 6.3 Compartment Components The compartments feature comprises a set of configuration files and commands you use to configure and administer compartments. Manpages are included to assist you in using the compartments features. These components are listed in the following sections: 6.3.1 Compartment Configuration Files Table 6-1 briefly describes the files you use with compartment components. Table 6-1 Compartment Configuration Files Configuration File Description /etc/cmpt The directory in which compartment rules files reside. /etc/cmpt/*.rules The file containing the compartment rules configured for the system. /etc/cmpt/cmpt.conf Compartment configuration file used to enable or disable the compartment login feature. /etc/cmpt/hardlinks/ hardlinks.config The file containing valid mount points to be scanned to check the consistency of compartment rules for files with multiple hardlinks pointing to them. 6.3.2 Compartment Commands Table 6-2 contains the commands you use to manage compartments. 112 Compartments Table 6-2 Compartment Commands Command Description cmpt_tune Queries, enables, and disables the compartments feature. setfilexsec Sets security attributes of binary files, including the compartment attribute. getfilexsec Displays security attributes associated with binary executable files, including the compartment attribute. getprocxsec Displays security attributes of processes, including the compartment attribute. getrules Displays the compartment rules currently active in the kernel. setrules Activates new or modified rules in the kernel. With the -p option, displays the modified rules for review without passing them to the kernel. vhardlinks Checks the consistency of compartment rules for files that have multiple hard links, to ensure that conflicting rules for access do not exist. 6.3.3 Compartment Manpages Table 6-3 contains the manpages associated with compartments. Table 6-3 Compartment Manpages Manpage Description compartments(4) Describes the HP-UX compartment files and rule syntax. compartments(5) Provides an overview of compartment functionality and describes the use of compartment rules. cmpt_allow_local(5) A kernel tunable that defines the default rule for inter-compartment local-to-local communications. This kernel tunable is available only if the HP-UX ContainmentPlus (version B.11.31.01 and later) product is installed on the system. cmpt_restrict_tl(5) Defines the restrictions for the inter-compartment communications through Streams Local Transport Drivers. These restrictions are available only if the HP-UX ContainmentPlus (version B.11.31.02 and later) product is installed on the system. cmpt_tune(1M) Describes cmpt_tune functionality and syntax. setfilexsec(1M) Describes setfilexsec functionality and syntax. getfilexsec(1M) Describes getfilexsec functionality and syntax. getprocxsec(1M) Describes getprocxsec functionality and syntax. 6.3 Compartment Components 113 Table 6-3 Compartment Manpages (continued) Manpage Description getrules(1M) Describes getrules functionality and syntax. setrules(1M) Describes setrules functionality and syntax. vhardlinks(1M) Describes vhardlinks functionality and syntax. compartment_login(5) Describes the compartment login feature. pam_hpsec(5) Extended authentication, account, password, and session service module for HP-UX. 6.4 Compartment Rules and Syntax A compartment consists of a name and a set of rules. This section describes the four types of compartment rules: • • • • File system rules IPC rules Network rules Miscellaneous rules Add rules to a rules file you create in the /etc/cmpt directory. You can edit this file using vi or a similar text editor. The rules file must have a .rules extension. See compartments(5) for additional information. 6.4.1 Compartment Definition Define compartments by configuring a name for each compartment, and associating one or more compartment rules with the compartment name. You can specify rules in any order. The syntax for a compartment definition is as follows: [sealed] [discover] compartment new_compartment_name { rules } If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system, compartment definitions use the following format: [sealed] [discover] [system] [blocked] compartment new_compartment_name { rules } where: sealed discover 114 Compartments (Optional) A process in this compartment cannot gain privileges or change compartments by calling execve. (Optional) Discover and automatically add rules so that compartment violations are overridden. This is a development feature to determine the rules necessary, and should not be used on a production system. See Section 6.7 for more information on this keyword. system (Optional) Indicates that this compartment shares the ownership of network interfaces with default compartments, such as the init compartment, and other compartments that are marked as system compartments. The ownership of network interfaces are typically specified by network interface rules. When a compartment is marked as a system compartment, all of the network interfaces that are configured to belong to this compartment are also considered as belonging to the init compartment and all other compartments that are marked as system compartments. The init compartment will be in favor of using these network interfaces for network communications, over using the other network interfaces. When a compartment is marked as system compartment, it also shares the connectivities through loopback interfaces with the init compartment. The system keyword is valid only if the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system. blocked (Optional) Indicates that no processes can be launched in this compartment from other compartments, either through calling the cmpt_change() routine or through executing a binary file that is configured with a compartment name as one of its extended security attributes (see setfilexsec(1M)). The blocked keyword is valid only if the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system. compartment Designates that the rule is a compartment definition. new_compartment_name The label associated with the new compartment. This label is case sensitive. For example, compartmenta and CompartmentA are different compartments. {} Enclose the rules for this compartment. In the following example, the server_children compartment is denied all access to any file system objects: sealed compartment server_children { /permission none / } 6.4 Compartment Rules and Syntax 115 In the following example, the ifaces compartment shares the ownership of lan0 and lan1 with the init compartment. The init compartment will be in favor of using lan0 and lan1 for network communications, over using the network interfaces that are owned by other compartments. system compartment ifaces { interface lan0 interface lan1 } NOTE: The INIT compartment name is not case sensitive. INIT, init, and Init are all treated as the same compartment by the system. Compartment specifications are preprocessed with cpp() before parsing begins. This is why you use cpp() directives such as #include, #define, #ifdef, and C-style comments to organize and document rules files. 6.4.2 File System Rules File system rules govern access by processes to files and directories on the system. File system rules are inherited from a parent directory to all subdirectories and files within the parent, unless an explicit rule overrides inheritance. By default, if no permissions are specified, all permissions are granted for a file system object. When multiple file system rules are defined for the same pathname, the rules will be aggregated. That is, the union of the permissions is taken. The syntax for file system rules is as follows: (permission|perm) permission_list file_object where: permission or perm permission_list 116 Compartments Sets permissions for a file or directory. The types of permission you can apply to a file or directory are: • none: Denies all permissions to a file or directory. • read: Controls the read access to the object. If the object is a file, reading and executing the file is controlled. If the object is a directory, searching and listing the directory is controlled. Additionally, due to inheritance, reading of all files under the directory is controlled. Files must have read access in order to be opened for execution. • nread: Controls search and read access to the file_object. The rule has an effect only if file_object is a directory. It allows processes in the compartment not only to lookup in the directory (see the nsearch parameter), but also to list contents of the directory. Similar to the nsearch parameter, this access control is not inherited. Therefore, even if a directory is searchable and readable, any directory or file underneath it is not searchable or readable unless it is explicitly allowed. The nread keyword is valid only if the HP-UX ContainmentPlus product is installed on the system. • • • • file_object write: Controls the write access to the object. If the object is a file, writing to the file is controlled. If the object is a directory, due to inheritance, writing for all files under the directory is controlled. create: Controls the ability to create objects. This applies to directory objects only. This is inherited by all directories under the specified directory. unlink: Controls the ability to delete objects. This applies to directory objects only. This is inherited by all directories under the specified directory. nsearch: Controls the ability to search for an element if the file_object is a directory. This attribute is not inherited by subdirectories. The full path name of the file or directory. For example: /* deny all permissions except read to entire system */ perm read / /* except for this directory */ perm read,write,create,unlink /var/opt/server /* just read and write log files, not create them */ perm read,write /var/opt/server/logs NOTE: To grant any permission on a file system object, the compartment must have a minimum of read permission on every directory above that object. For example, to grant read and write permissions on /var/opt/tmp/file1, you must grant read permissions on /var/opt/tmp, /var/opt, /var, and /. 6.4.3 IPC Rules Interprocess communication (IPC) rules govern how processes use interprocess communication methods between compartments. IPC communication methods include direct process-to-process communication or shared access to an IPC object. When an 6.4 Compartment Rules and Syntax 117 object is associated with a process, the object exists in the same compartment as the process that created it. You define compartment rules to describe the relationship between the process accessing the object and the object being accessed. When the rule describes two processes communicating with each other, you treat the second process as an object. The default behavior for IPC objects is that all operations between different compartments are prohibited unless explicitly allowed by a rule. There are two types of IPC rules. The syntax for the first rule type is as follows: (grant|access) (pty|fifo|uxsock|ipc) compartment_name (grant|access) [pty][, fifo][, uxsock][, ipc] compartment_name If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system, a new keyword tl is also supported and the first form of IPC rules uses the following format: (grant|access) (pty|fifo|uxsock|ipc|tl) compartment_name (grant|access) [pty][, fifo][, uxsock][, ipc] [, tl] compartment_name where: Access Method Specifies whether the rule is object-centric or subject-centric. The options are: • grant: Specifies an object-centric rule. This rule allows processes in the compartment compartment_name to access the specified IPC mechanism in the current compartment. • access: Specifies a subject-centric rule. This rule allows processes in the current compartment to access the specified IPC mechanism in the compartment compartment_name. Specifies the method of communication this rule applies to. The options are: • • • • • pty: Specifies that the rule applies to pty used in interprocess communication. fifo: Specifies that the rule applies to FIFOs. uxsock: Specifies that the rule applies to UNIX domain sockets. ipc: Specifies that the rule applies to SYSV and POSIX IPC objects, such as shared memory, semaphores, and message queues. tl: Applies to Streams Local Transport Drivers that are used to communicate between processes. The tl keyword is valid only if the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system. See compartments(4). The tl keyword only has 118 Compartments effect when the cmpt_restrict_tl tunable is set to 1. See t_open(3), t_connect(3), and cmpt_restrict_tl(5). compartment_name The name of the other compartment where processes in this compartment can communicate with. When multiple IPC rules are defined for the same compartment, the rules will be aggregated. That is, the union of the IPC mechanisms is taken. For example: /* allow the children to access UNIX domain */ /* sockets created by the parent compartment */ grant uxsock server_children The second type of IPC rule governs process access. The syntax for this type of rule is as follows: (send|receive) signal compartment_name where: Direction Specifies whether processes in the current compartment have access to view and alter process behavior from another specified compartment. The options are: • send: Specifies a subject-centric rule. Allows processes in the current compartment to send signals and view process data in the compartment compartment_name. • receive: Specifies an object-centric rule. Allows processes in the compartment compartment_name to send signals and view process data in the current compartment. signal Specifies that this rule applies to signals and process visibility. compartment_name The name of the other compartment where processes in the current compartment can have access to view process information or to be viewed from. For example: /* allow the parent to send signals to children */ send signal server_children 6.4.4 Network Rules Network rules control access between a process and a network interface, as well as between two processes using loopback communications. They do not control the communications through Streams Local Transport Drivers (see cmpt_restrict_tl(5) and the tl keyword). These rules control the direction of network traffic (incoming, outgoing, or both) between the subject compartment and the target compartment specified in the rule. For loopback 6.4 Compartment Rules and Syntax 119 communications, the subject and target compartments should be of the processes that are communicating and not that of the interface being used for communication. Each rule is specified by protocol (TCP, UDP, or any raw protocol number) and the target compartment, and can optionally filter based on local or peer port numbers (TCP and UDP only). If an explicit rule does not match a communication attempt, the default is to deny communication. If the HP-UX ContainmentPlus product is installed on the system, the default rule for access between two processes through loopback communications (excluding those through loopback interfaces) is also configurable through the cmpt_allow_local tunable. See ifconfig(1M) for more information about loopback interfaces. See cmpt_allow_local(5) for more information upon installation of the HP-UX ContainmentPlus product. The syntax for a network rule is as follows: (grant|deny) (server|client|bidir) (tcp|udp|raw [protonum] ) [port port_num] [peer[portport]] compartment_name If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system, the network rules using the following formats are also supported: (grant-local|deny-local) (server|client|bidir) (tcp|udp|raw [protonum] ) [port port_num] [peer[portport]] compartment_name where: Access Direction 120 Compartments Grants or denies the compartment access to the network traffic in the specified compartment. The options are: • grant: Allows access to the network (both access between a process and a network interface, as well as between two processes using loopback communications) described by this rule. • deny: Denies access to the network (both access between a process and a network interface, as well as between two processes using loopback communications) described by this rule. • grant-local: Allows access described by this rule between two processes using loopback communications. The grant-local keyword is valid only if the HP-UX ContainmentPlus product is installed on the system. • deny-local: Denies access described by this rule between two processes using loopback communications. The deny-local keyword is valid only if the HP-UX ContainmentPlus product is installed on the system. Specifies which direction the rule applies to. The options are: • server: This rule applies to inbound requests only. For TCP, only incoming connections are controlled by this • • rule. For UDP and RAW, this rule applies to all inbound packets. client: This rule applies outbound requests only. For TCP, only connection initiations are controlled by this rule. For UDP and RAW, this rule applies to all outbound packets. bidir: This rule applies to both inbound and outbound requests. For TCP, connections initiated and received by the endpoint are controlled by this rule. For UDP and RAW, this rule applies to all packets passing through the endpoint. Protocol Specifies the networking protocol that applies to this rule. The options are: • tcp: This rule applies to the TCP protocol. • udp: This rule applies to the UDP protocol. • raw: This rule applies to any other protocol in the INET domain. protonum The protocol number specified for this rule. The protonum option is relevant only for raw specification. port (Optional) Specifies that this rule applies to a specific port. port Identifies the port specified in this rule. peer (Optional) The port information applies to the peer endpoint involved in the communication for this rule. compartment_name Specifies the name of the compartment that is the target of the rule. This is usually the interface compartment name, but can also be specified as another compartment to indicate a loopback communication. For example: /* allow all inbound TCP connections(any port)from interfaces labeled lancmpt1 */ grant server tcp lancmpt1 /* allow DNS client lookups (both TCP and UDP) through interface labeled lancmpt1 */ grant client tcp port 53 lancmpt1 grant bidir udp port 53 lancmpt1 /* allow only outbound telnet connections through interface labeled ifacelan0 */ grant client tcp peer port 23 ifacelan0 /* allow all TCP traffic except inbound telnet through interface labeled ifacelan0 */ /* the following two lines can be specified in either order */ grant bidir tcp ifacelan0 deny server tcp port 23 ifacelan0 /* allow inbound web server traffic through interface lan1cmpt */ 6.4 Compartment Rules and Syntax 121 grant server tcp port 80 lan1cmpt The network rules control how a process can communicate on a given port and interface, as well as how the process can bind to a port or address. In other words, the network rules are enforced at the time a communication takes place, and when a process calls the bind routine. The multibind facility enables processes to attach to IFADDR_ANY on a specific port in different compartments having disjoint set of interface rules. When multiple network rules are defined for the same compartment, the rules will be aggregated. That is, the union of all the rules is taken. For more information about network rules, see compartments(4). 6.4.5 Miscellaneous Rules These are rules that do not fit neatly into any other rules category. Network Interface Rules A network interface rule specifies the compartment that an interface belongs to. A network interface that is not in a compartment cannot be brought on line. NOTE: For stricter security policies, configure network interfaces in separate compartments from those assigned to processes. Define rules for network access for each compartment accordingly. Equal compartments are always granted full access to one another. The network interface rule syntax is as follows: compartment compartment_name { interface interface_or_ip[,interface_or_ip][...] } where: interface interface_or_ip[,interface_or_ip][...] Specifies that this is an interface definition. A comma-separated list of interface names, IP address, or range of IP addresses. IP addresses or ranges can be specified as IPv4 addresses or IPv6 addresses with an optional mask. For example: compartment iface0 { /* Define the compartment for the network interface lan0 */ interface lan0 /* All addresses in the range 192.168.0.0-192.168.0.255 */ interface 192.160.0.0/24 } compartment other_ifaces { /* Define the compartment for two of the other network interfaces */ interface lan1,lan5 122 Compartments NOTE: When APA is used in LAN MONITOR mode, the following rules must be met: • The primary interface, lan0, must be assigned to the proper compartment. • The secondary interface, lan1, is either not assigned to any compartment or is assigned to the same compartment as lan0. • The aggregate interface, lan900, is either not assigned to any compartment or is assigned to the same compartment as lan0. HP recommends that you leave lan900 unassigned in case APA changes the naming scheme. In this example, lan0 and lan1 are aggregated into lan900. For more information on APA, see apa(7). Privilege Limitation Rules A privilege limitation rule controls privilege inheritance. Any privilege named in a privilege limitation rule cannot be obtained when calling execve(2). The syntax for privilege limitation rules is: disallowed privileges privilege[,privilege[...]] where: disallowed privileges privilege[,privilege[...]] Specifies this as a privilege limitation rule. A comma-separated list of privileges. You can use the following additional keywords: • • • all: disallows all privileges none: allows all privileges !: denotes except For example: /* Disallow all privileges except mount. */ disallowed privileges all,!mount /* Disallow mount only. */ disallowed privileges none,mount If privilege limitation rules are not specified for a compartment, the default privilege limitation is basicpolicy,mknod for every compartment except the INIT compartment. The INIT compartment default privilege limitation is none. When multiple disallowed privilege rules are defined, the rules will be aggregated. Refer to priv_str_to_set(3) for information on how the privileges string will be aggregated to the privilege set. 6.4.6 Example Rules File An example rules file is located in /etc/cmpt/examples/sendmail.example. 6.4 Compartment Rules and Syntax 123 6.5 Configuring Compartments This • • • • section discusses the following topics: Activating compartments (Section 6.5.1) Defining a compartment configuration (Section 6.5.2) Running an application in a compartment (Section 6.5.3) Login directly in a compartment (Section 6.5.4) 6.5.1 Activating Compartments To activate compartment rules on the system, follow these steps: 1. Plan the compartment rules. See Section 6.2 for more information. TIP: HP recommends you plan the compartment rules configuration carefully. After you have edited the configuration and implemented it on a production system, it becomes difficult to change. When you change a compartment configuration, you must make changes to user procedures, scripts, and tools. 2. 3. Create compartment rules. See Section 6.4 for instructions on completing this step and for a complete description of compartment rules syntax. (Optional) Preview the compartment rules by entering the following command: # setrules -p The -p option parses the configured rules list and reports any discrepancies in syntax and semantics. HP recommends that you follow this step before enabling compartment rules on the system. 4. 5. (Optional) Make backup copies of the compartment configuration files. Either put these files outside the /etc/cmpt directory or omit the .rules suffix. Doing this lets you easily revert to the starting point if an editing problem occurs. Enable the compartments feature by entering the following command: # cmpt_tune -e 6. TIP: Reboot the system. This step is mandatory. Keep the backup files; this makes it easier to revert to a prior configuration. 6.5.2 Defining a Compartment Configuration You can create new compartments and modify existing compartments without rebooting the system. If you enable or disable the compartment feature, or completely remove a compartment, you must reboot the system. However, if you remove all rules associated with a compartment and all references to that compartment, you can leave the compartment on the system until the next reboot. 124 Compartments See Section 6.5.2.2 for more information about the implications of changing the name of a compartment. You can add new compartment rules, delete unneeded rules, and modify existing rules. You can also change the names of existing compartments. The application containment wizard, contain, can be used to simplify this configuration process. See compartment_login(5) for more information. To following sections describe how to modify compartment configuration. 6.5.2.1 Changing Compartment Rules 1. 2. (Optional) Make temporary backup copies of the configuration files you plan to modify. Either put these files outside the /etc/cmpt directory or omit the .rules suffix. Doing this lets you easily revert to the starting point if an editing problem occurs. Use the following command to examine the current compartment rules: # getrules 3. 4. Create or modify compartment rules. See Section 6.4 for instructions on completing this step and for a complete description of compartment rules syntax. (Optional) Preview the compartment rules by entering the following command: # setrules -p The -p option parses the configured rules list and reports any discrepancies in syntax and semantics. HP recommends that you follow this step before enabling compartment rules on the system. 5. 6. (Optional) Make backup copies of the compartment configuration files. Run the setrules command to load the configured rules: # setrules 6.5.2.2 Changing Compartment Names You can change the names of compartments. However, changing the name of a compartment can affect applications that are already configured with the existing compartment names. If you change the name of a compartment, you must reconfigure any applications configured in that compartment as well. NOTE: If you rename a compartment, you have essentially created a new compartment and removed the compartment with the old name. You must change all references to see the new compartment. The old compartment continues to exist on the system until a reboot. 6.5.3 Running an Application in a Compartment You can configure an application to run in a particular compartment by using one of the following options: 6.5 Configuring Compartments 125 • The setfilexsec command to configure the compartment attribute of a binary file. For example, to configure the application apple into the compartment fruit, enter the following command: # setfilexsec -c fruit apple • HP-UX RBAC,see Section 8.5.5. 6.5.4 Login Directly to a Compartment The compartment login configuration enables users and administrators to login directly to a compartment. It provides a mechanism to set controls on those users that are allowed to login to a service running in a specified compartment or prevent access to the system based on previously configured authorization information. NOTE: The Compartment Login feature is only supported on standard systems, it is not supported on trusted systems. For more information, see HP-UX Compartment Login using Secure Shell (SSH): www.hp.com/go/hpux-security-docs Click HP-UX 11i Security Containment Software. 6.6 Troubleshooting Compartments If something is not working on the system and you suspect the problem is occurring because of the compartment structure, you can check the compartment rules as follows. Problem 1: Access is not being controlled according to the compartment rules I configured. Solution: the rules may not be set in the kernel. To check whether the rules are set in the kernel, follow these steps: 1. Use the following command to list the valid compartment rules in the kernel. # getrules 2. Use the following command to list all rules configured on the system, including rules that have not been loaded into the kernel. # setrules -p 3. Compare the output of the two commands. If they are the same, all rules are loaded into the kernel. If the output differs, you need to load rules into the kernel. 4. Use the following command to load rules into the kernel. : # setrules Problem 3: Access to a file is not functioning properly. Solution: If multiple hard links point to this file, the compartment rules configuration may contain inconsistent rules for accessing the file. To check for inconsistencies, follow these steps: 126 Compartments 1. Execute the following command: # vhardlinks If the output shows an inconsistency, go on to step 2. 2. Modify the rules to remove the inconsistency. Follow the procedure described in Section 6.5.2. Problem 4: Network server rules do not appear in getrules output. Solution: Because of the way rules are managed internally, network server rules for a given compartment can be listed in the target compartment output of the getrules command. For example: /* telnet compartment rule to allow incoming telnet requests through compartment labeled ifacelan0 */ grant server tcp port 23 ifacelan0 If this rule is specified, it appears listed under the ifacelan0 compartment output of getrules. ACCESS Grant client PROTOCOL tcp SRCPORT 0 DESPORT 23 DESCMPT telnet 6.7 Using Discover Mode to Generate Initial Compartment Configuration A compartment definition can be tagged with the keyword discover. See Section 6.4.1. The discover keyword instructs the system to discover all of the rules necessary to make the application function correctly. This feature is intended to only be used in a test environment. To use discover mode, mark a compartment as discover and run the application as you normally would. The system identifies all resource accesses and creates the required rules. After the initial execution of the application, use the getrules –m compartment_name command to generate a machine readable version of rules. NOTE: The system does not discover nread and grant-local. The system discovers read rules for nread access and discovers grant rules for grant-local access. The system generated rules are required to make the application function successfully in the test environment, but may need to be generalized. For example, the system may generate a rule that involves a port number in anonymous port range, where the kernel, not the application, selects the port number. When the application is run again, it may end up with a different port number, requiring a different rule. The rule may need to be generalized such that either all ports or at least the port numbers in the anonymous port range are specified. 6.7 Using Discover Mode to Generate Initial Compartment Configuration 127 6.8 Compartments in HP Serviceguard Clusters If you use compartments with HP Serviceguard, you must configure all Serviceguard daemons in the default INIT compartment. However, you can configure Serviceguard packages in other compartments. See the latest editions of Managing Serviceguard and Using Serviceguard Extension for RAC for daemons required in Serviceguard and Serviceguard extensions for Oracle Real Application Cluster (RAC). Serviceguard packages can belong to specific compartments. Applications monitored as part of a Serviceguard package can also be configured in specific compartments. When you set up the compartment for a package, be sure that the resources required by that package (such as volume groups, file systems, network addresses, and so on) are accessible by that compartment. Compartment rules are node-specific and do not get carried over during Serviceguard failover operations. To ensure proper operation after a failover, all nodes in the cluster must have identical compartment configurations. When a primary LAN interface fails over to a standby LAN interface, the compartment label of the primary interface is automatically copied over to the standby interface as long as the standby is not online. If the standby interface is already configured online, the standby interface and the primary interface must be configured in the same compartment to fail over successfully. If the standby interface is configured in a different compartment from the primary interface, but is offline at the time of the failover, the standby interface is updated to the primary interface compartment configuration when the interface fails over. To maintain proper Serviceguard operations when deploying compartments in HP Serviceguard nodes or packages: • • • • • • 128 Do not modify the INIT compartment specifications in any way. Ensure inetd runs in the INIT compartment. Ensure that all Serviceguard daemons in a cluster run in the INIT compartment. For example, the daemons for Serviceguard Version A.11.16 include cmclconfd, cmcld, cmlogd, cmlvmd, cmomd, and cmsnmpd. See Managing Serviceguard for a list of all Serviceguard daemons. Ensure that all Serviceguard cluster requirements are met for Serviceguard Extensions for RAC clusters. Additionally, clusters with Serviceguard Extension for RAC Version A.11.16 need the cmsmgd daemon to run in the INIT compartment. RAC processes must have access to the libnmapi2 library, and must communicate with cmsmgd. See Using Serviceguard Extension for RAC for required daemons and libraries. Do not configure standby LAN interfaces in a compartment. Set up the compartments and rules identically on all nodes in the cluster. Compartments and rules are specific to a system and do not get carried over when a system fails over. Compartments NOTE: If a standby interface is configured in a compartment, running the setrules command applies this compartment to the standby interface even if it has been successfully switched from a primary interface. If the configured standby interface compartment does not match the primary interface compartment, the primary interface compartment is overwritten when you run setrules. This can cause security violations. There are no changes made to the Serviceguard scripts to facilitate the use of compartments, fine-grained privileges, or RBAC. 6.8 Compartments in HP Serviceguard Clusters 129 130 7 Fine-Grained Privileges This chapter describes the fine-grained privileges feature of HP-UX 11i . This chapter addresses the following topics: • Overview (Section 7.1) • Fine-grained privileges components (Section 7.2) • Available privileges (Section 7.3) • Configuring applications with fine-grained privileges (Section 7.4) • Security implications of fine-grained privileges (Section 7.5) • Fine-grained privileges in HP Serviceguard Clusters (Section 7.6) • Troubleshooting fine-grained privileges (Section 7.7) 7.1 Overview The UNIX operating system traditionally uses an "all or nothing" privilege model, in which superusers (those with effective UID=0, such as the root user) have virtually unlimited power, and other users have few or no special privileges. HP-UX provides several legacy methods of delegating limited powers, including restricted smh(1M), the privilege groups described in privgrp(4), the shutdown.allow file described in shutdown(1M), and the cron.allow file described in crontab(1). These legacy methods can be replaced by the use of fine-grained privileges and the HP-UX RBAC access control framework. The HP-UX fine-grained privilege model splits the powers of superusers into a set of privileges. Fine-grained privileges are granted to processes. Each privilege grants a process that possesses that privilege the right to a certain set of restricted services provided by the kernel. See privileges(5) for more information. 7.2 Fine-Grained Privileges Components The fine-grained privileges feature of HP-UX 11i include configuration files, commands, and manpages. You can use these components to configure and administer fine-grained privileges. 7.2.1 Commands Table 7-1 briefly describes the fine-grained privileges commands. 7.1 Overview 131 Table 7-1 Fine-Grained Privileges Commands Commands Description setfilexsec Sets security attributes of binary files. The attributes include retained privileges, permitted privileges, compartment, and the privilege start flag. getfilexsec Displays security attributes associated with binary executable files. The attributes include retained privileges, permitted privileges, compartment, and security attribute flags. getprocxsec Displays security attributes associated with a running processes. The attributes include the effective privilege set, retained privilege set, permitted privilege set, euid, and the compartment name. 7.2.2 Manpages Table 7-2 briefly describes the fine-grained privileges manpages. Table 7-2 Fine-Grained Privileges Manpages Manpage Description privileges(5) Overview of HP-UX privileges. privileges(3) Describes fine-grained privileges interfaces. setfilexsec(1M) Describes setfilexsec functionality and syntax. getfilexsec(1M) Describes getfilexsec functionality and syntax. getprocxsec(1M) Describes getprocxsec funtionality and syntax. 7.3 Available Privileges Fine-grained privileges are primarily targeted for developers. However, an administrator may still need to understand the privileges to understand how such applications work and to find if any unauthorized applications have gained privileges. Table 7-3 lists the privileges and their primary purposes. Table 7-3 Available Privileges 132 Privilege Description PRIV_ACCOUNTING Allows a process to control the process accounting system. PRIV_AUDCONTROL Allows a process to start, modify, and stop the auditing system. PRIV_CHANGECMPT Grants a process the ability to change its compartment. PRIV_CHANGEFILEXSEC Allows a process to grant privileges to binaries. PRIV_CHOWN Allows a process to access the chown() system calls. Fine-Grained Privileges Table 7-3 Available Privileges (continued) Privilege Description PRIV_CHROOT Allows a process to change its root directory. PRIV_CHSUBJIDENT Allows a process to change its UIDs, GIDs, and group lists. Also allows a process to leave the suid or sgid bits set on the file when the chown() system call is used. PRIV_CMPTREAD Allows a process to open a file or directory for reading, executing, or searching, bypassing compartment rules that otherwise would not permit these operations. PRIV_CMPTWRITE Allows a process to write to a file or directory, bypassing compartment rules that otherwise would not permit this operation. PRIV_COMMALLOWED Allows a process to override compartment rules in the IPC and networking subsystems. PRIV_CORESYSATTR Enables a process to manage system attributes including the setting of tunables and modifying user quotas. This privilege is valid only when the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system. PRIV_DACREAD Allows a process to override all discretionary read, execute, and search access restrictions. PRIV_DACWRITE Allows a process to override all discretionary write access restrictions. PRIV_DEVOPS Allows a process to do device administrative operations that are not specific to streams-based or pseudo terminals. NOTE: If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system, the PRIV_DEVOPS privilege is divided into PRIV_RDEVOPS and PRIV_PTYOPS. See “Compatibility Information for Divided Privileges” (page 135). PRIV_DLKM Allows a process to load a kernel module, get information about a loaded kernel module, and change global search paths for a dynamically loadable kernel module. PRIV_FSINTEGRITY Allows a process to perform disk operations such as removing or modifying the size or boundaries of disk partitions, or to import and export an LVM volume group across the system. PRIV_FSMOUNT Allows a process to mount and unmount a file system using the mount() and umount() system calls. This privilege is valid only when the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system. PRIV_HOSTATTR Enables a process to modify the host name and domain name. This privilege is valid only when the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system. 7.3 Available Privileges 133 Table 7-3 Available Privileges (continued) Privilege Description PRIV_LIMIT Allows a process to set resource and priority limits beyond the maximum limit values. PRIV_LOCKRDONLY Allows a process to use the lockf() system call to lock files opened with read-only permission. PRIV_MKNOD Allows a process to create character or block special files using the mknod() system call. PRIV_MLOCK Allows a process to access the plock system call. PRIV_MOUNT Allows a process to mount and unmount a file system using the mount() and umount() system calls. NOTE: If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system, the PRIV_MOUNT privilege is divided into PRIV_FSMOUNT and PRIV_SWAPCTL. See “Compatibility Information for Divided Privileges” (page 135). PRIV_MPCTL Allows a process to change processor binding, locality domain binding, or launch policy. PRIV_NETADMIN Allows a process to perform network administrative operations including configuring the network routing tables and querying interface information. PRIV_NETPRIVPORT Allows a process to bind to a privileged port. By default, port numbers 0-1023 are privileged ports. PRIV_NETPROMISCUOUS Allows a process to configure an interface to listen in promiscuous mode. PRIV_NETRAWACCESS Allows a process to access the raw internet network protocols. PRIV_OBJSUID Allows a process to set the suid or sgid bits on any file if the process has the OWNER privilege. It also allows a process to change the ownership of a file without clearing the suid or sgid bits, provided that the process is allowed to change the ownership of the file. PRIV_OWNER Allows a process to override all restrictions with respect to UID matching the owner of the file or resource. PRIV_PSET Allows a process to change the system pset configuration. PRIV_PTYOPS Allows the process to do administrative operations that are streams-based or pseudo terminal specific. This privilege is valid only when the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system. 134 Fine-Grained Privileges Table 7-3 Available Privileges (continued) Privilege Description PRIV_RDEVOPS Allows the process to do device administrative operations that are non-pseudo terminal specific. This privilege is valid only when the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system. PRIV_REBOOT Allows a process to perform reboot operations. PRIV_RTPRIO Allows a process to access the rtprio() system call. PRIV_RTPSET Allows a process to control RTE psets. PRIV_RTSCHED Allows a process to set POSIX.4 real-time priorities. PRIV_RULESCONFIG Allows a process to add and modify compartment rules on the system. PRIV_SELFAUDIT Allows a process to generate auditing records for itself using audwrite() system call. PRIV_SERIALIZE Allows a process to use the serialize() system call force a target process to run serially with other processes marked for serialization. PRIV_SPUCTL Allows a process to do certain administrative operations in the Instant Capacity product. PRIV_SWAPCTL Allows a process to manage swap space using the swapctl() system call. This privilege is valid only when the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system. PRIV_SYSATTR Allows a process to manage system attributes, including the setting of tunables, modifying the host name, domain name, and user quotas. NOTE: If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system, the PRIV_SYSATTR privilege is divided into PRIV_CORESYSATTR and PRIV_HOSTATTR. See “Compatibility Information for Divided Privileges” (page 135). PRIV_SYSNFS Allows a process to perform NFS operations like exporting a file system, the getfh() system call, NFS file locking, revoking NFS authentication, and creating an NFS kernel daemon thread. PRIV_TRIALMODE Allows a process to log trial mode information to the syslog file. 7.3.1 Compatibility Information for Divided Privileges If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system, the PRIV_SYSATTR, PRIV_MOUNT and PRIV_DEVOPS privileges are each divided into two privileges. The PRIV_SYSATTR privilege is divided into 7.3 Available Privileges 135 PRIV_CORESYSATTR and PRIV_HOSTATTR. The PRIV_MOUNT privilege is divided into PRIV_FSMOUNT and PRIV_SWAPCTL. The PRIV_DEVOPS privilege is divided into PRIV_RDEVOPS and PRIV_PTYOPS. This new privilege model allows applications, when explicitly developed to be aware of HP-UX privileges (see privileges(5)), to have finer control over the administrative capabilities that were controlled by the PRIV_SYSATTR, PRIV_MOUNT and PRIV_DEVOPS privileges. System calls that manage a system's host and domain names (see setdomainname(2), sethostname(2), and setuname(2)) now require the PRIV_HOSTATTR privilege. System calls that manage a system's swap space (see swapctl(2) and swapon(2)) now require the PRIV_SWAPCTL privilege. System calls that manage streams-based terminals (see ldterm(7)) now require the PRIV_PTYOPS privilege. The above system calls will return -1 with errno set to either EPERM or EACCESS if the required privilege is not possessed by the calling process. To maintain backward compatibility for HP-UX privileges aware applications in the new privilege model, the string representation of the PRIV_SYSATTR, PRIV_DEVOPS, and PRIV_MOUNT privileges will continue to be supported as compound privileges [PRIV_CORESYSATTR and PRIV_HOSTATTR], [PRIV_RDEVOPS and PRIV_PTYOPS], and [PRIV_SWAPCTL and PRIV_FSMOUNT] in the user space. All HP-UX core kernel modules and commands have been updated to support the new privileges. This ensures standard and typical HP-UX privileges aware applications to continue to work in the new privilege model without requiring any changes unless you want to take advantage of the new privilege model to gain finer control. 7.4 Configuring Applications with Fine-Grained Privileges Applications that are written or modified to support fine-grained privileges are called privilege-aware applications. You must register privilege-aware applications using the setfilexsec command. Once registered, the security attributes associated with a binary file are stored in a configuration file and maintain persistence across reboot. This is normally done for you when you install and configure privilege-aware applications using the SD-UX utilities. Older HP-UX applications, or legacy applications, are not privilege-aware. You can configure legacy applications that run with UID=0 to run with fine-grained privileges. To configure legacy applications using HP-UX RBAC, see Section 8.5.4. 136 Fine-Grained Privileges TIP: HP recommends you use HP-UX RBAC to configure applications that require variable privileges to run. NOTE: Some of the fine-grained privileges are divided into more granularity. If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system, the PRIV_SYSATTR , PRIV_MOUNT, and PRIV_DEVOPS privileges are each divided into two privileges. By using the new privileges, a process can now allow a subset of the operations while disallowing the other. See privileges(5) and “Compatibility Information for Divided Privileges” (page 135). To configure security attributes for a privilege-aware application, use the setfilexsec command as follows: # setfilexsec [options] filename The setfilexsec command is meant to assign privileges to binaries on a local file system. Binaries that are obtained from a network file systems (NFS) should not be assigned privileges because if the file is modified by a different system (directly on the NFS server), the extended attributes set by setfilexsec are not removed. The options for setfilexsec are as follows: -d Deletes any security information for this file from the configuration file and the kernel. -D Deletes any security information for this file from the configuration file only. Used to clear security information for a deleted file. -r Add or change minimum retained privileges. -R Add or change maximum retained privileges. -p Add or change minimum permitted privileges. -P Add or change maximum permitted privileges. -f Sets the security attribute flags. The getfilexsec command displays the extended attributes of a binary file, set with the setfilexsec command. # getfilexsec filename 7.4 Configuring Applications with Fine-Grained Privileges 137 7.4.1 Privilege Model Each process has three privilege sets associated with it: • Permitted Privilege Set The maximum set of privileges a process can raise. The process can drop any privilege from this set, but cannot add any privileges to this set. Privileges from this set can be added to the effective privilege set of the process. • Effective Privilege Set The set of currently active privileges for a process. A privilege-aware process can modify effective privilege set to keep only the necessary privileges in this set at any given time. The process can remove any privilege from the effective privilege set, but can only add privileges from the permitted privilege set. The effective privilege set is always a subset of the permitted privilege set. • Retained Privilege Set The set of privileges retained when a process calls the execve system call. The process can remove any privilege from this set, but cannot add privileges to this set. The retained privilege set is always a subset of the permitted privileges set. The first process, init, starts with a small set of privileges. It then creates other processes that execute other binaries using exec family calls (execv, execve, and so on). During this exec call, the extended attributes of the binary, the attributes set with setfilexsec command, may cause these processes to gain privileges that their parent process do not have, or lose the privileges that the parent process had. For instance, if a binary has a permitted minimum of DACREAD (setfilexsec –p DACREAD has been performed on the binary), the new process will have the DACREAD privilege whether or not the parent process had that privilege. On the other hand, if process already has the DACREAD privilege, but if the binary it executes does not have this privilege in permitted max (for example, setfilexsec -P none …. has been performed on the file already), it would lose the privilege as a side-effect of executing the binary. 7.4.2 Compound Privileges Compound privileges are a shorthand way of specifying a predefined set of simple privileges. 138 Fine-Grained Privileges The following are compound privileges: • BASIC Basic privileges available to all processes by default. Processes may drop one or more privileges from this set. • BASICROOT Basic and privileges and privileges that provide powers usually associated with UID=0. • POLICY Policy override privileges and policy configuration privileges. Policy override privileges override compartment rules. Policy configuration privileges control how privileges are configured. For a complete list of the privileges in each of the compound privileges, see privileges(5). 7.5 Security Implications of Fine-Grained Privileges Fine-grained privileges are not propagated across distributed systems; they are applied only on the local system. For example a process on one system that has PRIV_DACREAD and PRIV_DACWRITE cannot override discretionary restrictions on another system to read or write to a file. 7.5.1 Privilege Escalation In certain situations, if you grant a process a certain privilege or set of privileges, that process can gain additional privileges that were not explicitly granted to it. This is called privilege escalation. For example, a process with the PRIV_DACWRITE privilege can overwrite critical operating system files and, in the process, can grant itself additional fine-grained privileges. 7.6 Fine-Grained Privileges in HP Serviceguard Clusters Privilege-aware applications can be monitored by HP Serviceguard. There are no changes to Serviceguard package configuration files or Serviceguard package management to support fine-grained privileges. No changes were made in Serviceguard scripts to facilitate the use of fine-grained privileges. To maintain proper Serviceguard operations when deploying HP-UX 11i fine-grained privileges to Serviceguard nodes or packages: • • Ensure root (UID=0) has full privileges in the INIT compartment. Ensure fine-grained privileges implementations do not create security risks for Serviceguard clusters. 7.5 Security Implications of Fine-Grained Privileges 139 7.7 Troubleshooting Fine-Grained Privileges If something is not working on the system and you suspect the problem is occurring because of fine-grained privileges, you can check the fine-grained privileges configuration as follows. Problem 1: Even though fine-grained privileges are assigned to a binary file, processes that use exec() to access the binary are not receiving the assigned fine-grained privileges. Solution: Check for one of the following situations. • Is the file in question a script? Any fine-grained privileges assigned to shell scripts are ignored. • Has the file changed since the fine-grained privileges were assigned? When a file is modified, its fine-grained privilege attributes are lost. Run the following command either before or after you modify the file: # setfilexsec -d filename Next, add the privilege attributes you want assigned to the file. See setfilexsec(1M) for more information about troubleshooting fine-grained privileges. Problem 2: A process has privileges it should not have, or does not have privileges it should have. Solution: Use the getprocxsec command to determine what privileges a process has: # getprocxsec -per pid This command displays the permitted, effective, and retained privilege sets for the process. For more information, see getprocxsec(1M) If the process does not have the correct privileges, configure the binary file that created this process with the correct privileges. See “Configuring Applications with Fine-Grained Privileges” for more information. 140 Fine-Grained Privileges Part III Protecting Identity In modern day global enterprise companies, managing identity is not an easy task, especially as identity management requirements grow to include employees, contractors, partners and suppliers across many countries with various privacy protection laws and regulation. HP-UX 11i simplifies user authentication and access management, while auditing all privileged actions that take place. This section discusses the following topics: • HP-UX Role-Based Access Control (Chapter 8) • Audit administration (Chapter 9) 141 142 8 HP-UX Role-Based Access Control The information in this chapter describes HP-UX Role-Based Access Control (HP-UX RBAC). This chapter addresses the following topics: • Overview (Section 8.1) • Access control basics (Section 8.2) • HP-UX RBAC components (Section 8.3) • Planning the HP-UX RBAC deployment (Section 8.4) • Configuring HP-UX RBAC (Section 8.5) • Using HP-UX RBAC (Section 8.6) • Troubleshooting HP-UX RBAC (Section 8.7) 8.1 Overview Security, especially platform security, has always been an important issue for enterprise infrastructure. Even so, many organizations often neglected or overlooked such security concepts as individual accountability and least privilege in the past. However, recently introduced legislation in the United States including the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act has helped to highlight the importance of these security concepts. Most enterprise environments have systems administered by multiple users. Typically, this is accomplished by providing the administrators with the password to a common, shared account, known as root. While the root account simplifies access control management by enabling administrators with the root password to perform all operations the root account also presents several inherent obstacles for access control management, for example: • • • After providing administrative users with the root password, there is no easy way to further constrain those users. In the best case, revoking access for a single administrator requires changing the common password and notifying other administrators. More realistically, simply changing the password is probably not sufficient to effectively revoke access because alternative access mechanisms might have already been implemented. Individual accountability with a shared root account is virtually impossible to achieve. Consequently, proper analysis after a security event becomes difficult, and in some cases impossible. The HP-UX Role-Based Access Control (RBAC) feature resolves these obstacles by providing the capability to assign sets of tasks to ordinary, but appropriately configured, user accounts. HP-UX RBAC also mitigates the management overhead associated with assigning and revoking individual authorizations on a per-user basis. 8.1 Overview 143 HP-UX RBAC offers the following features: • • • • Predefined configuration files specific to HP-UX, for a quick and easy deployment Flexible re-authentication via Plugable Authentication Module (PAM), to allow restrictions on a per command basis Integration with HP-UX audit system, to produce a single, unified audit trail Pluggable architecture for customizing access control decisions 8.2 Access Control Basics The goal of an access control system is to limit access to resources based on a set of constraints. Typically, these constraints and their associated attributes fit into the following categories: • • • Subject: The entity attempting to access the resource. In the context of an operating system, the subject is commonly a user or a process associated with a user. Operation: An action performed on a resource. An operation can correspond directly to an application or a command. In the case of HP-UX RBAC, the operation is a dot-separated, hierarchical string, such as hpux.user.add. Object: The target of the operation, which is often the same as the end resource, but which can be different. An access control request can be thought of as a question combining the previous elements, where the response to the question (usually allow or deny) determines whether access to the resource is granted. For example: Is the user ron authorized to perform the operation hpux.fs.mount on the object/dev/dsk/c0t1d0? Often, the term authorization is used as a synonym for access control. In HP-UX RBAC, authorization refers to the ability to perform an operation on an object. As shown in Table 8-1, a user can have a set of authorizations, each of which allows access to a resource. Table 8-1 Example of Authorizations Per User Operation Component of Authorization Users ron lisa jim liz hpux.user.password.modify • • • • hpux.network.nfs.start • hpux.user.add hpux.user.delete hpux.user.modify 144 HP-UX Role-Based Access Control Table 8-1 Example of Authorizations Per User (continued) Operation Component of Authorization Users hpux.network.nfs.stop • hpux.network.nfs.config • hpux.fs.backup • • hpux.fs.restore • • NOTE: Table 8-1 shows only the operation element of the authorizations—not the object element of the authorizations. 8.2.1 Simplifying Access Control with Roles In addition to the basic principals of access control discussed in the preceding overview, this section addresses how access control policy is represented and how decisions are made. The preceding overview of access control does not address how access control policy is represented and how decisions are made. One approach is to simply maintain a list of users and the authorizations (operation, object pairs) assigned to each of them. This approach has the advantage of being flexible, because each user's set of authorizations can be completely different from those of the other users. Unfortunately, this approach is also difficult to manage because as you add users, you must determine exactly which authorizations each user requires. Also, when performing audits, you must examine each user individually to determine his or her associated authorizations. HP-UX RBAC addresses these issues by grouping users with common authorization needs into roles. Roles serve as a grouping mechanism to simplify authorization assignment and auditing. Rather than assigning an authorization directly to a user, you assign authorizations to roles. As you add users to the system, you assign them a set of roles, which determine the actions they can perform and the resources they can access. Compare Table 8-2, which lists authorizations assigned to roles, with Table 8-1, which lists authorizations assigned to each user. By comparing these two tables, you can see how roles simplify authorization assignment. Table 8-2 Example of Authorizations Per Role Operation Component of Authorization Role UserAdmin hpux.user.add • NetworkAdmin BackupOper Admin • 8.2 Access Control Basics 145 Table 8-2 Example of Authorizations Per Role (continued) Operation Component of Authorization Role hpux.user.delete • • hpux.user.modify • • • hpux.user.password.modify hpux.network.nfs.start • • hpux.network.nfs.stop • • hpux.network.nfs.config • • hpux.fs.backup • • hpux.fs.restore • • NOTE: Table 8-2 shows only the operation element of the authorizations—not the object element of the authorization. 8.3 HP-UX RBAC Components Following is a list of the primary HP-UX RBAC components: 146 privrun wrapper command Based on authorizations associated with a user, privrun invokes existing legacy applications with privileges after performing authorization checks and optionally re-authenticating the user and without modifying the application. privedit command Based on the authorizations associated with a user, privedit allows users to edit files they usually would not be able to edit because of file permissions or Access Control Lists (ACLs). Privilege shells Privilege shells (privsh, privksh, and privcsh) that automatically invoke the access control subsystem to run commands with privileges when appropriate. management commands Edits and validates HP-UX RBAC database files. Access Control Policy Switch (ACPS) Determines whether a subject is authorized to perform an operation on an object. Access Control Policy Module (ACPM) Evaluates HP-UX RBAC databases files and applies mapping policies to service access control requests. HP-UX Role-Based Access Control SMH integration RBAC System Management Homepage (SMH) integration to allow the graphical management of the RBAC databases through a Web interface. The following sections discuss the HP-UX RBAC components in more detail. 8.3.1 HP-UX RBAC Access Control Policy Switch The HP-UX RBAC Access Control Policy Switch is a customizeable interface between applications that must make access control decisions and the access control policy modules that provide decision responses after interpreting policy information in RBAC databases. As shown in Figure 8-1, from its location in the HP-UX RBAC architecture, the ACPS provides an interface between the access control policy modules and the applications that make access control decisions. The ACPS has the following interfaces, described in detail in their respective manpages: • • • ACPS application programming interface (API) ACPS service provider interface (SPI) /etc/acps.conf The administrative interface for the ACPS is the /etc/acps.conf configuration file. The /etc/acps.conf configuration file determines which policy modules the ACPS consults, the sequence in which the modules are consulted, and the rules for combining the module's responses to deliver a result to the applications that need access control decisions. This ACPS implementation allows you to create a module to enforce custom policy without modifying existing role-based access control applications. NOTE: Refer to acps(4), acps.conf(4), acps_api(3), and acps_spi(3) for more information on the ACPS and its interfaces. 8.3.2 HP-UX RBAC Configuration Files Table 8-3 lists and briefly describes the HP-UX RBAC files. Table 8-3 HP-UX RBAC Configuration Files Configuration File Description /etc/rbac/auths Database file containing all valid authorizations. /etc/rbac/cmd_priv privrun database file containing command and file authorizations and privileges. /etc/rbac/role_auth Database file defining the authorizations for each role. /etc/rbac/roles Database file defining all configured roles. /etc/rbac/user_role Database file defining the roles for each user. 8.3 HP-UX RBAC Components 147 Table 8-3 HP-UX RBAC Configuration Files (continued) Configuration File Description /etc/acps.conf Configuration file for the ACPS. /etc/rbac/aud_filter Audit filter file identifying specific HP-UX RBAC roles, operations, and objects to audit. 8.3.3 HP-UX RBAC Commands Table 8-4 lists and briefly describes the HP-UX RBAC commands. Table 8-4 HP-UX RBAC Commands Command Description privrun Invokes legacy application with privileges after performing authorization checks and optionally re-authenticating the user. privedit Allows authorized users to edit files that are under access control. roleadm Edits of role information in the /etc/rbac/user_role, /etc/rbac/role_auth, and /etc/rbac/roles files. authadm Edits authorization information in the /etc/rbac/role_auth and /etc/rbac/roles files. cmdprivadm Edits command authorizations and privileges in the /etc/rbac/cmd_priv database. rbacdbchk Verifies authorizations and syntax in the HP-UX RBAC and privrun database files. 8.3.4 HP-UX RBAC Manpages Table 8-5 lists and briefly describes the HP-UX RBAC manpages. Table 8-5 HP-UX RBAC Manpages 148 Manpage Description rbac(5) Describes the HP-UX RBAC feature. acps(3) Describes the ACPS and its interfaces. acps.conf(4) Describes the ACPS configuration file and its syntax. acps_api(3) Describes the ACPS Application Programming Interface. aacps_spi(3) Describes the ACPS Service Provider Interface. privrun(1m) Describes privrun functionality and syntax. privedit(1m) Describes privedit functionality and syntax. roleadm(1m) Describes roleadm functionality and syntax. HP-UX Role-Based Access Control Table 8-5 HP-UX RBAC Manpages (continued) Manpage Description authadm(1m) Describes authadm functionality and syntax. cmdprivadm(1m) Describes cmdprivadm functionality and syntax. rbacdbchk(1m) Describes rbacdbchk functionality and syntax. privsh(5m) Overview of various privileged system shells. rbac.conf(4m) Configuration file for Role Based Access Control. key_filter(4m) Configuration file for the keystroke logging module. 8.3.5 HP-UX RBAC Architecture The primary component of HP-UX RBAC is the privrun command, which invokes existing commands, applications, and scripts. The privrun command uses the ACPS subsystem to make access control requests. An access request is granted or denied based on a set of configuration files that define user-to-role and role-to-authorization mappings. If the access request is granted, privrun invokes the target command with additional privileges, which can include one or more of either a UID, GID, fine-grained privileges, and compartments. The privileges are configured to enable the target command to run successfully. Figure 8-1 shows the HP-UX RBAC architecture. 8.3 HP-UX RBAC Components 149 Figure 8-1 HP-UX RBAC Architecture /usr/sbin/ cmdprivadm privrun Command, Auth Privilege Database privedit PAM, Name Service Switch access - control aware application access - control aware application AC PS AP I Access Control Policy Switch (ACPS) PAM Service Modules User Information (for example /etc/passwd ) AC P S SP I Other Policy ACPM Local RBAC ACPM KEY : Privilege Wrapper Command s Access Control Switch Valid System Roles User Role Database Role Authorization Database Valid System Auths RBAC Future Existing Components /usr/sbin/ rbacdbck /usr/sbin/ roleadm /usr/sbin/ authadm 8.3.6 HP-UX RBAC Example Usage and Operation Figure 8-2 and the subsequent footnotes show a sample invocation of privrun and the configuration files that privrun uses to determine whether a user is allowed to invoke a command. 150 HP-UX Role-Based Access Control Figure 8-2 Example Operation After Invoking privrun Authorizations Users MANY:MANY Roles /etc/rbac/user_role Operations 1:1 MANY:MANY Objects /etc/rbac/role_auth AC PS cmd, args, UID S ACP via via Process (shell ) MANY:MANY 4 Cmd, Privs /etc/rbac/cmd_priv 3 Drop all but defined privs Privrun 2 Command w/ Privileges 5 1 1. 2. 3. 4. 5. A process, specifically a shell, associated with the user executes privrun with the goal of executing a target command with elevated privilege. The target command line (command and arguments) is explicitly passed to privrun, and the UID of the invoking user is implicitly passed by the process context. privrun attempts to find a match (or set of matches) within the /etc/rbac/cmd_priv database for the specified command line. Each matching entry also specifies a required authorization (operation, object pair) and the resulting privileges if the user has the specified authorization. privrun makes a call (for each matching /etc/rbac/cmd_priv entry) to the ACPS. The HP-UX RBAC back end of the ACPS consults the /etc/rbac/user_role and /etc/rbac/role_auth databases to determine whether the user has the specified authorization, and passes this result back to privrun. Assuming that the user associated with the process has the required authorization specified in the /etc/rbac/cmd_priv database for the requested command, privrun will drop all privileges except those specified in the /etc/rbac/cmd_priv entry and execute the requested command. The privrun command is set to UID=0 and starts with all necessary privileges. 8.4 Planning the HP-UX RBAC Deployment Follow these planning steps before deploying HP-UX RBAC: 1. 2. 3. Plan roles for users. Plan authorizations for the roles. Plan the authorization-to-command mappings. The following sections describe these steps in more detail. 8.4 Planning the HP-UX RBAC Deployment 151 8.4.1 Planning the Roles Planning an appropriate set of roles for the users of a system is a critical first step in deploying HP-UX RBAC. In some enterprises, this set of roles already exists, and you can reuse it when configuring HP-UX RBAC. More commonly, you must design the roles based on the existing tasks associated with administrative users on the system. Consider the following guidelines when designing roles: • • • There should be considerably fewer roles than the total number of users of the system. If each user requires a special role, then all of the simplified management associated with the use of roles is no longer in place. Roles should have some relation to the actual business roles of the users. Users can have multiple roles, and therefore you can design some roles simply to group authorizations common to multiple business roles. Using this approach, you can design roles hierarchically to include different roles by including their authorizations. 8.4.2 Planning Authorizations for the Roles After defining roles, you can plan the authorizations associated with each role. If the roles align with the pre-existing operation hierarchy, then assigning the authorizations is straightforward. Enter the following command to list all the system-defined authorizations: # authadm list sys If the existing authorization hierarchy does not align with your roles, defining the authorizations associated with each role is more complex. You can use the following steps to help: 1. 2. 3. List the system commands commonly used by each role. Compare these commands to the commands in the /etc/rbac/cmd_priv database. If you find matching entries after performing the previous steps, use those entries as a guide for assigning authorizations. For example, assume one of the desired roles is UserOperator, which commonly runs such commands as useradd, usermod, userdel, and so on. To determine what authorizations might be appropriate for this role, enter the following command: # grep useradd /etc/rbac/cmd_priv /usr/sbin/useradd:dflt:(hpux.user.add,*):0/0//:dflt:dflt:dflt: In this example, the /usr/sbin/useradd command requires the hpux.user.add authorization. You could assign this authorization directly, or assign hpux.user.* as the authorization. Be careful using wildcards when assigning authorizations. Assigning this authorization actually assigns multiple authorizations: 152 HP-UX Role-Based Access Control # grep hpux.user. /etc/rbac/cmd_priv /usr/sbin/pwgrd:dflt:(hpux.user.cache.admin,*):0/0// :dflt :dflt :dflt : /usr/sbin/userdel:dflt:(hpux.user.delete,*):0/0// :dflt :dflt :dflt : /usr/sbin/groupdel:dflt:(hpux.user.group.delete,*):0/0// :dflt :dflt :dflt : /usr/sbin/useradd:dfl:(hpux.user.add,*):0/0//:dflt:dflt:dflt: /usr/sbin/usermod:dflt:(hpux.user.modify,*):0/0// :dflt :dflt :dflt : /usr/sbin/groupadd:dflt:(hpux.user.group.add,*):0/0// :dflt :dflt :dflt : /usr/sbin/groupmod:dflt:(hpux.user.group.modify,*):0/0// :dflt :dflt :dflt : /usr/sbin/vipw:dflt:(hpux.user.modify,*):0/0// :dflt :dflt :dflt : 8.4.3 Planning Command Mappings Define any commands that are commonly used by any of the defined roles but do not exist in the predefined /etc/rbac/cmd_priv file that is provided. The /etc/rbac/cmd_priv file defines the mapping between authorizations and commands. Determine the following for each command: • • • The full path of the command The necessary authorization to check before running the command Any special privileges needed by the command, for example, euid=0 The strings of text that constitute the operation and object entries in the /etc/rbac/cmd_priv file are arbitrary, but they should correspond logically to a command or set of commands. Consider the following guidelines when planning the authorization to command mappings in /etc/rbac/cmd_priv: • • • • Define operations into logical groups to easily assign the operations to roles. Do not create operation branches with too many (more than 10) or too few (1) child elements. The overall tree should not be overly wide, making it difficult to assign groups of operations, or overly tall, with individual operation names that are long and hard to use. End the last element of an operation name with an action (verb). Define operations so that new commands can be clearly placed when added. See “Configuring Additional Command Authorizations and Privileges” for the procedure to configure additional commands. 8.4.4 HP-UX RBAC Limitations and Restrictions Following is a list of items to consider before deploying HP-UX RBAC: • • • HP-UX RBAC does not support single user mode, therefore the root account should be available during situations when single user mode is needed. Serviceguard does not support the use of HP-UX RBAC and privrun to grant access to Serviceguard commands. See Section 8.6.1.1 for more information about HP-UX RBAC and Serviceguard clusters. As with all applications, HP-UX RBAC is subject to the rules that govern compartments (see Chapter 6). Remember the following when using HP-UX RBAC with Compartments: 8.4 Planning the HP-UX RBAC Deployment 153 — You cannot run privedit on a file that is restricted by a compartment definition. — To provide a different application with fine-grained privileges, the privrun command must be running with those same privileges it wants to provide to the application. By default, privrun is configured to run with all privileges (see getfilexsec(1M) for more information). However, sometimes this default privilege set may be restricted. For example, if a compartment is configured to disallow privileges, this specification prevents privrun from providing the privileges to the application in that compartment because privrun does not have the privileges itself. Note that by default, sealed compartments are configured to disallow the POLICY compound privilege. — For privrun to invoke another application in a compartment, privrun must assert the CHANGECMPT privilege. If privrun cannot assert the CHANGECMPT privilege, for example, if the compartment is configured to disallow privileges, privrun will fail. This behavior is intentional and designed to reinforce the concept of a sealed compartment. 8.5 Configuring HP-UX RBAC Configuring HP-UX RBAC is a three-step process: 1. 2. 3. Configure the roles. Configure the authorizations. Configure any additional commands. IMPORTANT: Authorizations are built-in (hard-coded) to the HP-UX RBAC administration commands and cannot be configured. However, you can configure which roles and users have the required HP-UX RBAC administration command authorizations. HP-UX RBAC administration commands do not need to be wrapped with the privrun command because they are setuid=0. The HP-UX RBAC administration commands run with privileges equal to root regardless of who invokes them. Access control checks limit who can use the HP-UX RBAC administrative commands. See the Authorization section in each of the HP-UX RBAC administrative commands manpages for more information about their authorizations. This Section 8.5 uses the example planning results and users in Table 8-6 to demonstrate the HP-UX RBAC administrative commands and configuration process. 154 HP-UX Role-Based Access Control Table 8-6 Example Planning Results Users Roles Authorizations Typical Commands (Note: Objects Assumed to Be *) chandrika, UserOperator rwang hpux.user.* /usr/sbin/useradd hpux.security.* /usr/sbin/usermod bdurant, prajessh NetworkOperator hpux.network.* /sbin/init.d/inetd luman Administrator hpux.* /opt/customcmd company.customauth 8.5.1 Configuring Roles Configuring roles for users is a two-step process: 1. 2. Create roles. Assign roles to users or groups. 8.5.1.1 Creating Roles Use the roleadm command to create roles and assign them to users or groups. You must first add roles that do not already exist, and then assign users to those roles. The following shows the roleadm command syntax: roleadm add role [comments] | delete role | modify oldrolename newrolename | assign user role | assign "&group" role | revoke user [role] | revoke "&group" [role] | list [user=username][role=rolename][sys] Following is a list and brief description of the roleadm command arguments: add Adds the role to the system list of roles in /etc/rbac/roles. delete Deletes the role from the system list of roles in /etc/rbac/roles. modify Changes role names in all three role-related database files: /etc/rbac/roles, /etc/rbac/user_role, and /etc/rbac/role_auth. assign Assigns a role to a user or group, and updates the /etc/rbac/user_role. revoke Revokes a role from a user or group, and removes the entry from /etc/rbac/user_role. list Lists the valid system roles (sys), or the user-to-role mappings. 8.5 Configuring HP-UX RBAC 155 NOTE: See the roleadm(1m) manpage for more information. Following are two examples of the roleadm command adding new roles: # roleadm add UserOperator roleadm: added role UserOperator # roleadm add NetworkOperator roleadm: added role NetworkOperator NOTE: The default configuration files delivered with HP-UX RBAC contain a single preconfigured role: Administrator. By default, the Administrator role is assigned all HP-UX system authorizations (hpux.*, *) and is associated with the root user. After defining valid roles, you can assign them to one or more users or groups. Attempting to assign a role that has not been created to users will display an error message indicating that the role does not exist. 8.5.1.2 Assigning Roles to Users Separating role creation from role assignment offers the following advantages: • Requiring that roles be created before they are assigned ensures that any typographical errors are caught when specifying role names during role assignment. • Allows different users to perform each task. For example, the same user is not required to both create the roles and assign the roles. After creating valid roles, use the roleadm command to assign them to the appropriate users, as shown in the following examples: # roleadm assign luman Administrator roleadm assign done in /etc/rbac/user_role # roleadm assign rwang UserOperator roleadm assign done in /etc/rbac/user_role After using the roleadm assign command to assign roles to users, you can use the roleadm list command to verify that the roles were assigned correctly, for example: # roleadm list root: Administrator luman: Administrator rwang: UserOperator 156 HP-UX Role-Based Access Control NOTE: HP-UX RBAC offers the ability to add a special user named DEFAULT to the /etc/rbac/user_role database. Assigning a role to the DEFAULT user means any user that does not exist on the system is assigned that role. 8.5.1.3 Assigning Roles to Groups HP-UX RBAC also enables you to assign roles to groups. You can use the roleadm command options that use the user value, such as roleadm assign user role and roleadm revoke user role to administer groups and roles. Assign, revoke, or list group and role information using the roleadm command by inserting an ampersand (&) at the beginning of the user value and enclosing the user value in quotations. The group name value and ampersand (&) must be shell escaped or enclosed in quotations to be interpreted by roleadm. For example: # roleadm assign "&groupname" role 8.5.2 Configuring Authorizations Configuring authorizations is similar to creating and assigning roles. However, authorizations contain two elements: an operation and an object. The * wildcard—the most commonly used object—is the implicit object used if you do not specify an object while invoking the authadm command. In many cases, the object is purposely left unspecified, so that the operation applies to all objects. Leaving the object unspecified is often used for authorizations that apply to wrapped commands because it can be difficult to determine the target of an action from the command name. An example of this object ambiguity is the /usr/sbin/passwd command. The passwd command can operate on a number of repositories, for example, the /etc/passwd file, an NIS table, and an LDAP entry. You cannot determine the actual object by looking at the command line, so it is typically easiest to require that the user have the operation on all objects, for example: (hpux.security.passwd.change, *). NOTE: You can configure a value for the default object. By default, if you do not specify an object, HP-UX RBAC will use the * wildcard as the object. However, if you have configured a value for the RBAC_DEFAULT_OBJECT= parameter in /etc/default/security, HP-UX RBAC will use this value instead of the * wildcard as the default object. Use the authadm command to edit authorization information in the HP-UX RBAC databases. The authadm syntax is similar to the roleadm syntax. Following is the authadm command syntax: authadm add operation[object[comments]] | delete operation[object] | assign role operation[object] | revoke [role=name][operation=name[object=name]] | list [role=name][operation=name[object=name][sys] 8.5 Configuring HP-UX RBAC 157 The following is a list and brief description of the authadm command arguments: add Adds an authorization to the system list of valid authorizations in /etc/rbac/auths. delete Deletes an authorization from the system list of valid authorizations in /etc/rbac/auths. assign Assigns an authorization to a role and adds an entry to /etc/rbac/role_auth. revoke Revokes an authorization from a role and updates /etc/rbac/role_auth. list Lists valid authorizations per system or role, and lists roles associated with the specified operation. IMPORTANT: Be aware that when you assign an authorization that contains the asterisk * character, you must surround the wildcard character with quotation marks to prevent shell interpretation, as shown in the following examples. The following are examples of authorization creation and assignment based on Table 8-6: # authadm add 'company.customauth.*' authadm added auth: (company.customauth.*,*) # authadm assign Administrator 'company.customauth.*' authadm added auth for role Administrator Use the list argument with the authadm command to verify the authorization assignment, for example: # authadm list Administrator: (hpux.*, *) (company.customauth.*, *) 8.5.3 Configuring Additional Command Authorizations and Privileges You must define any additional commands that are not provided in the default configuration. The authorizations needed to run the commands must already exist and must be assigned to a role. If you have not done this, the command will be configured, but no user will be appropriately authorized to use the command. Use the cmdprivadm command to edit a command's authorization and privilege information. The cmdprivadm command works in a similar fashion to roleadm and authadm, but only allows addition and removal of a command privilege and authorization in the privrun database. The following shows the cmdprivadm command syntax: cmdprivadm add cmd=full_path_name_of_a_command | full_path_name_of_a_file |[op=operation]|[object=object] |[ruid=ruid]|[euid=euid] |[rgid=rgid]|[egid=egid] |[compartment=compartment_label] |[privs=comma_separated_privilege_list] 158 HP-UX Role-Based Access Control |[re-auth=pam_service_name] |[flags=comma_separated_flags_list] cmdprivadm delete cmd=full_path_name_of_a_command | full_path_name_of_a_file |[op=operation]|[object=object] |[ruid=ruid]|[euid=euid] |[rgid=rgid]|[egid=egid] |[compartment=compartment_label] |[privs=comma_separated_privilege_list] |[re-auth=pam_service_name] |[flags=comma_separated_flags_list] The following is a list and brief description of the two main cmdprivadm command arguments: add Adds command (or file) authorization information to the /etc/rbac/cmd_priv database. delete Deletes command (or file) authorization information in the /etc/rbac/cmd_priv database. The following example demonstrates the most common cmdprivadm arguments: # cmdprivadm add cmd=/opt/customcmd \ op=companyname.customcommand ruid=0 euid=0 flags=edit \ /opt/customcmd::(companyname.customcommand,*):0/0/-1/-1::::edit cmdprivadm added the entry to /etc/rbac/cmd_priv As shown in the previous example, the cmd_priv file database file contains a field for flag values. Be sure to consider the value of the cmdprivadm flags when configuring command or file authorization and privilege information. The privrun command recognizes one defined flag, KEEPENV. If the KEEPENV flag is set in the cmd_priv file for a particular command, none of the environment variables will be scrubbed when privrun wraps that particular command. For privedit, you can specify flag values to indicate whether or not privedit can edit a file. Additional flag values can be specified to indicate whether privrun can execute a command. The following are the supported flag values: flag=empty or any other token Indicates the file can only be executed and cannot be edited. flag=edit Indicates the file can be both edited and executed. This flag is mainly intended for scripts. flag=noexec Indicates the file cannot be executed and can only be edited with privedit. 8.5 Configuring HP-UX RBAC 159 NOTE: See cmdprivadm(1M) for information on all of the cmdprivadm arguments. Most arguments are optional and are filled in with reasonable defaults if nothing is specified. NOTE: To modify an existing entry in the /etc/rbac/cmd_priv file, you must first delete the entry and then add the updated version back in. When you use cmdprivadm to delete entries, arguments act as filters. For example, specifying the cmdprivadm delete op=foo command removes all entries where the operation is foo. As a result of this, when you use cmdprivadm to delete entries, be careful to ensure that you specify sufficient arguments to uniquely identify the entries to be removed. 8.5.4 Configuring HP-UX RBAC with Fine-Grained Privileges Applications communicate with the system's resources using system calls, allowing the operating system access to system resources. Certain system calls require special, elevated privileges for the application to access the operating system and system hardware. Before fine-grained privileges were available, UID=0 would satisfy as a special, elevated privilege for certain system calls. If the UID was not 0, the system call was denied and an application error returned. HP-UX RBAC and specifically the privrun wrapper command allows non-root users to acquire the level of special privileges or UID=0 required for running certain applications. In addition to providing UID=0 to a non-root user in certain circumstances to run a particular application, HP-UX RBAC can also use the fine-grained privileges to run applications with additional privileges, but without UID=0. You can use HP-UX RBAC to configure commands to run with only a select set of privileges and with different sets of privileges for different users, all without UID=0. For example, an administrator might need to run the foobar command with several privileges, and a normal user might need far fewer privileges to run foobar. Think of fine-grained privileges as "system call access control check keys." Rather than checking for UID=0, the system call checks for a particular privilege. These fine-grained privileges provide the ability to "lock" system calls and to control application access to the operating system and hardware resources. Also, by splitting privileges into finely-grained privileges, applications do not require all privileges to run—only a specific privilege or set or privileges. Should an application process running with a particular set of privileges be compromised, the potential damage is far less than it would be if the process was running with UID=0. NOTE: See privileges(5) for more information fine-grained privileges. Use the cmdprivadm command and the privs option to configure commands for privrun to wrap and run only with the specified privileges. The following is an example cmdprivadm command that configures the /usr/bin/ksh command to run with the 160 HP-UX Role-Based Access Control BASICROOT compound privilege and that requires the (hpux.adm.mount, *) authorization: # cmdprivadm add cmd=/etc/mount op=hpux.adm.mount object='*' privs=BASICROOT The preceding cmdprivadm command creates an entry in the /etc/rbac/cmd_priv file as follows: #-------------------------------------------------------------------------------------------------------# Command : Args :Authorizations :U/GID :Cmpt :Privs :Auth :Flags #----------------:--------:---------------------:------:-------:----------:------:------------------/etc/mount :dflt :(hpux.adm.mount,*) :/// :dflt :BASICROOT :dflt : After you create the entry using cmdprivadm and using privrun to wrap the command,/etc/mount will run with the elevated privilege of the BASICROOT compound fine-grained privilege and without UID=0 if the user has the (hpux.adm.mount, *) authorization. As described in Section 8.6.1, the privrun -p command option matches only the entries in the /etc/rbac/cmd_priv database file that have the privileges specified by the -p option. Be aware when you specify a privilege using the privrun -p option that privrun will match all entries that contain the specified privilege—including groups of privileges and compound privileges that include the -p specified privilege. The privrun command will execute according to the first match in /etc/rbac/cmd_priv. For example, the following is an example privrun -p command and a list of entries the command will match in /etc/rbac/cmd_priv: The command: # privrun -p MOUNT /etc/mount matches the following /etc/rbac/cmd_priv entries: #--------------------------------------------------------------------------------------------------------------# Command : Args :Authorizations :U/GID :Cmpt :Privs :Auth :Flags #----------------:--------:-------------------:------:------:---------------------------------------:-----:----/etc/mount :dflt :(hpux.adm.mount,*) :/// :dflt :PRIV_CHOWN, MOUNT :dflt : /etc/mount :dflt :(hpux.*,nfs) :/// :dflt :MOUNT, PRIV_RTPRIO, PRIV_MLOCK :dflt : /etc/mount :dflt :(hpux.adm.*,*) :/// :dflt :BASICROOT :dflt : 8.5 Configuring HP-UX RBAC 161 NOTE: The privrun -p MOUNT /etc/mount command matches the BASICROOT privilege because the MOUNT simple privilege is part of the predefined BASICROOT compound privilege. See the privileges(5) manpage for more information about simple and compound privileges. IMPORTANT: The sequence of the entries in /etc/rbac/cmd_priv is important because privrun will execute according to the first explicit match it finds. In the preceding example, while all three entries are considered matches to the privrun command, privrun would execute the first entry. Keep the sequence of the entries in mind when configuring commands and authorizations. The cmdprivadm tool adds entries to the bottom of the /etc/rbac/cmd_priv file. 8.5.5 Configuring HP-UX RBAC with Compartments HP-UX RBAC can also use compartments to configure applications to run in a particular compartment. With compartments, you can logically partition a system into compartments so that a process cannot communicate or access resources outside of its compartment (unless a compartment rule is set up to allow this). The following is an example cmdprivadm command that configures the /sbin/init.d/hpws_apache command to run only in the apache compartment, which is defined by the /etc/cmpt/apache.rules compartment rule: # cmdprivadm add cmd='/sbin/init.d/hpws_apache -a start' \ op=hpux.network.service.start object=apache compartment=apache The preceding cmdprivadm command creates an entry in the /etc/rbac/cmd_priv file, as follows: #--------------------------------------------------------------------------------------------------------------# Command : Args :Authorizations :U/GID :Cmpt :Privs :Auth :Flags #-------------------------:--------:------------------------------------:--------------:--------:-------:------/sbin/init.d/hpws_apache :start :(hpux.network.service.start,apache) :/// :apache :dflt :dflt : After you create the entry using cmdprivadm and using privrun to wrap the command, authorized users can execute the /sbin/init.d/hpws_apache -start command, and it will run only in the apache compartment. The compartment tag for the process is changed to apache, and properties of the process will follow the defined apache compartment rules. 162 HP-UX Role-Based Access Control NOTE: Use only the cmdprivadm command to configure compartments for commands. Do not edit the /etc/rbac/cmd_priv database file without using cmdprivadm. To modify an existing entry in the /etc/rbac/cmd_priv file, you must first delete the entry and then add the updated version back in. When you use cmdprivadm to delete entries, arguments act as filters. For example, specifying the cmdprivadm delete op=foo command removes all entries in which the operation is foo. As a result of this, when you use cmdprivadm to delete entries, be careful to ensure that you specify sufficient arguments to uniquely identify the entries to be removed. 8.6 Using HP-UX RBAC This section explains how to run the privrun and privedit commands to operate HP-UX RBAC. 8.6.1 Using the privrun Command to Run Applications with Privileges The privrun command enables a user to run legacy applications with different privileges, according to the authorizations associated with the invoking user. The user invokes privrun, specifying the legacy application as command line arguments. Next, privrun consults the /etc/rbac/cmd_priv database to determine what authorization is required to run the command with additional privileges. If the user has the necessary authorization, privrun invokes the specified command after changing its UID and or GID as specified in the /etc/rbac/cmd_priv database. The following is the privrun command syntax: privrun [options] command [args] | [-u eUID|username] | [-g eGID|groupname] | [-U rUID|username] | [-G rGID|groupname] | [-a (operation, object)] | [-c compartment] | [-p privilege[,privilege,privilege...]] | [-x] | [-v [-v]] | [-h] | [-t] The following list explains each of the privrun command options: -u Matches only those entries containing the effective user ID (EUID) corresponding to the specified EUID or the EUID associated with the username. -g Matches only those entries containing the effective group ID (EGID) corresponding to the specified EGID or the EGID associated with the group name. -U Matches only those entries containing the real user ID (RUID) corresponding to the specified RUID or the RUID associated with the username. 8.6 Using HP-UX RBAC 163 -G Matches only those entries containing the real group ID (RGID) corresponding to the specified RGID or the RGID associated with the group name. -a Matches only those entries requiring the specified authorization. Authorization is defined as (operation, object) pairs in the /etc/rbac/cmd_priv database file. The specified authorization must exactly match the authorization present in the /etc/rbac/cmd_priv file—wildcards are not supported. -c Matches the specified compartment in the /etc/rbac/cmd_priv database file. The specified compartment must exactly match the compartment present in /etc/rbac/cmd_priv. -p Matches the specified privileges with the privileges in the /etc/rbac/cmd_priv database file. You can specify more than one privilege. When specifying multiple privileges, separate each privilege with a comma. Be aware when you specify a privilege using the privrun -p option that privrun will match all entries that contain the specified privilege—including groups of privileges and compound privileges that include the -p specified privilege. The privrun command will execute according to the first match in /etc/rbac/cmd_priv. -x Uses a fall-through mode that modifies the behavior of privrun only when an authorization or authentication check fails. Rather than exiting with an error message, the target command runs, but without any additional privileges. The target command executes as though the user ran the command directly without privrun. -v Invokes privrun in verbose mode. The verbose level increases if two -v options are specified. An increased verbose level prints more information. -h Prints privrun help information. -t Uses a test mode that performs all the normal authorization and authentication checks according to the configuration files to see if the desired privrun invocation will succeed. The only difference is that instead of executing the command, upon success, privrun -t just returns. Use this to preview whether a given privrun invocation will succeed. The following is an example of the most basic privrun usage—wrapping a legacy application. In this case, the ipfstat command runs as a privrun command argument in order to run according to the authorizations associated with the invoking user: # privrun ipfstat As long as the user logged in has the necessary authorization, defined in /etc/rbac/cmd_priv, the privrun wrapper command will execute the legacy command with the privileges (UID and GID) defined in the /etc/rbac/cmd_priv entry. Multiple entries can exist for the same command, potentially with different required authorizations and different resulting privileges. In this case, privrun iterates sequentially through the /etc/rbac/cmd_priv database, executing the first command the user is authorized for. 164 HP-UX Role-Based Access Control In some cases, this may not be ideal. For example, all users may be allowed to run the passwd command to change their own password but if a user administrator runs it, they need the privileges to change other users' passwords. If the entry for all the normal users is listed before the entry for the user administrators, it is executed first, and this might prevent the user administrators from running the more privileged version. For cases like this, privrun has options that allow users to specify the desired privileges. Only entries matching the specified privileges (for example, UID) are used. If no entries match the desired privileges, privrun returns an error message. The following is an example invocation of privrun that matches only entries where the effective UID is set to 0: # privrun -u 0 ipfstat NOTE: See the privrun(1M) and rbac(5) manpages for more about using the privrun command. 8.6.1.1 HP-UX RBAC in Serviceguard Clusters Serviceguard does not support the use of HP-UX RBAC and privrun to grant access to Serviceguard commands. Serviceguard version A.11.16 implemented its own Role-Based Access Control by specifying Access Control Policies through package and cluster configuration files, providing cluster-aware policies for Serviceguard operations. The Serviceguard mechanism must be used for Role Based Access Control of Serviceguard operations. See the latest Managing Serviceguard document for additional details on Serviceguard Access Control Policies. HP-UX RBAC can be used with non-Serviceguard commands in a Serviceguard cluster. The same HP-UX RBAC rules should be applied to all nodes in the cluster. 8.6.2 Using the privedit Command to Edit Files Under Access Control The privedit command allows authorized users to edit files they usually would not be able to edit because of file permissions or ACLs. After you invoke the command and identify the file you want to edit as an argument, privedit checks the /etc/rbac/cmd_priv database, just as privrun does, to determine the authorization required to edit the specified file. If the invoking user is authorized to edit the file, privedit invokes an editor on a copy of the file. NOTE: When you use privedit to invoke an editor to edit a file, the editor does not run with any elevated privileges. Because the editor privedit invokes does not run with elevated privileges, any attempted actions, such as shell escapes, run with the user's typical (non-elevated) privilege set. You can specify which editor privedit uses to edit the file by setting the EDITOR environment variable. If you do not set the EDITOR variable, privedit uses the default editor, vi. You cannot pass arguments to the editor via the privedit command line. 8.6 Using HP-UX RBAC 165 However, the editor recognizes and supports editor-specific environment variables if you set them before invoking privedit. Use a fully qualified file name as a privedit argument to identify which file to edit. If you do not use a fully qualified file name, privedit adds the current working directory to the beginning of the file name you specify. Regardless of how you specify the file to edit, all file names are fully qualified after you invoke privedit. The privedit command also recognizes and supports files that are symbolic links. The privedit command can edit only one file at a time. If you specify multiple file names as privedit arguments, privedit edits the first file specified and ignores the subsequent file names. The following shows the privedit command syntax: privedit [option] fully-qualified-file-name | [-a (operation, object)] | [-v] | [-h] | [-t] | [-x] The following is a list and brief description of the privedit command options: -a authorization Match only the /etc/rbac/cmd_priv file entries with that have the specified authorization. -v Invokes privedit in verbose mode. -h Prints privedit help information. -t Checks if the user has the required authorization to edit the file and reports the results. -x If the authorization check fails, the file will be edited with the caller's original privileges. The following is an example of using a privedit command to edit the /etc/default/security file with the specific authorization of (hpux.sec.edit, secfile): # privedit -a "(hpux.sec.edit, secfile)" /etc/default/security NOTE: Remember that the flag values for each entry in the cmd_priv database dictate whether or not privedit can edit a file. See “Configuring Additional Command Authorizations and Privileges” and the privedit(1M) manpage for more information about flags and using the privedit command. 8.6.3 Customizing privrun and privedit Using the ACPS The HP-UX RBAC feature provides the ability to customize how privedit and privrun check user authorizations. The ACPS module is a customizeable interface that provides responses to applications that must make authorization decisions. The ACPS configuration file, /etc/acps.conf, controls the following aspects of the ACPS: 166 HP-UX Role-Based Access Control • which modules are consulted for making access decisions • the sequence in which the modules are consulted • the rules for combining module responses to return results to applications See Section 8.3.1, and acps.conf(4), acps(3), and rbac(5) for more information about the ACPS. 8.6.4 Generating Keystroke and Command Logs An authorized user can generate "keystroke logs" for selected users, as well as generate a log of commands invoked through RBAC without the need for the HP-UX audit system. This section describes these features: • Keystroke logging • Alternate logging 8.6.4.1 Keystroke Logging In many situations, it is sufficient to simply log the set of privilege commands invoked by a user. RBAC has supported this functionality since its initial release with the HP-UX audit system. There are some situations, however, where this coarse level of logging is insufficient. For example, there are some legislative compliance regulations that require that all actions performed by an administrator are logged, not just the privileged actions. There are situations where it is desirable to only log in the event that certain files or objects are accessed. And there are situations where selected users are granted "unconstrained root privileges", such as a root shell under the caveat that all of their actions are logged. These uses are granted maximum administrative flexibility. Keystroke logging enhances the logging capability. RBAC provides a PAM module that you can configure to log a user's entire terminal session, or relevant parts of a session based on keyword "triggers". You can customize this keystroke logging policy to capture session logs for particular users, roles, and groups. In order to enable this functionality, an administrator must perform the following steps after installing the RBAC product depot: 1. Create an entry (or entries) in the PAM configuration file (/etc/pam.conf) including the keystroke library as a session module: login dtlogin sshd rcomds OTHER 2. session session session session session optional optional optional optional optional libpam_keystroke.so.1 libpam_keystroke.so.1 libpam_keystroke.so.1 libpam_keystroke.so.1 libpam_keystroke.so.1 Note that this module may be configured for one or more services, depending on the intended effect of the logging. For more information on pam.conf and the syntax of the entries, see pam.conf(4). Enable keystroke logging in /etc/rbac/rbac.conf: 8.6 Using HP-UX RBAC 167 KEY_STROKE_LOGGING = 1 3. Create a keyfilter file under /etc/rbac specifying what users to log. For more information on customizing specific policies, see key_filter(4m). Once these steps are completed, subsequent access by the targeted users will cause a keystroke log file to be generated and stored in the location specified in /etc/rbac/rbac.conf file. Note that in the event that a user has privileged access to this location (for example, they are granted a root shell), they may be able to modify these files. In this situation, HP recommends that modification of the files be monitored (for example, by HP-UX Host IDS) or that they periodically be transferred off-host. NOTE: login. The keystroke logging feature does not currently work with Secure Shell (SSH) 8.6.4.2 Alternate Logging The alternate logging feature enables you to log access control events and RBAC-invoked commands. It is no longer necessary to enable HP-UX auditing to generate RBAC logs. An administrator can enable RBAC logging and specify the location of the alternate logging files simply by editing the /etc/rbac/rbac.conf file. For more information on the specific keyword/value pairs, see rbac_conf(4m). Alternate logging works in an identical fashion to the audit logging and may be configured using the /etc/rbac/aud_filter file. The traditional RBAC audit log generation continues to work. If both auditing and logging are enabled, two sets of logs will be generated. 8.7 Troubleshooting HP-UX RBAC The following is a list of the primary mechanisms used to troubleshoot and debug HP-UX RBAC: • • The rbacdbchk utility verifies HP-UX RBAC database syntax. The privrun -v command reports additional and relevant information. 8.7.1 The rbacdbchk Database Syntax Tool The most common bugs are caused by manual editing of the HP-UX RBAC databases, resulting in syntactically invalid configurations or in configurations that are inconsistent between databases (for example, a role in /etc/rbac/user_role that is not defined in /etc/rbac/roles). To assist in diagnosing these common mistakes, HP-UX RBAC includes an rbacdbchk command. This command reads through the HP-UX RBAC databases and prints warnings where incorrect or inconsistent configuration entries are found: # rbacdbchk [/etc/rbac/user_role] chandrika: UserOperator invalid user The value 'chandrika' for the Username field is bad. 168 HP-UX Role-Based Access Control [/etc/rbac/cmd_priv] /opt/cmd:dflt:(newop,*):0/0//:dflt:dflt:dflt: invalid command: Not found in the system The value '/opt/cmd' for the Command field is bad. [Role in role_auth DB with no assigned user in user_role DB] Rebooter:(hpux.admin.*, *) [Invalid Role in user_role DB. Role 'UserOperator' assigned to user 'chandrika' does not exist in the roles DB] On a correctly configured system, the rbacdbchk command produces no output, indicating no errors are present. 8.7.2 privrun -v Information The second method for detecting problems is to run the privrun command with the -v option (verbose mode). In verbose mode, privrun provides additional information about the entries that the input command matched and the status of the authorization checking, as well as other relevant data. In many cases, this output clarifies the issue causing privrun to fail. Specify the -v option multiple times for additional levels of verbose output. The following is an example of the privrun -v output with the ipfstat command: # privrun -v /sbin/ipfstat privrun: user root intends to execute command /sbin/ipfstat privrun: input entry: '/sbin/ipfstat:dflt:(,):///:dflt:dflt::' privrun: found matching entry: '/sbin/ipfstat:dflt:(hpux.network.filter.readstat,*):0/0//:dflt:dflt::' privrun: passed authorization check privrun: attempting to set ruid/euid/rgid/egid to 0/0/-1/-1 privrun: current settings for ruid/euid/rgid/egid are 0/0/3/3 privrun: executing: /sbin/ipfstat 8.7 Troubleshooting HP-UX RBAC 169 170 9 Audit Administration The purpose of auditing is to selectively record events for analysis and detection of security breaches. The audit data is recorded in log files. Thus, the auditing system acts as a deterrent against system abuses and exposes potential security weaknesses. The auditing system records instances of access by subjects to objects on the system; it detects any (repeated) attempts to bypass the protection mechanism and any misuses of privileges; it also helps in exposing potential security weaknesses in the system. When a user logs in, a unique audit session ID called "audit tag" is generated and associated with the user's process. The audit tag remains the same during each login session. Even if a user changes identity within a single session, all events are still recorded with the same audit tag and accountable under the original login user's name. Audit records are generated for selective security related system events. Each audit record contains information about the event, such as what the event was, when it occurred, the ID of the user who caused it, the ID of the process that caused it and so on. Audit records are collected in audit logs/files in binary format. The HP-UX Auditing system on the HP-UX 11i v3 release is capable of using more than one writer thread to log data. Each writer thread writes to one file, allowing an audit trail to be written in parallel by multiple kernel threads and hence potentially increasing the throughput of the system. As a result, an audit trail is present on the file system as a directory with multiple audit files in it. The records in the audit trail are compressed to save disk space. When a process is audited the first time, a process identification record (PIR) is written into the audit trail containing information that remains constant throughout the lifetime of the process. The PIR includes the process ID, the parent process' ID, audit tag, real user ID, real group ID, effective user ID, effective group ID, group ID list, effective, permitted, and retained privileges, compartment ID, and the terminal ID. The PIR is entered only once per process per audit trail. This • • • • • • • • • chapter discusses the following topics: Auditing components (Section 9.1) Auditing your system (Section 9.2) Auditing users (Section 9.3) Auditing events (Section 9.4) Audit trails (Section 9.5) Audit filtering tools (Section 9.6) Using filter.conf (Section 9.7) Audit reporting tools (Section 9.8) Viewing audit logs (Section 9.9) 171 • • Self-auditing (Section 9.10) HP-UX RBAC auditing (Section 9.11) 9.1 Auditing Components The auditing feature of HP-UX 11i contains configuration files, commands, and manpages. These are listed in the following sections. 9.1.1 Commands Table 9-1 contains a brief description of each auditing command. Table 9-1 Audit Commands Command Description audevent Changes or displays event or system call status. audfilter Loads, clears, and displays the audit filtering policy. auditdp Selectively reads and writes audit data, converting the data format in the process. audisp Displays the audit records. audomon Sets the audit file monitoring and size parameters. audsys Starts and stops auditing; sets and displays audit file or directory information. userdbset Selects users to be audited. 9.1.2 Audit Configuration Files Table 9-2 contains a brief description of each configuration file associated with the audit feature. Table 9-2 Audit Configuration Files File Description /etc/audit/audit.conf File containing pre-defined event classification information. /etc/audit/ audit_site.conf File containing site-specific event classification information. /etc/default/security File containing system-wide auditing defaults. 172 /var/adm/userdb Database containing per-user audit information. /etc/rc.config.d/ auditing File containing configuration information directing audit to start at system reboot. /etc/audit/ filter.conf File containing rule-based audit filtering policy. Audit Administration 9.1.3 Audit Manpages Table 9-3 contains a brief description of each manpage associated with the auditing feature. Table 9-3 Audit Manpages Manpage Description audevent(1M) Describes audevent functionality and syntax. audisp(1M) Describes audisp functionality and syntax. audomon(1M) Describes audomon functionality and syntax. audsys(1M) Describes audsys functionality and syntax. userdbset(1M) Describes userdbset functionality and syntax. audit.conf(4) Describes the /etc/audit/audit.conf file. audit(5) Gives introductory information about HP-UX auditing. audfilterd(1M) Describes the service daemon, audfilterd, that manages the audit pre-filtering policy. audfilter(1M) Describes the tool that configures the audit pre-filtering policy. filter.conf(4) Describes the file containing the rule-based audit pre-filtering policy. auditdp(1M) Describes the audit data processing tool. audit_dpms_api(3) Describes the Audit DPMS application programming interface. audit_dpms_spi(3) Describes the Audit DPMS Service Provider Interface. audit_dpms_filter(4) Describes the configuration file for filtering Audit DPMS data. audit_dpms(5) Describes the Audit Data Process Module Switch. audit_hpux_portable(5) Describes the Audit DPMS service module for managing portable format audit data. audit_hpux_raw(5) Describes the Audit DPMS service module for managing HP-UX raw audit data. audit_hpux_xml(5) Describes the Audit DPMS service module for generating XML format audit data. 9.2 Auditing Your System Use the following procedures to plan, enable, and monitor auditing on your system. 9.2.1 Planning the Auditing Implementation To plan the auditing implementation, follow these steps: 9.2 Auditing Your System 173 1. 2. Determine which users to audit. By default, all users are selected for auditing. Determine which events or system calls to audit. Use the audevent command to display a list of events and system calls that are currently selected for auditing. Events and system calls can be grouped into profiles. For more information on profiles, see Section 9.4. 3. 4. Decide where you want to place the audit log files (audit trails) on the system. For more information on configuring the audit log files, see Section 9.5. Create a strategy to archive and back up audit files. Audit files can take up a considerable amount of disk space and can overflow the file system partition if you do not carefully plan file management. Use the -X option with the audomon command to automate archiving. For additional information about auditing system performance and administration that can help you plan the auditing implementation, see Section 9.2.5 and Section 9.2.6. 9.2.2 Enabling Auditing To enable auditing on the system, follow these steps: 1. 2. Configure the users you want to audit using the userdbset command. For more information on configuring auditing for users, see Section 9.3. Configure the events you want to audit using the audevent command. For example, to audit according to MySitePolicy, enter the following command: # audevent -P -F -r MySitePolicy MySitePolicy must be defined in the /etc/audit/audit_site.conf file. Use the audevent command with no options to display a list of events and system calls that are currently configured for auditing. For more information on configuring auditing for events, see Section 9.4. 3. Set the audevent argument parameters in the /etc/rc.config.d/auditing file to enable the auditing system to retain the current configuration parameters when the system is rebooted. For example to retain the parameters configured in step 2, set the parameters as follows: AUDEVENT_ARGS1 = –P –F –r MySitePolicy 4. Start the auditing system and define the audit trail(s) using the audsys command: #audsys -n -c primary_audit_file -s 1000 For more information on configuring audit trails, see Section 9.5.1. 5. 174 Set up the log files and log file switch parameters in the /etc/rc.config.d/ auditing file. Follow these steps: a. Set PRI_AUDFILE to the name of the primary audit log file. b. Set PRI_SWITCH to the maximum size of the primary audit log file (in KB), at which audit logging switches to the auxiliary log file. Audit Administration c. Set SEC_AUDFILE to the name of the auxiliary log file. d. Set SEC_SWITCH to the maximum size of the secondary audit log file (in KB). For more information about setting up primary and auxiliary audit log files, see Section 9.5. 6. Start the audomon daemon if it has not yet been started. The audomon daemon monitors the growth of the current audit trail and switches to an alternative audit trail whenever necessary. For example: #audomon -p 20 -t 1 -w 90 -X "/usr/local/bin/rcp_audit_trail hostname" 7. 8. For more information about configuring the audomon daemon, see Section 9.5.2 Set the audomon argument parameter in the /etc/rc.config.d/auditing file to retain the current settings across system reboots. Set the AUDITING flag to 1 in the /etc/rc.config.d/auditing file to enable the auditing system to automatically start when the system is booted. 9.2.3 Disabling Auditing To disable auditing on the system, follow these steps: 1. Stop system auditing using the following command: # audsys -f 2. 3. Set the AUDITING flag to 0 in the /etc/rc.config.d/auditing file to prevent the auditing system from starting when the system is rebooted. (Optional) To stop the audomon daemon, enter: # kill `ps -e | awk '$NFS~ /audomon/ {print $1}'` Only use this step if you want to reconfigure the audomon daemon. To reconfigure and restart the audomon daemon, follow step 6 and step 7 as described in Section 9.2.2. 9.2.4 Monitoring Audit Files To view, monitor, and administer the audit files, follow these steps: 1. View the audit log files with the audisp command: # audisp audit_file See “Viewing Audit Logs” for details on using the audisp command. 2. 3. Set the audit log file monitor arguments in the /etc/rc.config.d/auditing file. (Optional) Stop system auditing using the following command: 9.2 Auditing Your System 175 #audsys -f The audsys -f command lets you stop the system auditing while keeping the audomon daemon running. 4. (Optional) Set the AUDIT flag to 0 in the /etc/rc.config.d/auditing file to keep the auditing system from starting at the next system reboot. 9.2.5 Performance Considerations Auditing increases system overhead. When performance is a concern, be selective about what events and users are audited. This can help reduce the impact of auditing on performance. 9.2.6 Guidelines for Administering the Auditing System Use the following guidelines when administering the system: • • • • • • • • Check the audit logs according to the security policy. For example, a security policy might state that an online audit file should be retained for at least 24 hours and all audit records stored offline should be retained for a minimum of 30 days. Review the audit log for unusual activities, such as: late hours login, login failures, failed access to system files, and failed attempts to perform security-relevant tasks. Prevent the overflow of the audit file by archiving daily. Revise current selectable events periodically, especially after installing new releases of HP-UX, since new system calls are often introduced in new releases. Revise audited users periodically. Do not follow any pattern or schedule for event or user selection. Set site guidelines. Involve users and management in determining these guidelines. If the audit data volume is expected to be high, configure audit trails on a logical volume consisting of multiple physical disks and multiple physical I/O cards. Use the -N option with audsys command to split the audit trail into multiple files. 9.3 Auditing Users By default, when system auditing is on, all users are audited. New users added to the system are automatically audited. You can monitor what users are doing on HP-UX systems by inspecting the audit trail. To change which users are audited, choose one of the following options: • Audit all users. Perform the following steps to enable auditing for all users: 1. Set AUDIT_FLAG=1 in the /etc/default/ security file to enable auditing globally for all users. 2. Run the command userdbget -a | grep AUDIT_FLAG=0 to determine for which users, if any, auditing is disabled on a per-user basis. Then run the 176 Audit Administration command userdbset -u user AUDIT_FLAG=1 or userdbset -d -u user AUDIT_FLAG for each of those users. By default, auditing is enabled for all users when the audit system is turned on. New users added to the system are automatically audited. If auditing is turned off for all users, set AUDIT_FLAG=1 in the /etc/default/ security file. • Do not audit any users. Perform the following steps to disable auditing for all users: 1. Set AUDIT_FLAG=0 in the /etc/default/ security file to disable auditing globally for all users. 2. Run the command userdbget -a | grep AUDIT_FLAG=1 to determine for which users, if any, auditing is enabled on a per-user basis. Then run the command userdbset -u user AUDIT_FLAG=0 or userdbset -d -u user AUDIT_FLAG for each of those users. • Audit specific users. Perform the following steps to enable auditing for only certain users: 1. Set AUDIT_FLAG=0 in the /etc/default/ security file to disable auditing globally for all users. 2. Run the command userdbget -a | grep AUDIT_FLAG=1 to determine for which users, if any, auditing is enabled. To disable auditing for any of those users listed as being audited, run the command userdbset -u user AUDIT_FLAG=0 or userdbset -d -u user AUDIT_FLAG. To enable auditing for those users with no per-user AUDIT_FLAG attribute set, run the command userdbset -u user AUDIT_FLAG=1. If the audit system is not already enabled, use the audsys -n command to start the auditing system. Auditing changes take effect at the user's next login. 9.4 Auditing Events An event is an action with security implications, such as creating a file, opening a file, or logging in to the system. You can audit events on an HP-UX system to enhance security by detecting possible breaches. However, the more events you choose to audit, the more system resources are used and the greater the impact on system performance. The security architect must determine which events to audit based on business needs and any applicable government regulations. The audevent command is used to specify system activities (auditable events) that are to be audited. Auditable events are classified into event categories and profiles for easier configuration. A profile consists of a set of operations (event categories, self-auditing 9.4 Auditing Events 177 events, and system calls) that affect a particular type of system. An event category consists of a set of operations (self-auditing events and system calls) that affect a particular aspect of the system. Once an event category or a profile is selected, all system calls and self-auditing events associated with the event category or profile are selected. When the auditing system is installed, a default set of event classification information is provided in the /etc/audit/audit.conf file. Additional, site-specific classifications and profiles may also be defined in the /etc/audit/audit_site.conf file. NOTE: HP recommends that you audit the following event categories at a minimum: • admin event • login event • moddac self-auditing event • execv, execve • pset event These event categories are predefined as the basic profile in the /etc/audit/ audit.conf file. Configure the events you want to audit before you turn on the auditing system. The syntax for the audevent command is as follows: # audevent [options] Changes made by running the audevent command take effect immediately. The following options are commonly used with the audevent command: Table 9-4 audevent Command Options audevent options Description -e event Specifies an event to log. -F Logs unsuccessful event operations. -l Displays a complete list of event categories and associated system calls. -P Logs successful event operations. -r profile Specifies the profile of events to log. Profiles are defined in the /etc/audit/ audit.conf file. -S or -s system_call Changes event or system call audit status. no option Displays the current status of the selected events or system calls. To configure the admin, login, and modaccess event categories for auditing, enter the following command: # audevent -P -F -e admin -e login -e moddac 178 Audit Administration To configure the events associated with the basic profile for auditing, use the following command: # audevent -P -F -r basic Both Audit Success and Audit Failure are set as event types for monitoring successful and failed events or system calls. Monitoring these three event categories is the minimum event type selection recommended for running a system. Generally, a record is written only if both the event is selected for auditing, and the user initiating the event has been selected for auditing. However, it is expected that some records may still be generated at the time user starts a session and ends a session, even if the user is not selected for auditing. Those records are considered system-wide information that are based on event selection instead of user selection. Programs that do self-auditing can choose to ignore the user selection, but this is not recommended. 9.5 Audit Trails All auditing data is written to an audit trail. In regular mode, an audit trail is stored on a file system in one or more log files that reside in the same directory. The number of log files is directly proportional to the number of kernel threads that are configured for logging audit records (see the audsys -N option). All the files in the directory are needed for meaningful analysis or display. Contrary to regular mode, a compatibility mode is also provided in the HP-UX 11i version 3 release to generate audit trail that is stored in a single file. The compatibility mode is solely supported for backward compatibility and will be obsolete in releases after HP-UX 11i Version 3. See audsys(1M) for more information. When the auditing system is enabled, there must be at least one audit trail pathname specified. The trail pathname and various attributes for the trail can be specified using the audsys command. When the current trail exceeds a predefined capacity (its Audit File Switch (AFS) size), or when the auditing file system on which it resides approaches a predefined capacity (its File Space Switch (FSS) size), the auditing subsystem issues a warning. When either the AFS or the FSS is reached, the auditing subsystem looks for an auxiliary trail. If one is available, recording is switched to the auxiliary trail. If no auxiliary trail is specified, the auditing subsystem creates a new audit trail with the same base name but a different timestamp extension and begins recording to it. The audomon command can be invoked with an option (-X) that specifies a command line to run after a successful audit trail switch to perform some action. Depending on site-specific needs, the command may perform audit trail backup, archival, off site transfer, cleaning up or data reporting. If the audit trail switch is unsuccessful, warning messages are sent to request appropriate administrator action and the current audit trail continues to grow. 9.5 Audit Trails 179 NOTE: 1. With HP-UX 11i version 3, an auxiliary audit trail does not need to be specified; the auditing system does switching of audit trails automatically. 2. If autoswitching failed and the current audit trail continues to grow past the FSS point, all auditable actions are suspended for regular users. The system can be restored by archiving the audit data, or specifying a new audit log file on a file system with space. 3. If other activities consume space on the file system, or the file system chosen has insufficient space for the AFS size chosen, the File Space Switch point can be reached before the Audit File Switch point. Choose a file system with adequate space for the audit log files. You can assess the size of the file systems using the bdf command. HP recommends you configure the log files to reside on a file system with at least 5 MB of available space and with at least 20% of its total file space available. The growth of audit log files is closely monitored by the audit overflow monitor daemon, audomon, to insure that no audit data is lost. 9.5.1 Configuring Audit Trails Use the audsys command to specify the primary audit log file and the (optional) auxiliary audit log file to collect auditing data: #audsys -n -N2 -c my_audit_trail -s 5000 This example starts the audit system and records data in the my_audit_trail directory, using two writer threads. The AFS size is set to 5000K bytes. The audsys command recognizes the following options: -c file|directory Specifies a "current" trail. -f Turns off the auditing system. -n Turns on the auditing system. -N num Specifies the number of active files that comprise an audit trail. -s cafs Specifies cafs, the "current" trail's AuditFileSwitch (AFS) size (in kbytes). -x Specifies the "next" audit trail. file|directory -z xafs Specifies xafs, the "next" trail's AuditFileSwitch (AFS) size (in kbytes). For more information, see audsys(1M) . 180 Audit Administration 9.5.2 Monitoring and Managing Audit Trails The audit overflow monitor daemon (audomon) is used to monitor and manage audit trails. The audomon daemon is started automatically when auditing is started at system boot time (AUDITING=1 in /sbin/init.d/auditing). The audomon daemon can also be started by a privileged user. Once started, the audomon daemon monitors the capacity of the current audit trail and the file system it resides on. The following is an example of how to start the audomon daemon: # audomon -p 20 -t 1 -w 90 -X "/user/local/bin/rcp_audit_trail hostname" This command starts the audomon daemon with the following behavior, assuming the auditing system was started with the following command: # audsys -n -N 2 -c /var/.audit/my_trail -s 400 • • • audomon sleeps at least one minute intervals When the size of the current audit trail reaches 4500 Kb, or the file system that the audit trail resides becomes 80% full, the audomon daemon stops recording data to the current audit trail and starts recording a new audit trail: /var/.audit/my_trail.yyyymmddHHMM After the switch to the new audit trail succeeds, the audomon daemon invokes the following command: sh -c "/usr/local/bin/rcp_audit_trail hostname /var/.audit/my_trail" This script is site specific and may be used to copy the old audit trail, perform data backup or archival functions, and create audit reports. For more information about the audomon daemon, see audomon(1). CAUTION: • If the file system containing the audit trail is full, any non root process that generates audit data will block inside the kernel. Also, if a non root process is connected to the system terminal, it will be terminated. For details see the WARNINGS section of audsys(1M). • The root file system should not be used for storing audit trails to avoid filling up the root file system and causing processes to fail or hang. TIP: HP recommends that you write a script to carry out your long term strategy for data storage and pass it to the audomon daemon using the -X option. The audomon command recognizes the following options: -p fss The minimum percentage of space left on the file system that contains the primary audit log file before the auditing system switches to the auxiliary log file. The default fss value is 20%. 9.5 Audit Trails 181 -t sp_freq The minimum wakeup interval, in minutes, at which the system prints warning messages on the console for audit log file switch points. The default sp_freq value is 1 minute. -w warning The percentage of audit log file space used or minimum file system free space used after which warning messages are sent to the console. The default warning value is 90%. -X command The command is executed each time the audomon switches the audit trail. For more information, see audomon(1M). 9.6 Using the Audit Filtering Tools The audit filtering tools are a set of tools that helps customize and enforce the audit data pre-filtering policy on the system. A good pre-filtering policy is an efficient way to control the size and quality of the raw data and therefore minimizes the performance impact of auditing and reduces the operational cost associated with audit data management. The audit filtering tools consist of the following main components: • A configuration tool, audfilter, that interprets the filtering policy as specified in the configuration file, filter.conf, and puts the policy into effect. You can also use audfilter to display or clear out the filtering policy that is currently in effect. • A service daemon, audfilterd, that handles service requests from audfilter. It also tracks the mounted file system changes and makes sure the filtering policy is up to date with the new mounted file system information. • A dynamic loadable kernel module, audit_filters, that makes filtering decisions and enforces the filtering policy in the kernel. The following options are available with the audfilter command: 182 -c Puts the current rule-based audit filtering policy as specified in /etc/audit/filter.conf into effect. Rules are parsed into an efficient internal format. Note that a given set of rules may be expressed in many different ways, but they are all parsed into the same internal format. A success or failure status will be reported for the request. -C compartment Only displays the filtering rules for the specified compartment. This option must be specified with the -p or -P option. -c system_call Displays the selected system call. -m mntpnt Only displays the filtering rules for the specified mount point. This option must be specified with the -p or -P option. -p Displays the audit filtering policy currently in effect. The rules are not displayed the same way as they were written, but in the order they are evaluated (that is, in the internal format). Audit Administration -P Displays audit filtering policy in preview mode as specified in the /etc/audit/filter.conf file. This option parses the /etc/audit/filter.conf file, checking for syntax and semantic errors, but makes no changes to the system. The rules will not be displayed the same way as they are written, but in the order they will be evaluated (that is, in the internal format). -s syscall Restricts the display to the given system call. This option must be used with the -p or -P option. -z Clears the audit filtering policy currently in effect. Upon success, it effectively disables finer grained audit filtering feature. For more information, see audfilter(1M) 9.7 Using filter.conf The filter.conf file contains rule-based audit filtering policy that the auditing subsystem uses to determine what activities to audit on the system. Each rule consists of two parts: a scope and a condition. All rules together represent a policy. A scope is an identifier for a mounted file system (also called a partition) for file operations, or an identifier for non-file operations. The scope can be any of the following forms: a. The absolute pathname of a mount point that matches one of those in the /etc/mnttab file. b. A pair of major and minor device numbers. c. Special file name or a pair of hostname and pathname of the directory on the remote host. d. Scope in the form of a), b), or c), followed by the keyword all. e. Scope in the form of a), b), or c), followed by the keyword other. f. Scope in the form of the keyword other-objects. See filter.conf(4) for more information. 9.8 Using the Audit Reporting Tools The audit reporting tools are a set of tools that facilitates the processing of previously collected HP-UX raw audit data and extracts useful information for compliance reporting purposes. The audit reporting tools consist of the following main components: • • An audit data processing tool, auditdp, that selectively extracts audit data from a data source in one of several possible formats and writes the data to the target, in the same or different format. An Audit Data Process Module Switch (Audit DPMS) framework that offers the ability to selectively access audit data in various formats through a set of common programming interfaces. 9.7 Using filter.conf 183 • • • • An Audit DPMS service module, audit_hpux_raw, that reads raw audit data collected by the HP-UX auditing system. An Audit DPMS service module, audit_hpux_portable, that handles audit data that is portable across HP-UX systems, and good for retention purpose. Also a sample script, audit_p2l, that demonstrates how to convert the portable data into syslog-like messages. An Audit DPMS service module, audit_hpux_xml, that converts audit data into XML format. Also a sample script, audreport_generator, that demonstrates how to use the auditdp command and the XSLT stylesheets to generate a collection of web-based audit reports for regulation compliance purposes. Sample audit report configuration templates for PCI and SOX that work with the audreport_generator script. The following options are available with the auditdp command: -M module [target] Write audit data to the target using the specified Audit DPMS service module. The target is the pathname of a file where to write the data. The file must not already exist. If the target is omitted, auditdp writes the audit data to the standard output. -O option Specify the options (case insensitive) to be passed to the Audit DPMS framework when writing to the target. -P [target] Write audit data in portable format. Portable format audit data can be ported from system to system and is the recommended format for retention purposes. The target is the pathname of a file where to write the data. The file must not already exist. If the target pathname is not absolute, then the target is assumed to be relative to the current directory. If the target is omitted, auditdp writes the audit data to the standard output. -S filter_file Selectively process audit data based on the Audit DPMS configuration file specified in filter_file. Only the audit data matching the filtering criteria will be included in the target output. -X [target] Write audit data in Extensible Markup Language (XML) format. The target is the pathname of a file where to write the data. The file must not already exist. If the target pathname is not absolute, the pathname is assumed to be relative to the current directory. If the target is omitted, auditdp writes the audit data to the standard output. Applying Extensible Stylesheet Language Transformations (XSLT) stylesheets to the resulting XML document generates "human-readable" web-based audit reports. 184 Audit Administration -m module[source] Read audit data from the source using the specified Audit DPMS service module. The source is the pathname of a file where to read the data. If the source is omitted, auditdp reads the audit data from the standard input. -n nevents Specify the number of events to display. If nevents is positive, process only the first nevents events. If nevents is negative, process only the last nevents events. If -n is not specified, all events are processed. -o options Specify the option (case insensitive) to be passed to the Audit DPMS framework when reading from the source. To specify more than one option, use -o multiple times, or set option to a quoted string containing a list of options separated by spaces. -p [source] Read portable format audit data. The source is the pathname of a file where to read the data. If the source pathname is not absolute, the pathname is assumed to be relative to the current directory. If the source is omitted, auditdp reads the audit data from the standard input. -r [source] Read HP-UX raw audit data that was collected by the HP-UX auditing system (see audit(5)). The source specifies the pathname to a file if the data was collected in compatibility mode, or to a directory if the data was collected in regular mode. If the source pathname is not absolute, the pathname is assumed to be relative to the current directory. -s filter_string Selectively process audit data based on the filter expression specified in the filter_string. For more information, see auditdp(1M) 9.8.1 Examples of Using the auditdp Command The following examples show audit information displayed using the auditdp command: • Read raw data from audit_trail and write portable data to ./portable. #auditdp -r /var/.audit/audit_trail -P portable • Read raw data and write data in the audisp display format to stdout (see Section 9.9). #auditdp -r /var/.audit/audit_trail • Read portable data and display only the last four events to stdout. #auditdp -p portable -n -4 • Read and then write portable data, saving only the login events. 9.8 Using the Audit Reporting Tools 185 #auditdp -p portable -P portable2 -s "+event=login" • Extract exec events from a particular session and write to stdout: #auditdp -r /var/.audit/audit_trail -s "+sid=1234" -P | \ auditdp -p -s "+event=exec" or #auditdp -r /var/.audit/audit_trail -s "+sid=1234;+event=exec" 9.9 Viewing Audit Logs Auditing can generate a significant amount of data. Use the audisp command to select the data that you want to view: #/usr/sbin/audisp audit_trail NOTE: The audisp command will be obsolete in a future release. Invoking /usr/sbin/auditdp -r audit_trail produces the same output as /usr/sbin/audisp audit_trail. The following options are available with the audisp command: -f Displays failed events only. -p Displays successful events only. -c system_call Displays the selected system call. -t Display events that occurred after the given time. -s Displays events that occurred before the given time. -u user-name Displays information for a specific user. -l terminal-name Displays information for a specific terminal. -e event-name Displays information for the given event. > file-name Writes output to specified file. It can take a few minutes to prepare the record for viewing when working with large audit logs. When viewing the audit data, be aware of the following anomalies: • • • Audit data can appear inaccurate when programs that call auditable system calls supply incorrect parameters. The audit data shows what the user program passed to the kernel. For example, calling the kill system call with no parameters produces unpredictable values in the parameter section of the audit record. System calls that take file name arguments may not have device and inode information properly recorded. The values will be -1 if the call does not complete successfully. Auditing the superuser while changing the event or system call audit parameters will result in a long audit record. For example, when you add an event type to be audited, 186 Audit Administration a record will be produced for each event type and system call that has been enabled for audit, not just for the new event type being added. 9.9.1 Examples of Using the audisp Command The following examples show audit information displayed using the audisp command: • Display the log output on the screen: #/usr/sbin/audisp audit_trail • Direct the log output to /tmp/mylogoutput: #/usr/sbin/audisp audit_trail > /tmp/mylogoutput • View successful events only: #/usr/sbin/audisp -p audit_trail • View activities owned by user joe: #/usr/sbin/audisp -u joe audit_trail • View activities on terminal, ttypa: #/usr/sbin/audisp -l ttypa audit_trail • View login events only: #/usr/sbin/audisp -e login audit_trail 9.10 Self-Auditing Some processes invoke a series of actions that can be audited. To reduce the amount of audit log data collected and to provide for more meaningful notations in the audit log files, some of these processes are programmed to suspend auditing of the actions they invoke and produce one audit log entry describing the process that occurred. Processes programmed in this way are called self-auditing programs; using self-auditing programs streamlines audit log data. NOTE: The list of self-auditing processes varies from system to system. Self-auditing processes The following processes have self-auditing capabilities: chfn Change finger entry chsh Change login shell login The login utility newgrp Change effective group passwd Change password 9.10 Self-Auditing 187 audevent Select events to be audited audisp Display the audit data audsys Start or halt the auditing system audusr Select users to be audited init Change run levels, users logging off lpsched Schedule line printer requests fbackup Flexible file backup ftpd File transfer protocol daemon remshd Remote shell server daemon rlogind Remote login server daemon telnetd Telnet server daemon privrun Invokes legacy application.1 privedit Allows authorized users to edit files.1 roleadm Edits role information.1 authadm Edits authorization information.1 cmdprivadm Edits command authorizations and privileges.1 Most self-auditing programs generate audit data under a single event category. For example, the audsys command generates the audit data under the admin event. Some commands generate audit data under multiple event categories. For example, the init command generates data under the login and admin events. 9.11 HP-UX RBAC Auditing The privrun, privedit, roleadm, authadm, and cmdprivadm HP-UX RBAC commands each generate audit records. The following attributes are included in each audit record: • User name • UID • Role • Authorizations (operation, object) • Time of event • Result of event (success or failure) 9.11.1 Auditing Based on HP-UX RBAC Criteria and the /etc/rbac/aud_filter File HP-UX RBAC Version B.11.23.02 and later support the use of an audit filter file to identify specific HP-UX RBAC criteria to audit. You can create a filter file named /etc/rbac/aud_filter to identify specific roles, operations, and objects for which 1. See Chapter 8 for more information. 188 Audit Administration to generate audit records. Audit records are generated only if the attributes of a process match all three entries (role, operation, and object) found in /etc/rbac/aud_filter. If a user's role and associated authorization are not found in the file or do not explicitly match, then no audit records specific to role-to-authorization are generated. Authorized users can edit the /etc/rbac/aud_filter file using a text editor and specify the role and authorization to be audited. Each authorization is specified in the form of operation, object pairs. All authorizations associated with a role must be specified in a single entry. Only one authorization can be specified per role on each line; however, the * wildcard is supported. The following are the supported entries and format for the /etc/rbac/aud_filter file: role, operation, object The following list explains each of the /etc/rbac/aud_filter entries: role Any valid role defined in /etc/rbac/roles. If * is specified, all roles can be accessed by the operation. operation A specific operation that can be performed on an object. For example, hpux.printer.add is the operation of adding a printer. Alternatively, hpux.printer.* is the operation of either adding or deleting a printer. If * is specified, all operations can be accessed by the operation. object The object the user can access. If * is specified, all objects can be accessed by the operation. The following are example /etc/rbac/aud_filter entries that specify how to generate audit records for the role of SecurityOfficer with the authorization of (hpux.passwd, /etc/passwd), and for the Administrator role with authorization to perform the hpux.printer.add operation on all objects. SecurityOfficer, hpux.passwd, /etc/passwd Administrator, hpux.printer.add, * NOTE: Use an editor such as vi to directly edit the /etc/rbac/aud_filter file. The HP-UX RBAC administrative commands do not provide an interface to configure /etc/rbac/aud_filter. For detailed information about RBAC, roles, operations, and objects, see Chapter 8 9.11.2 Procedure for Auditing HP-UX RBAC Criteria The following steps describe how to configure an audit process to audit HP-UX RBAC criteria on the system: 1. Configure the system to audit Passed or Failed events for the Administrator events by using the following command: # audevent -PFe admin 9.11 HP-UX RBAC Auditing 189 2. Configure the location and name of the audit output file and enable auditing on the system by using the following command: # audsys -n -c /tmp/aud.out -s 2048 3. Execute an HP-UX RBAC command, for example: # /usr/sbin/authadm add newauth 4. Open the audit output file and search for the records on the authadm command by using the following command: # audisp /tmp/aud.out |fgrep authadm NOTE: For more information, see audit(5), audevent(1M), audsys(1M), and audisp(1M) to learn more about auditing HP-UX systems. 190 Audit Administration A Trusted Systems This appendix describes how to set up and manage a trusted system. This appendix discusses the following topics: • Setting up a trusted system (Section A.1) • Auditing a trusted system (Section A.2) • Managing trusted passwords and system access (Section A.3) • Guidelines for trusted backup and recovery (Section A.4) NOTE: Trusted Systems has been depreciated. HP-UX 11i v3 is the last release that supports this product. A.1 Setting Up a Trusted System To set up a trusted system, follow these steps: 1. Establish an overall security policy appropriate to your work site. 2. Inspect all existing files on the system for security risks, and remedy them. This is important before you convert to a trusted system. Thereafter, examine the files regularly, or when you suspect a security breach. See Section 5.9 in Chapter 5 3. Back up the file system for later recovery of user files. You should also back up the /etc/passwd file to tape before the conversion. You can use any of the backup and recovery programs provided by HP-UX for the initial backup and recovery. After security features are implemented, however, use only fbackup and frecover, which preserve and restore access control lists (ACLs). For more information, see fbackup(1M) and frecover(1M). 4. Convert to a trusted system. Conversion to a trusted system is a reversible operation. To convert to a trusted system, run HP SMH and click System Security Policies. It will get to the Convert to trusted system prompt. You might receive a confirmation prompt. Press Y to begin the conversion process. When you convert to a trusted system, the conversion program does the following actions: • Creates a new, protected password database in /tcb/files/auth/. • Moves encrypted passwords from the /etc/passwd file to the protected password database and replaces the password field in /etc/passwd with an asterisk (*). • Forces all users to use passwords. • Creates an audit ID number for each user. The audit ID remains unchanged throughout a user's history. It uniquely identifies a user. Note that audit ID is getting deprecated along with Trusted System in HP-UX 11i v3, and is being replaced by audit tag that is dynamically assigned each time a user successfully starts a new login session. See Chapter 9 for more information about audit tags. A.1 Setting Up a Trusted System 191 • • 5. 6. Turns on the audit flag for all existing users. Converts the at, batch, and crontab input files to use the submitter's audit ID. Verify that the audit files are on the system: 1. Use swlist -l fileset to list the installed file sets. Look for the fileset called SecurityMon, which contains the auditing program files. To reduce the listing, enter the following command:# swlist -l fileset | grep Security 2. In addition, verify that the following files (not specified in SecurityMon) also exist: • /etc/rc.config.d/auditing contains parameters to control auditing. You can modify this file with SMH or by hand with a text editor. • /sbin/rc2.d/S760auditing is the script that starts auditing. Do not modify this file. After converting to a trusted system, you can use the audit subsystem and run the HP-UX system as a trusted system. NOTE: On HP-UX 11i v3, an auditing system also works on a system without converting to a trusted system. See Chapter 9 for more information. If you need to convert from a trusted system back to a standard system, run HP SMH and use the Auditing and Security window. The Audited Events, Audited System Calls, and Audited Users screens all provide an unconvert option. TIP: One way to determine if the system has been converted to a trusted system is to look for/tcb files. If they exist, then you have a trusted system. A.2 Auditing a Trusted System Auditing a trusted system is very similar to auditing a system that has not been converted to trusted mode. See Chapter 9 for the information on auditing. The only difference is how to select audited users. On a system that has not been converted to trusted mode, the userdbset command is used to specify those users who are to be audited. See userbdset(1M) and userdb(4). The associated attribute is called AUDIT_FLAG and is described in security(4). On a trusted system, the audusr command specifies those users who are to be audited. See audusr(1M) for more information. A.3 Managing Trusted Passwords and System Access The password is the most important individual user identification symbol. With it, the system authenticates a user to allow access to the system. Because they are vulnerable to compromise when used, stored, or known, passwords must be kept secret at all times. Also see Chapter 2 for password information. 192 Trusted Systems Security Administrator's Responsibilities The security administrator and every user on the system must share responsibility for password security. The security administrator performs the following security tasks: • Generates temporary passwords for new users. This password must be used for first login. When this number has been verified, the new user is prompted for a new password. • Maintains proper permissions on all system files, including the standard password file, /etc/passwd, and the trusted database files, /tcb/files/auth/*. • Establishes password aging. • Manages password reuse. • Deletes or nullifies expired passwords, user IDs, and passwords of users no longer eligible to access the system. User's Responsibilities Every user must observe the following rules: • Remember the password and keep it secret at all times. • Change the initial password immediately; thereafter, change the password regularly. • Report any changes in status and any suspected security violations. • Make sure no one is watching when you enter the password. • Choose a different password for each machine on which you have an account. A.3.1 Password Files A trusted system maintains multiple password files: the /etc/passwd file and the files in the protected password database /tcb/files/auth/ (see “The /tcb/files/auth/ Database”). Each user has an entry in two files, and login looks at both entries to authenticate login requests. All passwords are encrypted immediately after entry and stored in /tcb/files/auth/user-char/user-name, the user's protected password database file. Only the encrypted password is used in comparisons. Do not permit any empty (null) password fields in either password file. On trusted systems, the password field in /etc/passwd is ignored. A user with an empty password will be forced to set a password upon login on a trusted system. However, even this leaves a potential for a security breach, anyone logging in to this account is required to set the password. Do not edit the password files directly. Use HP SMH, useradd, userdel, or usermod to modify password file entries. A.3.1.1 The /etc/passwd File A trusted system uses the /etc/passwd file to identify a user at login time. The file contains an entry for every account on the HP-UX system. Each entry consists of seven fields, separated by colons. A typical entry for /etc/passwd in a trusted system looks like this: A.3 Managing Trusted Passwords and System Access 193 robin:*:102:99:Robin Hood,Rm 3,x9876,408-555-1234:/home/robin:/usr/bin/sh The 1. 2. 3. fields contain the following information (listed in order), separated by colons: User (login) name, consisting of up to 8 characters. (In the example, robin) Unused password field, held by an asterisk instead of an actual password. (*) User ID, an integer ranging from 0 to MAXINT-1, equal to 2,147,483,646 or 231 -2. (102) 4. Group ID, from /etc/group, an integer ranging from 0 to MAXINT-1. (99) 5. Comment field, used to identify such information as the user's full name, location, and phone numbers. For historic reasons, this is also called the gecos field. (Robin Hood,Rm 3,x9876,408-555-1234) 6. Home directory, the user's initial login directory. (/home/robin) 7. Login program path name, executed when the user logs in. (/usr/bin/sh) The user can change the comment field (fifth field) with the chfn command and the login program path name (seventh field) with the chsh command. The system administrator sets the remaining fields. The user ID should be unique. For more information, see chfn(1), chsh(1), passwd(1), and passwd(4). The user can change the password in the protected password database with passwd. A.3.1.2 The /tcb/files/auth/ Database When a system is converted to a trusted system, the encrypted password, normally held in the second field of /etc/passwd, is moved to the protected password database, and an asterisk holds its place in the /etc/passwd file. Protected password database files are stored in the /tcb/files/auth/ hierarchy. User authentication profiles are stored in these directories based on the first letter of the user account name. For example, the authentication profile for user david is stored in the file /tcb/files/auth/d/david. On trusted systems, key security elements are held in the protected password database, accessible only to superusers. Use HP SMH to set password data entries. Password data that is not set for a user will default to the system defaults stored in the file /tcb/files/ auth/system/default. The protected password database contains many authentication entries for the user. See prpwd(4) for more information on these entries, which include the following: • User name and user ID • Encrypted password • Account owner • Boot authentication to allow specified users to boot the system; see security(4). • Audit ID and audit flag for the user (whether audit is on or not) • Minimum time between password change • Password maximum length • Password expiration time, after which the password must be changed • Password lifetime, after which the account is locked 194 Trusted Systems • • • • • • • • • • • • • Time of last successful and unsuccessful password changes Absolute time (date) when the account will expire Maximum time allowed between logins before the account is locked Number of days before expiration when a warning will appear Whether passwords are user-generated or system-generated Password triviality check to prevent common words or well-known terms from being used as passwords Type of system-generated passwords Null passwords User ID of last person to change password, if not the account owner Time periods when this account can be used for login Identification of terminal or remote hosts associated with the last successful and unsuccessful logins to this account Number of unsuccessful login attempts; cleared upon successful login Maximum number of login attempts allowed before account is locked A.3.2 Password Selection and Generation On trusted systems, the following password generation options are available: • User-generated passwords. A password screening option is available to check for the use of login and group names, login and group name permutations, and palindromes. A new password must differ from the old password by at least 3 characters. • • System-generated passwords using a combination of letters only. System-generated passwords using a combination of letters, numbers, and punctuation characters. • System-generated passwords using pronounceable meaningless syllables. You can set password generation options for a system. Alternately, you can set password generation options on a per-user basis, overriding the system default. You must set at least one password generation option for each user. If more than one option is available to a user, a password generation menu is displayed when the user changes the password. A.3.3 Password Aging You can enable or disable password aging for each user. When password aging is enabled, the system maintains the following for the password: Minimum time The minimum time required between password changes. This prevents a user from changing the password and then changing it back immediately to avoid memorizing a new one. Expiration time A time after which a user must change that password at login. Warning time The time before expiration when a warning will be issued. A.3 Managing Trusted Passwords and System Access 195 Lifetime The time at which the account associated with the password is locked if the password is not changed. Once an account is locked, only the system administrator can unlock it. Once unlocked, the password must still be changed before the user can log into the account. The expiration time and lifetime values are reset when a password is changed. A lifetime of zero specifies no password aging; in this case, the other password aging times have no effect. A.3.4 Password History and Password Reuse You can enable the password history feature on a systemwide basis to discourage users from reusing previous passwords. You enable the password reuse check by defining the PASSWORD_HISTORY_DEPTH attribute in the /etc/default/security file: PASSWORD_HISTORY_DEPTH=n where n is an integer specifying the number of previous passwords to check. When a user changes the password, the new password is checked against the previous n passwords, starting with the current password. If the system finds a match, it rejects the new password. An n of 2 prevents users from alternating between two passwords. For more information, see passwd(1) and security(4). A.3.5 Time-Based Access Control On trusted systems, you can specify times-of-day and days-of-week that are allowed for login for each user. When a user attempts to log in outside the allowed access time, the event is logged (if auditing is enabled for login failures and successes) and the login is terminated. A superuser can log in outside the allowed access time, but the event is logged. The permitted range of access times is stored in the protected password database for users and can be set with HP SMH. Users that are logged in when a range ends are not logged out. A.3.6 Device-Based Access Control For each MUX port and dedicated DTC port on a trusted system, you can specify a list of users allowed for access. When the list is null for a device, all users are allowed access. The device access information is stored in the device assignment database, /tcb/files/ devassign, which contains an entry for each terminal device on the trusted system. A field in the entry lists the users allowed on the device. Terminal login information on a trusted system is stored in the terminal control database, /tcb/files/ttys, which provides the following data for each terminal: • Device name • User ID of the last user to successfully log into the terminal • Last successful login time to the terminal 196 Trusted Systems • Last unsuccessful login time to the terminal • Number of consecutive unsuccessful logins before terminal is locked • Terminal lock flag Only superusers can access these trusted system databases and can set the entries using HP SMH. See devassign(4) and ttys(4). A.3.7 Manipulating the Trusted System Databases Use the library routines described in the following manpages to access information in the password files and in other trusted system databases: getdvagent(3) Manipulates device entries in /tcb/files/devassign getprdfent(3) Manipulates system defaults in /tcb/files/auth/system/ default getprpwent(3) Gets password entries from /tcb/files/auth/ getprtcent(3) Manipulates terminal control database, /tcb/files/ttys getpwent(3C) Gets password entries from /etc/passwd putpwent(3C) Writes password file entries to /etc/passwd getspwent(3X) Gets password entries from /tcb/files/auth/ (provided for backward compatibility) putspwent(3X) Writes password entries to /tcb/files/auth/ (provided for backward compatibility) putprpwnam(3) Writes password file entries to /tcb/files/auth/ A.4 Guidelines for Trusted Backup and Recovery Following are guidelines for backup and recovery on a trusted system: • Use only fbackup and frecover to back up and recover files selectively. Only fbackup and frecover retain access control lists (ACLs). Use the -A option of these commands when backing up and recovering files for use on systems that do not implement ACLs. For more information, see fbackup(1M) and frecover(1M). • If you plan to recover the files to another system, be sure that the user's user name and group name on both systems are consistent. • Remember that the backup media is sensitive material. Allow access to the media only on the basis of proven need. • Label backup tapes and store them securely. Offsite storage provides maximum security. Keep archives for a minimum of 6 months, then recycle the media. • Use appropriate procedures to clean magnetic media to remove data before reuse. • Perform daily incremental and full weekly backups. Synchronize the backup schedule with the information flow in the organization. For example, if a major database is updated every Friday, you might want to schedule the weekly backup on Friday evenings. A.4 Guidelines for Trusted Backup and Recovery 197 • • • • • • • • • If all files must be backed up on schedule, request that all users log off before you perform the backup. However, fbackup warns you if a file is changing while the backup is being performed. Examine the log file of latest backups to identify problems occurring during backup. Set restrictive permissions for the backup log file. The frecover command allows you to overwrite a file. However, the file retains the permissions and ACLs set when the file was backed up. You must test the recovery process beforehand to make sure you can fully recover data in the event of an emergency. When recovering files from another machine, you might have to execute the chown command to set the user ID and group ID for the system on which they now reside, if the user and group do not exist on the new system. If files are recovered to a new system that does not have the specified group, the files will take on the group ownership of the person running frecover. If owner and group names have different meanings on different systems, recovery results might be unexpected. Power failure should not cause file loss. However, if someone reports a lost file after a power failure, look for it in /lost+found before restoring it from a backup tape. To verify contents of the tape being recovered, use the -I option of frecover to preview the index of files on the tape. Note, however, that existing permissions of a file system are kept intact by the backup; frecover prevents you from reading the file if the permissions on the file forbid it. Never recover in place any critical files such as /etc/passwd or the files in /tcb/ files. Instead, restore the file to a temporary directory (do not use /tmp) and give this directory permissions drwx------, preventing anyone else from using it. Compare the restored files with those to be replaced. Make any necessary changes. Auditing is not enabled automatically when you have recovered the system. Be sure to turn auditing on with the audsys command. 198 Trusted Systems B Other Security Products This appendix includes additional security products available for HP-UX, for the following three security categories: • “Protecting Systems” (page 199) • “Protecting Data” (page 200) • “Protecting Identity” (page 203) You can download these products for free from the HP Software Depot at: http://www.hp.com/go/softwaredepot B.1 Protecting Systems In addition to the security products that are discussed in Part I Protecting Systems, the following security products offer additional system protection. B.1.1 HP-UX Bastille HP-UX Bastille is a system hardening and reporting program that enhances the security of the HP-UX operating system by consolidating essential hardening and lock-down checklists from industry and government security organizations, and making them accessible to administrators in an easy to use package. For more information, see the HP-UX Bastille documentation: http://www.hp.com/go/hpux-security-docs Click HP-UX Bastille Software. B.1.2 HP-UX HIDS HP-UX Host Intrusion Detection System (HIDS) enables security administrators to proactively monitor, detect, and respond to attacks within a network, as follows: • Protects against both existing attack scenarios and against some as of yet unknown scenarios. It seeks out patterns that might suggest security breaches or misuses by examining information about system activity from a variety of data sources. Such illicit activities might include: a hacker attempting to break into or disrupt your system, subversive "insider" activities, or someone trying to spread a virus • Detects product enhances local host-level security within your network. It automatically monitors each configured host system within the network for possible signs of unwanted and potentially damaging intrusions. If unchecked it can lead to the loss of availability of key systems or can compromise system integrity. HP-UX HIDS generate alerts for many types of exploits. • Provides continuous protection against both existing attack scenarios and unknown scenarios unlike other intrusion detection systems. It detects intrusions by using detection templates. Detection templates are the building blocks used to identify the B.1 Protecting Systems 199 basic types of unauthorized system activity or security attacks frequently found on enterprise networks. • Provides notification in the event of suspicious activity that might precede an attack. By contrast, other intrusion detection systems rely entirely on an operator-instigated analysis of the system log files. Typically the operator analyses the system log files at the end of the day. This delay in the analysis of the attack provides considerable time to damage the system. For more information, see the HP-UX HIDS documentation: http://www.hp.com/go/hpux-security-docs Click HP-UX Host Intrusion Detection System Software. B.1.3 HP-UX IPFilter HP-UX IPFilter is a system firewall that filters IP packets to control packet flow in or out of a machine. It works as a security defense by cutting down on the number of exposure points on a machine. For more information, see the HP-UX IPFilter documentation: http://www.hp.com/go/hpux-security-docs Click HP-UX IPFilter Software. B.1.4 Security Patches HP-UX Software Assistant (SWA) is a command-line based tool that consolidates and simplifies patch management and security bulletin management on HP-UX systems. The SWA tool is new for HP-UX releases as of January 2007, replaces Security Patch Check (SPC), and is the HP-recommended utility to use to maintain currency with HP-published security bulletins for HP-UX software. HP provides up-to-date software patches to known security problems that allow unauthorized root access to your system. For more information, see the HP-UX SWA documentation: http://www.hp.com/go/hpux-security-docs Click HP-UX Software Assistant (SWA) Software. B.2 Protecting Data In addition to the security products that are discussed in Part II Protecting Data, the following security products offer additional data protection. B.2.1 HP-UX Containers (SRP) HP-UX Containers, formerly Secure Resource Partitions (SRP), allows you to deploy multiple isolated container-based environments on a single server platform. This allows the enterprise to host multiple workloads in a single operating system instance, thereby better utilizing server resources (CPU, memory, network access) and data center resources (power, cooling, footprint), and reducing the overall number of operating system instances 200 Other Security Products that must be managed. HP-UX Containers is a component of the Virtualization Continuum for HP-UX and offers high efficiency in resource utilization and performance. For more information, see the HP-UX Containers (SRP) documentation: www.hp.com/go/virtualization-manuals Click HP-UX Containers (SRP) Software. B.2.2 HP-UX Encrypted Volume and File System (EVFS) EVFS (Encrypted Volume and File System) is an application-transparent technology providing protection of data at rest. With EVFS, critical files and data at rest (on disk) are stored in encrypted form on disk. EVFS safeguards against compromised use of and unauthorized access to data due to physical theft of storage devices. The data encryption is based on a secret-key cryptosystem and runs as an integrated kernel service transparent to the user. With HP-UX EVFS, disks and volumes can be configured to be used in one of two modes - volume-level encryption (EVS) or file-level encryption (EFS). For more information, see the HP-UX EVFS documentation: http://www.hp.com/go/hpux-security-docs Click HP-UX Encrypted Volume and File System Software. B.2.3 HP-UX IPSec HP-UX IPSec provides an infrastructure to allow secure communications (authentication, integrity, confidentiality) over IP-based networks between systems and devices that implement the IPsec protocol suite. For more information, see the HP-UX IPSec documentation: http://www.hp.com/go/hpux-security-docs Click HP-UX IPSec Software. B.2.4 HP-UX OpenSSL HP-UX 11i operating systems implement the Secure Sockets Layer (SSL V2 and V3) and Transport Layer Security (TLS V1) protocols using the OpenSSL Toolkit developed by the OpenSSL Project (http://www.openssl.org/). Secure Sockets Layer (SSL) is the open standard security protocol for the secure transfer of sensitive information over the Internet. SSL provides three basic security services: privacy through encryption, server authentication, and message integrity. Client authentication is available as an optional function. Protecting communication links to HP-UX applications over a TCP/IP connection can be accomplished through the use of SSL. The OpenSSL APIs establish private, authenticated, and reliable communications links between applications. For more information, see the HP-UX OpenSSL documentation: http://www.hp.com/go/hpux-security-docs Click HP-UX OpenSSL Software. B.2 Protecting Data 201 B.2.5 HP-UX Secure Shell HP-UX Secure Shell uses hashing to ensure data integrity and provides secure tunneling features, port forwarding, and an SSH agent to maintain private keys on the client. HP-UX Secure Shell enables you to securely log into another system over a network, to execute commands on a remote system, and to move files from one system to another. HP-UX Secure Shell provides a set of commands that replace insecure commands such as rlogin, rsh, rcp, ftp, and telnet. HP-UX Secure Shell also protects a network from the following security hazards: IP Spoofing A technique used to gain unauthorized access to computers. An intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. Eavesdropping Searching a system for passwords, credit card numbers, or business secrets. Hijacking A technique used to take over network communication in such a way that the attacker can inspect and modify data transmitted between the communicating parties. For more information, see the HP-UX Secure Shell documentation: http://www.hp.com/go/hpux-security-docs Click HP-UX 11i Secure Shell Software. B.2.6 HP-UX Trusted Computing Services HP-UX Trusted Computing Services (TCS) provides software support for the Trusted Platform Module (TPM) option currently available on certain HP blade servers, the BL860C and BL870C being two examples. Each TPM chip contains a unique, hidden RSA private key and algorithms for applying the key to standard cryptographic operations. By cryptographic wrapping, private keys can be rendered usable only on a specific platform with a specific embedded TPM. This is useful for ensuring against unauthorized use of private keys on platforms other than those intended by the key owners. A TCS-generated key is effectively restricted for use on a single platform. The TCS package provides an extensive set of library functions for application development. These library functions have been specified by the Trusted Computing Group for implementation on a wide range of platform architectures. The TCS package also includes commands for generating and maintaining TCS keys, and for bulk encryption of user data. You can find more information on TPM and Trusted Computing at: https:// www.trustedcomputinggroup.org/home. With TCS installed, TPM protection of private keys becomes available to a number of applications: • HP-UX Encrypted Volume File System (EVFS) volumes can be configured to use TCS keys. With TCS, these volumes can only be decrypted on a specific server with the 202 Other Security Products correct TPM chip. Procedures are provided for encrypted volume backup and configuration of ServiceGuard clustering when TCS keys are employed. • HP-UX SecureShell now contains support for utilization of TCS keys for servers establishing encrypted sessions with remote clients. This prevents a SecureShell server from being easily transferred to another platform. • With HP-UX OpenSSL, TCS key protection can be easily integrated into applications that rely on OpenSSL for cryptographic operations. The Stunnel product available with Internet Express provides a solid example of how TCS keys can be integrated through OpenSSL. An application server employing Stunnel to establish encrypted sessions can utilize TCS keys through Stunnel. For more information, see the HP-UX TCS documentation: http://www.hp.com/go/hpux-security-docs Click HP-UX Trusted Computing Services (TCS) Software. B.2.7 HP-UX Whitelisting HP-UX Whitelisting (WLI) protects the system from unexpected downtime and denial-of-service by preventing inadvertent or illegitimate changes to the critical system files. It also protects files from unauthorized access by granting permissions only to the authorized applications, irrespective of the user (uid) executing the application. WLI is a cryptographic key-based product. Whitelisting security features are based on RSA key ownership and encryption technology. The authorization is provided by policies along with the traditional Discretionary Access Control(DAC). WLI security features are imposed through RSA signatures and enforced through signature verification. Therefore, regular files and directories may be protected from access by any user including super user. For more information, see the HP-UX Whitelisting documentation: http://www.hp.com/go/hpux-security-docs Click HP-UX Whitelisting. B.3 Protecting Identity In addition to the security products that are discussed in Part III Protecting Identity, the following security products offer additional identity protection. B.3.1 HP-UX AAA Server (RADIUS) The HP-UX AAA Server utilizes the industry standard Remote Authentication Dial-In User Service (RADIUS) protocol and Extensible Authentication Protocol (EAP) to provide standards-based user authentication, authorization, and accounting services to network devices and software applications. The HP-UX AAA Server can be utilized for securing wired and wireless LAN access, provide authentication and accounting for Virtual Private Network (VPN) gateways, firewalls and other network devices, and to enhance the security of RADIUS-enabled software applications in Enterprise and Service Provider environments. For more information, see the HP-UX AAA Server documentation: B.3 Protecting Identity 203 http://www.hp.com/go/hpux-security-docs Click HP-UX AAA Server (RADIUS) Software. B.3.2 HP-UX Directory Server A global directory service, HP-UX Directory Server (HPDS) provides an industry-standard, centralized directory service on which to build your intranet or extranet. Your HP-UX servers and other directory-enabled applications use the directory server as a common, network-accessible location for storing shared data such as user and group identification, server identification, and access control information. In addition, you can extend the HP-UX Directory Server to support your entire enterprise with a global directory service that enables centralized management of all enterprise resource information. HP-UX Directory Server includes enterprise-class features, including multi-master replication, encryption, authentication and access control, remote administration, on-line backup, as well as numerous other features. For more information, see the HP-UX Directory Server documentation: http://www.hp.com/go/hpux-security-docs Click HP-UX Directory Server. B.3.3 HP-UX LDAP-UX Integration With an LDAP-enabled directory server, LDAP-UX Integration provides your HP-UX system centralized user, group, and system management, along with centralized authentication and access control. LDAP-UX supports standard LDAP directory servers as well as Windows Active Directory, for which HP-UX can use the same management groups and policies as in a Windows domain. In addition, users from multiple domains can authenticate to HP-UX. To simplify authentication and access control, LDAP-UX can defer to centralized password and account policies as well as define highly customizable access control policies for HP-UX services. LDAP-UX includes numerous integration features: centralized configuration, flexible group management that includes support for standard LDAP groups or dynamic groups (role-based membership), command-line and GUI-based (through HP SMH) user and group management, host and ssh key management, off-line mode, and more. For more information, see the HP-UX LDAP-UX Integration Software documentation: http://www.hp.com/go/hpux-security-docs Click HP-UX LDAP-UX Integration Software. 204 Other Security Products Glossary 3DES Triple Data Encryption Standard. A symmetric key block encryption algorithm that encrypts data three times, using a different 56-bit key each time (168 bits used for keys). 3DES is suitable for bulk data encryption. AAA server Authentication, Authorization, and Accounting server. An AAA server provides authentication, authorization, and accounting services of user network access at the entry points to a network. HP-UX provides AAA servers based on the RADIUS protocol and Diameter Base protocol. ACL Access Control List. A list or database that defines what resources users or other principals can access, and the type of access allowed. AES Advanced Encryption Standard. A symmetric key block encryption algorithm. HP-UX IPSec supports AES with a 128-bit key. AES is suitable for bulk data encryption. AH Authentication Header. The AH provides data integrity, system-level authentication and can provide antireplay protection. AH is part of the IPsec protocol suite. asymmetric key cryptography See public key cryptography. auditing The selective recording of events for the analysis and detection of security breaches. The HP-UX auditing system provides a mechanism to audit users and processes. authentication The process of verifying the identity of a subject (a user, host, device or other entity in a computer network). Authentication is often a prerequisite to allowing access to resources in a system. Alternatively, the process of verifying the integrity of data, or the identity of the party that sent data. Authentication Header See AH. authorization The process of evaluating access control information and determining if a subject (a user, host, device, or other entity in a computer network) is allowed to perform an operation on a particular resource, or object. Authorization is typically performed after a subject's identity is authenticated. In the context of RBAC, authorization specifically refers to the pairing of an operation with an object, and is also referred to as permission. See RBAC. Bastille HP-UX Bastille is a system hardening and reporting program that enhances the security of the HP-UX operating system by consolidating essential hardening and lock-down checklists from industry and government security organizations, and making them accessible to administrators in an easy to use package. bastion host A computer system that protects an internal network from intruders. See also firewall and hardened system. buffer overflow attack A method to attack a system by causing process errors, or by causing a process to execute malicious code. This is typically achieved by overflowing an input buffer in the stack. This causes a memory violation or other error that causes the process to terminate, or causes the process to execute malicious code. See also stack buffer overflow attack. CA Certificate Authority. A trusted third-party that authenticates users and issues certificates. In addition to establishing trust in the binding between a user's public key and other security-related information in a certificate, the CA digitally signs the certificate information using its private key. 205 certificate A security certificate associates (or binds) a public key with a principal—a particular person, system, device, or other entity. The security certificate is issued by an entity, in whom users have put their trust, called a Certificate Authority (CA), which guarantees or confirms the identity of the holder (person, device, or other entity) of the corresponding private key. The CA digitally signs the certificate with the CA's private key, so the certificate can be verified using the CA's public key.The most commonly used format for public-key certificates is the International Organization for Standardization (ISO) X.509 standard, Version 3. Certificate Authority See CA. Certificate Revocation List See CRL. challenge-response authentication A form of authentication where the authenticator sends a random value, the challenge, to the user or principal being authenticated. The user sends back a response based on the challenge value and a shared secret value previously established with the authenticator, such as an MD5 hash value. Unlike a regular password exchange, the challenge-response dialog varies, so an intruder cannot replay the user's response to gain authentication. chroot jail A method restricting the files and directories accessible by a process and users of that process. The process starts in a specified base directory (the root), and cannot access any directories or files above the root directory. compartments A method of isolating various components of the system from one another. When configured properly, components are an effective method to safeguard the HP-UX system and the data that resides upon it. containment A mechanism or set of mechanisms to restrict the access rights of processes. In the context of RBAC, containment is a combination of mandatory access control and fine-grained privileges. See RBAC. CRL Certificate Revocation List. Certificates are issued with a specific lifetime, defined by a start date/time and an expiration date/time. However, situations can arise, such as a compromised key value, that necessitate the revocation of the certificate. In this case, the certificate authority can revoke the certificate. This is accomplished by including the certificate's serial number on a CRL updated and published on a regular basis by the CA and made available to certificate users. See CA. cryptography The process of encoding normal data (or cleartext) data so it can only be decoded by holders of specific information. Data Encryption Standard See DES. denial of service attack An attack where a system is prevented from responding to network packets so the system cannot service requests. Denial of service attacks may be implemented by flooding a vulnerable system with false requests that consume a large number of resources. Denial of service attacks are often used with host spoofing to keep the spoofed host (the host with the IP address the spoofer is assuming) from participating in the exchange between the spoofer and the system the spoofer is trying to access. DES Data Encryption Standard. Uses a 56-bit key for symmetric key block encryption. DES is suitable for bulk data encryption. DES has been cracked (data encoded using DES has been decoded by a third party). 206 Glossary Diameter Base A protocol that provides authentication, authorization, and accounting (AAA) services based on the RADIUS protocol. The Diameter protocol provides the same functionality as RADIUS, with improved reliability, security and infrastructure. See also RADIUS. Diffie-Hellman A public-key method to generate a symmetric key where two parties can publicly exchange values and generate the same symmetric key. Start with prime p and generator g, which may be publicly known (typically these numbers are from a well-known Diffie-Hellman Group). Each party selects a private value (a and b) and generates a public value (g**a mod p) and (g**b mod p). They exchange the public values. Each party then uses its private value and the other party's public value to generate the same symmetric key, (g**a)**b mod p and (g**b)**a mod p, which both evaluate to g**(a*b) mod p for future communication. The Diffie-Hellman method must be combined with authentication to prevent man-in-the-middle or third-party attacks (spoofing) attacks. For example, Diffie-Hellman may be used with certificate or preshared key authentication. Digital Signature Digital signatures are a variation of keyed hash algorithms that use public/private key pairs. The sender uses its private key and the data as input to create a Digital Signature value. EAP Extensible Authentication Protocol. A protocol that provides a framework for using multiple authentication methods and protocols, including passwords, Kerberos, and challenge-response protocols. Encapsulating Security Payload See ESP. encryption The process of converting data from a readable format to nonreadable format for privacy. Encryption functions usually take data and a cryptographic key (value or bit sequence) as input. ESP Encapsulating Security Payload. This is part of the IPsec protocol suite. The ESP provides confidentiality (encryption) and an antireplay service. It should be used with authentication, either with the optional ESP authentication field (authenticated ESP) or nested in an authentication header message. Authenticated ESP also provides data origin authentication and connectionless integrity. When used in tunnel mode, ESP also provides limited traffic flow confidentiality. event An action, such as creating a file, opening a file, or logging in to the system. Extensible Authentication Protocol See EAP. filter A mechanism for screening unwanted objects, or the parameters that specify the objects allowed or denied access. Typically, a filter is used to screen unwanted network packets (a packet filter). fine-grained privilege A permission to perform a specific, low-level operation (for example, permission to execute a specific system call). firewall One or more devices or computer systems used as a barrier to protect a network against unwanted users or harmful, intrusive applications. See also bastion host and hardened system. hardened system A computer system with minimal operating system features, users, and applications that is used as a barrier to protect a network against unwanted users or harmful, intrusive applications. Also referred to as a bastion host. HMAC Hashed Message Authentication Code. See also MAC. IKE The Internet Key Exchange (IKE) protocol is part of the IPsec protocol suite. IKE is used before the IPsec ESP or AH protocol exchanges to determine which encryption and/or authentication services 207 will be used. IKE also manages the distribution and update of the symmetric (shared) encryption keys used by ESP and AH. See also ESP and AH. IPSec policy IPSec policies specify the rules according to which data is transferred securely. IPSec policies generally contain packet filter information and an action. The packet filter is used to select a policy for a packet and the action is applied to the packets using the policy Kerberos A network authentication protocol designed to provide strong authentication for client or server applications. Kerberos allows users to authenticate themselves without transmitting unencrypted passwords over the network. LDAP (Lightweight Directory Access Protocol) The LDAP protocol provides network directory access. LDAP uses a directory structure similar to the OSI X.500 directory service, but stores data as strings and uses the TCP/IP network stack instead of the OSI network stack. MAC A message authentication code (MAC) is an authentication tag, also called a checksum, derived by application of an authentication algorithm, together with a secret key, to a message. MACs are computed and verified with the same key so they can only be verified by the intended receiver, unlike digital signatures. Hash function-based MACs (HMACS) use a key or keys in conjunction with a hash function to produce a checksum that is appended to the message. An example is the keyed-MD5 method of message authentication. MACs can also be derived from block ciphers. The data is encrypted in message blocks using DES CBC and the final block in the ciphertext is used as the checksum. The DES-CBC MAC is a widely used US and international standard. man-in-the-middle attack See third-party-attack. manual keys Manually configured cryptographic keys for IPSec. An alternative to using the Internet Key Exchange (IKE) protocol to generate cryptographic keys and other information for IPSec Security Associations (SAs). MD5 Message Digest-5. Authentication algorithm developed by RSA. MD5 generates a 128-bit message digest using a 128-bit key. IPSec truncates the message digest to 96 bits. NAT Network Address Translation. A method to allow multiple systems in an internal, private network share one public internet IP address. A NAT gateway replaces (translates) internal IP addresses and ports to its public IP address when forwarding packets from the internal network to the public internet and performs the reverse translation for the return path. object A system or network resource such as a system, file, printer, terminal, database record. In the context of authorization, authorization is granted for a subject's operation on an object. operation A specific mode of access to one or more objects. For example, writing to a file. In the context of authorization, authorization is granted for a subject's operation on an object. out-of-band key exchange A key exchange using a secure communication channel that is outside of normal computer communication channels, such as a face-to-face meeting or telephone call. packet filter A filter used to select or restrict network packets. Packet filters specify network packet characteristics. Packet filters typically specify source and destination IP addresses, upper-layer protocols (such as TCP or UDP), and TCP or UDP port numbers. Packet filters may also define other packet fields, such as IPv6 header types, upper-layer message types (for example, ICMP message types), and TCP connection states. 208 Glossary PAM Pluggable Authentication Module. An authentication framework that allows system administrators to configure services for authentication, account management, session management, and password management for HP-UX utilities, such as the system login utility. Perfect Forward Secrecy (PFS) With Perfect Forward Secrecy, the exposure of one key permits access only to data protected by that key. Pluggable Authentication Module See PAM. preshared key A cryptographic value agreed upon by two systems for encryption or authentication. The key is exchanged prior to computer data communication, typically using an out-of-band key exchange (such as a verbal, face-to-face exchange). See also shared key cryptography. principal A person, system, device or other entity. private key cryptography See shared key cryptography. privilege A permission to perform an action on a computer system. public key cryptography A cryptographic method using two mathematically related keys (for example, k1 and k2) such that data encrypted with k1 can be decrypted only using k2. In addition, most algorithms provide assurance that only the holder of k1 can correctly encrypt data that can be decrypted by k2. One key must be private (known only to the owner), but the second key can be widely known (public), which makes key distribution easy to manage. Public key encryption is computationally expensive, so it is impractical for bulk data encryption. Instead, public key cryptography is usually used to authenticate data. Also referred to as asymmetric key cryptography (the two keys are not the same) or public-private key cryptography. public-private key cryptography See private key cryptography. RADIUS The Remote Authentication Dial-In User Service (RADIUS) protocol is widely used and implemented to manage access to network services. It defines a standard for information exchange between a network access device and an authentication, authorization, and accounting (AAA) server for performing authentication, authorization, and accounting operations. A RADIUS AAA server can manage user profiles for authentication (verifying user name and password), configuration information that specifies the type of service to deliver, and policies to enforce that may restrict user access. The RADIUS protocol provides only the framework for the authentication exchange and can be used with numerous authentication methods. RBAC Role-Based Access Control. An HP-UX mechanism to provide fine-grained access to system resources, commands, and system calls. Users are assigned to roles and users are granted privileges for access according to roles. role A job function, within the context of an organization, with associated semantics regarding the authority and responsibility given to users assigned to the role. Role-Based Access Control See RBAC. RSA Rivest, Shamir, and Adelman. Public-private key cryptosystem that can be used for privacy (encryption) and authentication (signatures). For encryption, system A can send data encrypted with system B's public key. Only system B's private key can decrypt the data. For authentication, system 209 A sends data with a digital signature, a digest or hash encrypted with system A's private key. To verify the signature, system B uses system A's public key to decrypt the signature and compare the decrypted hash or digest to the digest or hash that it computes for the message. SASL Simple Authentication and Security Layer. A protocol used to add authentication services to connection-based network applications. The SASL API provides a flexible framework that allows programmers to use a common interface to access multiple authentication services. secure shell See SSH. Secure Sockets Layer See SSL. Security Certificate See certificate. SHA1 Secure Hash Algorithm-1. An authentication algorithm that generates a 160-bit message digest using a 160-bit key. shadow password A structure to provide additional security for user passwords. The shadow password structure (spwd) contains encrypted user passwords and other information used with the passwd structure. The shadow password structure is stored in a file that is usually readable only by privileged users. shared key cryptography A cryptographic method where two parties use the same key (the two parties share the same key) for encrypting or authenticating data. To provide data privacy or authentication, only the two parties can know the key value (the key must be private). Shared key cryptography is more efficient than public-private key cryptography for encrypting data, so it is often used for bulk data encryption. However, distributing or establishing the shared key requires an out-of-band key exchange (such as a face-to-face verbal exchange), Diffie-Hellman exchange, or other mechanism. Also referred to as private key cryptography or symmetric key cryptography. SSH Secure Shell. A set of network services that provides secure replacements for remote login, file transfer, and remote command execution. SSH also provides secure tunneling features, port forwarding, and an SSH agent to maintain private keys on the client. SSL Secure Sockets Layer. A protocol used to encrypt network data. The SSL protocol is above TCP in the data stack. SSL uses public/private keys to authenticate principals and exchange a private (shared) key. SSL then uses the private key to encrypt data. stack buffer overflow attack A method to attack a system by causing a process to execute malicious code. This is typically achieved by overflowing an input buffer in the stack to insert malicious code and then modifying the stack pointer to execute the malicious code. See also buffer overflow attack. stateful packet filter A type of packet filtering that uses upper-layer protocol fields and state information, such as TCP connection states. subject A user, host, device or other entity in a computer network. In the context of authorization, the originator of an operation on an object requiring an authorization decision. symmetric key cryptography See shared key cryptography. third-party attack In a third-party attack, the attacker intercepts packets between two attacked parties, A and B. A and B assume they are exchanging messages with each other, but are exchanging messages with the third party. The attacker assumes the identity of A to exchange messages with B, and assumes the identity of A to exchange messages with B. Also referred to as man-in-the-middle attack. transitive trust relationship Extending a trust relationship through other trusted entities. If A and B both trust C, A and B can trust each other using a transitive trust relationship through C. In a hierarchical structure, A and B can establish a transitive trust relationship if they can establish a chain-of-trust to a common root. 210 Glossary VPN Virtual Private Network. A private network within a public network, such as the global Internet. A VPN is virtual because it uses tunnels to effectively create a separate logical network within a physical network. A VPN is private because outside users cannot see or modify the data being transmitted. VPNs that use host identity authentication also provide protection against IP address spoofing. 211 212 Index Symbols /dev special device file security considerations for, 103 /etc/d_passwd file controlling access using, 56 /etc/default/security, 25 /etc/dialups file controlling access using, 56 /etc/ftpd/ftpusers file changing access with, 69 /etc/group file, 194 /etc/inetd.sec file, 72 /etc/pam.conf file, 35 configuring systemwide with, 37 /etc/pam_user.conf file, 35 /etc/passwd file, 191, 192, 193, 194 application user accounts, 30 changing, 42 example of pseudo-account in, 45 format of, 43 recovering, 27 restricted account, 30 /etc/rbac/aud_filter, 188 /etc/rbac/cmd_priv, 160 entries, 162 /etc/security.dsc file, 47 /etc/shadow shadow password file, 43 /sbin/rc2.d/S760auditing, 192 /tcb/files/auth/ protected password database, 192, 193 /tcb/files/auth/*/*, 191, 194, 196, 197 /tcb/files/ttys, 196 /tmp, 198 /var.adm/userdb file, 48, 63 /var/adm/inetd.sec file configuring, 72 A access device-based access, 196 password, 195 terminal control, 195 time-based access, 195, 196 access control list See ACL, 91 Access Control Policy Switch, 147 customizing, 166 interfaces, 147 ACL and NFS, 103 comparison of JFS and HFS, 102 default JFS entries, 99 example of changing a minimal JFS, 98 setting, 91 setting HFS, 91 setting JFS, 95 trusted system backup/recovery, 197 administrative domain managing, 74 AES (Advanced Encryption Standard), 205 AH (Authentication Header) definition, 205 anonymous FTP securing, 69 at command, 192 audisp command viewing audit log output with, 186 audit event, 177 type, 179 audit flag, 195 audit ID (aid), 192, 194, 195 audit log file, 179 overwriting existing, 181 streamlining data in, 187 viewing, 186 auditing basic profile, 178 commands, 172 enabling, 172 turning on after recovery, 27 users, 171 authadm, 157 examples, 158 syntax, 157 authentication, 192 during login, 31 PAM login example, 39 used by SSH, 80 using boot, 25 using PAM, 34 Authorization Number, 193 authorizations, 144 configuring, 157 object, 144 operation, 144 auxiliary audit log file, 180 B backup security guidelines for, 26 trusted system, 191, 197 backup media security of, 197 Bastille (see HP-UX Bastille) batch, 192 213 boot authentication using, 25 boot processs gaining, 24 booting preventing security breaches during booting, 23 btmp file tracking failed logins with, 33 C CA (certificate authority) defined, 205 CDE Lock Manager configuring, 55 CDE Login Manager logging in with, 32 Certificate Revocation List (CRL), 206 chfn, 194 chmod command changing file access permissions with, 88 effect on class entries, 97 chown, 27, 194, 198 chroot jail, 84 chsh, 194 cmdprivadm, 158 examples, 159 syntax, 158 command login, 193 swlist, 192 compartments, 109 activating, 124 creating rules, 114 file system rules, 116 IPC rules, 117 modifying rules, 114 network interface rules, 122 network rules, 119 planning a structure, 111 privilege limitation rules, 123 troubleshooting, 126, 140 crontab, 192 D DES (Data Encryption Standard), 206, 207 device assignment database trusted system, 197 device-based access control, 196 Diffie-Hellman, 207 group, 207 directory access securing, 89 disk partition security considerations for, 104 domain managing an administrative, 74 214 Index E encrypted password field, 194 encryption definition, 207 ESP (Encapsulating Security Payload) definition, 207 /etc/ftpd/ftpusers, 69 /etc/inetd.sec, 72 /etc/passwd, 27 expiration time password aging, 195 F fbackup command, 26 trusted backup, 197 file /etc/group, 194 /etc/passwd, 191, 192, 193, 194 file corruption locating and correcting using fsck command, 90 file ownership setting, 89 file security considerations for /dev special files, 103 controlling file access, 87 controlling on a network, 106 protecting disk partitions and logical volumes, 104 protecting files related to user accounts, 90 protecting NFS-mounted files, 107 file set SecurityMon, 192 file system security guidelines for mounting and unmounting, 104 fileaccess setting access permissions, 88 filter definition, 207 fine-grained privileges, 131 configuring, 160 frecover command, 26 trusted recovery, 197 fsck command correcting file corruption with, 90 FTP securing, 68 securing anonymous, 69 ftpd server, 69 function getdvagent, 197 getprdfent, 197 getprpwent, 197 getprtcent, 197 getpwent, 197 getspwent, 197 putprpwnam, 197 putpwent, 197 putspwent, 197 G getacl command viewing ACLs with, 97 getdvagent function, 197 getfilexsec command, 113, 132 getprdfent function, 197 getprocxsec command, 113, 132 getprpwent function, 197 getprtcent function, 197 getpwent function, 197 getspwent function, 197 group account managing, 31 group ID (gid), 194 GSS-API SSH, 80 guest account monitoring, 30 H HFS, 91 HFS ACL and NFS, 103 commands and calls that work with, 93 compared with JFS ACL, 102 setting, 91 High Performance File System See HFS, 91 history password, 196 host-based authentication and public key based authentication, 81 used by SSH, 81 HP-UX AAA Server (RADIUS), 203 HP-UX Bastille, 15, 25, 199 defined, 205 HP-UX Containers SRP, 200 HP-UX Directory Server, 204 HP-UX EVFS, 201 HP-UX HIDS, 199 HP-UX installation installing security patches, 26 postinstallation security tips, 26 preventing security breaches during booting, 23 security considerations, 23 setting install-time security options, 25 HP-UX IPFilter, 200 HP-UX IPSec, 201 HP-UX LDAP-UX, 204 HP-UX RBAC architecture, 149 auditing, 188 commands, 148 wrapping, 154 components, 146 configuration files, 147 configuring Compartments, 162 default user, 156 manpages, 148 operation, 150 troubleshooting, 168 HP-UX Secure Shell, 202 HP-UX Security Patches, 200 HP-UX TCS, 202 I IKE (Internet Key Exchange) protocol, 207 inetd daemon overview of, 70 securing, 71 TCP wrappers and, 72 Install-Time Security, 25 installing HP-UX installing security patches after, 26 postinstallation security tips, 26 preventing security breaches during booting, 23 security considerations, 23 setting install-time security options, 25 installing security patches using Software Assistant, 26 Internet daemon See inetd daemon, 70 Internet Services, 67 overview of, 67 IPSec policy definition, 208 J JFS, 91 JFS ACL and NFS, 103 changing with setacl command, 100 compared with HFS ACL, 102 example of changing a minimal, 98 setting, 95 using default entries, 99 Journaled File System See JFS, 91 L last command examples of using, 33 LDAP directory server securing passwords stored in, 46 lifetime password aging, 195 log file audit, 179 logical volume 215 security considerations for, 104 Logical Volume Manager See LVM, 104 login banners securing, 57 login command, 32, 193 login process explanation of, 32 login tracking file, 33 lost+found directory, 27, 198 LVM, 104 M MAC, 208 managing file access, 87 managing passwords, 41 minimum time password aging, 195 mobile connection securing, 56 modem access security guidelines for managing, 55 mounting a file system securely, 104 N network administration, 75 controlling file security, 106 managing an administrative domain, 74 network control file checking permissions on, 106 verifying permissions on, 75 NFS, 106 and ACLs, 103 protecting NFS-mounted files, 107 securing the client, 107 securing the server, 107 NIS securing passwords stored in, 46 O operations guidelines for creating, 153 P PAM authenticating users with, 34 configuring systemwide, 37 overview of, 35 PAM authentication login example, 39 PAM library, 36 PAM service module, 35 parameter PASSWORD_HISTORY_DEPTH, 196 passwd command, 194 216 Index examples of, 42 password, 195 aging, 192, 194, 195 expiration time, 195 lifetime, 195 minimum time, 195 authentication used by SSH, 81 criteria of a good, 42 database, 191, 192, 194 /tcb/files/auth/, 192, 193 encrypted field, 194 encryption, 193 entry manipulating, 197 file fields, 193 protected password database, 191, 192, 194 generation, 195 history, 196 integrity, 193 management, 41 reuse, 196 security, 192 shadow, 43 types of, 195 PASSWORD_HISTORY_DEPTH parameter, 196 patch installation using Software Assistant, 26 Perfect Forward Secrecy (PFS) defined, 209 permissions checking network control file, 106 verifying for network control files, 75 power failure, 27, 198 file loss, 27 preshared keys definition, 209 primary audit log file, 180 privedit, 165 options, 166 syntax, 166 privrun, 163 -p, 161 examples, 164 operation, 150 options, 163 syntax, 163 protected password database /tcb/files/auth/, 192, 193 prpwd, 194 pseudo-account example of, 45 public key based authentication and host-based authentication, 81 used by SSH, 81 putprpwnam function, 197 putpwent function, 197 putspwent function, 197 R random number generator, 83 recovery security guidelines for, 26 remote access security guidelines for managing, 55 Remote Access Services, 67 overview of, 67 remote procedure call See RPC, 73 remote sessions securing using SSH, 76 reuse password, 196 roleadm, 155 examples, 156 syntax, 155 roles configuring, 155 default, 156 groups, 157 guidelines for creating, 152 root drawbacks of, 143 root access gaining, 24 monitoring, 58 reviewing, 59 using Restricted SMH Builder for limited, 58 root account protecting, 58 RPC and TCP wrappers, 73 RSA cryptosystem, 209 rsh command limiting system access with, 30 run level changing, 53 controlling access with, 53 S screen lock configuring, 54 Sec00Tools security level, 25 Sec20MngDMZ security level, 25 Sec30DMZ security level, 25 Secure Shell see SSH, 76 securing remote sessions, 76 security attribute defining, 46, 62 security level choosing during installation, 25 security patch installing, 26 SecurityMon file set, 192 selection and generation, 195 self-auditing program, 187 set group ID program See setgid programs, 50 set user ID program See setuid programs, 50 setacl command changing ACLs with, 97 changing JFS ACLs with, 100 setfilexsec command, 113, 132 setgid programs, 27, 198 managing, 50 setuid programs, 27, 198 managing, 50 shadow password, 43 single-user mode booting into, 24 SIS, 73 Software Assistant using, 26 spoofing defined, 70 protecting against using TCP wrappers, 72 SSH, 46 associated technologies, 83 authentication, 76, 80 encryption, 76 features, 76 GSS-API, 80 HP-UX system, 82 password authentication, 81 port forwarding, 77 privileged mode execution, 79 public key based authentication, 81 running, 78 running scp client, 79 running sftp client, 79 running ssh client, 78 securing remote sessions, 76 software components, 77 strong random number generator, 83 support for TCP wrappers, 83 SSH-1 protocol, 82 SSH-2 protocol, 82 stack buffer overflow protection, 52 sticky bit setting, 89 strong random number generator, 83 superuser access monitoring, 58 protecting, 58 reviewing, 59 using Restricted SMH Builder for limited, 58 swlist command, 192 217 system access security guidelines for remote, 55 system administration auditing guidelines, 176 auditing users, 171 authenticating users during login, 31 authenticating users using PAM, 34 backup guidelines, 26 controlling file security on a network, 106 defining security attributes, 46, 62 installing HP-UX securely, 23 installing security patches, 26 managing an administrative domain, 74 managing passwords, 41 managing remote access, 55 managing setuid and setgid programs, 50 managing user access, 29 mounting and unmounting a file system securely, 104 preventing stack buffer overflow attacks, 52 protecting root acess, 58 protecting unattended workstations and terminals, 53 securing FTP, 68 securing inetd, 71 securing Internet Services, 67 securing login banners, 57 securing the HP-UX file system, 87 security breaches , 23 setting install-time security options, 25 using boot authentication to prevent unauthorized access, 25 system run level changing, 53 controlling access with, 53 system security defining security attributes, 46, 62 T TCP wrappers and SSH, 83 protecting against spoofing with, 72 telephone securing, 56 temporary account disabling, 30 terminal configuring screen lock for, 54 protecting unattended, 53 terminal access, 195 terminal control database trusted system, 197 terminal device file protecting, 54 time-based access control, 196 TMOUT variable configuring, 54 trusted, 195 trusted password, 195 trusted password database, 197 218 Index trusted system converting from, 192 converting to, 191 databases, 197 U umask command changing default file permissions with, 89 unique user name importance of, 32 unmounting a file system securely, 104 user access managing, 29 user account restricted, 30 user authentication during login, 31 PAM login example, 39 using PAM, 34 user ID (uid), 194, 195 user name creating unique, 32 user security managing, 29 userdbset command examples of defining user attributes with, 49 V /var/adm/inetd.sec, 72 verifying permissions on network control files, 75 W who command obtaining user login information with, 34 workstation protecting unattended, 53 wtmp file tracking successful logins with, 33 WU-FTPD, 69
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.4 Linearized : No Title : HP-UX System Administrator's Guide: Security Management Creator : Unknown Author : Hewlett-Packard Company Producer : XEP 4.7 build 20060908 Trapped : False Create Date : 2011:07:19 16:23:16 Modify Date : 2011:07:19 16:23:16 Page Count : 218 Page Mode : UseOutlinesEXIF Metadata provided by EXIF.tools