Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home

HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3
» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

spacerspacerspacer
spacer
spacer
   
 

HP Part Number: 5992-3387

Edition: 4

Published: March 2008

© Copyright 2008 Hewlett-Packard Development Company L.P.

Table of Contents

About this Document
I Protecting Systems
1 Installing the HP-UX Operating Environment Securely
Installation Security Considerations
Preventing Security Breaches During the Boot Process
Enable Login Security for root
Using Boot Authentication to Prevent Unauthorized Access
Setting Install-Time Security Options
Installing Security Patches
Postinstallation Security Tips for Backup and Recovery
2 Administering User and System Security
Managing User Access
Monitoring User Accounts
Monitoring Guest Accounts
Creating Application User Accounts
Managing Group Accounts
Authenticating Users During Login
Explanation of the Login Process
Checking the login Tracking Files (btmp and wtmp)
Checking Who Is Logged In
Authenticating Users with PAM
Overview
PAM Libraries
Systemwide Configuration Using /etc/pam.conf
Sample /etc/pam.conf File
The /etc/pam_user.conf User Configuration File
Examples: How PAM Works for Login
Managing Passwords
System Administrator Responsibilities
User Responsibilities
Criteria of a Good Password
Changing the /etc/passwd Password File
The /etc/shadow Shadow Password File
Eliminating Pseudo-Accounts and Protecting Key Subsystems in /etc/passwd
Secure Login with HP-UX Secure Shell
Securing Passwords Stored in NIS
Securing Passwords Stored in LDAP Directory Server
Defining System Security Attributes
Configuring Systemwide Attributes
Configuring Per-User Attributes
Troubleshooting the User Database
Handling setuid and setgid Programs
Why setuid and setgid Programs Can Be Risky
How IDs Are Set
Guidelines for Limiting Setuid Power
Preventing Stack Buffer Overflow Attacks
Protecting Unattended Terminals and Workstations
Controlling Access Using /etc/inittab and Run Levels
Protecting Terminal Device Files
Configuring the Screen Lock
Protecting Against System Access by Remote Devices
Controlling Access Using /etc/dialups and /etc/d_passwd
Securing Login Banners
Protecting the root Account
Monitoring root Account Access
Using the Restricted SMH Builder for Limited Superuser Access
Reviewing Superuser Access
3 HP-UX Bastille
Features and Benefits
Installing HP-UX Bastille
Using HP-UX Bastille
Using HP-UX Bastille Interactively
Using HP-UX Bastille NonInteractively
Configuring a System
Using HP-UX Bastille to Revert Changes
File Location
Tips and Troubleshooting
Removing HP-UX Bastille
4 HP-UX Standard Mode Security Extensions
Overview
Security Attributes and the User Database
System Security Attributes
Configuring Systemwide Attributes
User Database Components
Configuring Attributes in the User Database
Troubleshooting the User Database
5 Remote Access Security Administration
Overview of Internet Services and Remote Access Services
Securing ftp
Securing Anonymous ftp
Denying Access Using /etc/ftpd/ftpusers
Other Security Solutions for Spoofing
The inetd Daemon
Securing inetd
Protection Against Spoofing with TCP Wrappers
Additional Features of TCP Wrappers
TCP Wrappers Do Not Work with RPC Services
Secure Internet Services
Controlling an Administrative Domain
Verifying Permission Settings on Network Control Files
Securing Remote Sessions Using HP-UX Secure Shell (SSH)
Key Security Features of HP-UX Secure Shell
Software Components of HP-UX Secure Shell
Running HP-UX Secure Shell
HP-UX Secure Shell Privilege Separation
HP-UX Secure Shell Authentication
Communication Protocols
HP-UX Secure Shell and the HP-UX System
Associated Technologies
Strong Random Number Generator Requirement
TCP Wrappers Support
chroot Directory Jail
II Protecting Data
6 File System Security
Controlling File Access
Setting File Access Permissions
Setting File Ownership
Protecting Directories
Protecting Files Related to User Accounts
Locating and Correcting File Corruption Using fsck
Setting Access Control Lists
Using HFS ACLs
HFS ACLs and HP-UX Commands and Calls
Using JFS ACLs
Definition of a JFS ACL
How the System Generates a JFS ACL
Minimal JFS ACL
Additional JFS ACL user and group Entries
JFS ACL group and class Entries
Using the setacl and getacl Commands
Effect of chmod on class Entries
Example of Changing a Minimal JFS ACL
Default JFS ACLs
Changing JFS ACL with the setacl Command
Comparison of JFS and HFS ACLs
JFS and HFS Command and Function Mapping
ACLs and NFS
Security Considerations for /dev Device Special Files
Protecting Disk Partitions and Logical Volumes
Security Guidelines for Mounting and Unmounting File Systems
Controlling File Security on a Network
Check Permission Settings on Network Control Files
Files Mounted in an NFS Environment
7 Compartments
Overview
Compartment Architecture
Default Compartment Configuration
Planning the Compartment Structure
Activating Compartments
Modifying Compartment Configuration
Changing Compartment Rules
Changing Compartment Names
Compartment Components
Compartment Configuration Files
Compartment Commands
Compartment Manpages
Compartment Rules and Syntax
Compartment Definition
File System Rules
IPC Rules
Network Rules
Miscellaneous Rules
Example Rules File
Configuring Applications in Compartments
Troubleshooting Compartments
Using Discover Mode to Generate Initial Compartment Configuration
Compartments in HP Serviceguard Clusters
8 Fine-Grained Privileges
Overview
Fine-Grained Privileges Components
Commands
Manpages
Available Privileges
Configuring Applications with Fine-Grained Privileges
Privilege Model
Compound Privileges
Security Implications of Fine-Grained Privileges
Privilege Escalation
Fine-Grained Privileges in HP Serviceguard Clusters
Troubleshooting Fine-Grained Privileges
III Protecting Identity
9 HP-UX Role-Based Access Control
Overview
Access Control Basics
Simplifying Access Control with Roles
HP-UX RBAC Components
HP-UX RBAC Access Control Policy Switch
HP-UX RBAC Configuration Files
HP-UX RBAC Commands
HP-UX RBAC Manpages
HP-UX RBAC Architecture
HP-UX RBAC Example Usage and Operation
Planning the HP-UX RBAC Deployment
Planning the Roles
Planning Authorizations for the Roles
Planning Command Mappings
HP-UX RBAC Limitations and Restrictions
Configuring HP-UX RBAC
Configuring Roles
Configuring Authorizations
Configuring Additional Command Authorizations and Privileges
Configuring HP-UX RBAC with Fine-Grained Privileges
Configuring HP-UX RBAC with Compartments
Using HP-UX RBAC
Using the privrun Command to Run Applications with Privileges
Using the privedit Command to Edit Files Under Access Control
Customizing privrun and privedit Using the ACPS
Troubleshooting HP-UX RBAC
The rbacdbchk Database Syntax Tool
privrun -v Information
10 Audit Administration
Auditing Components
Commands
Audit Configuration Files
Audit Manpages
Auditing Your System
Planning the Auditing Implementation
Enabling Auditing
Disabling Auditing
Monitoring Audit Files
Performance Considerations
Guidelines for Administering the Auditing System
Auditing Users
Auditing Events
Audit Trails
Configuring Audit Trails
Monitoring and Managing Audit Trails
Viewing Audit Logs
Examples of Using the audisp Command
Self-Auditing
HP-UX RBAC Auditing
Auditing Based on HP-UX RBAC Criteria and the /etc/rbac/aud_filter File
Procedure for Auditing HP-UX RBAC Criteria
A Trusted Systems
Setting Up a Trusted System
Auditing a Trusted System
Managing Trusted Passwords and System Access
Password Files
Password Selection and Generation
Password Aging
Password History and Password Reuse
Time-Based Access Control
Device-Based Access Control
Manipulating the Trusted System Databases
Guidelines for Trusted Backup and Recovery
B Other Security Products
HP-UX HIDS
Security Patches
HP-UX IPFilter
HP-UX Secure Shell
Glossary
Index

List of Figures

2-1 HP-UX Authentication Modules Under PAM
3-1 HP-UX Bastille User Interface
6-1 File and Directory Permission Fields
7-1 Compartment Architecture
9-1 HP-UX RBAC Architecture
9-2 Example Operation After Invoking privrun

List of Tables

3-1 HP-UX Bastille Question Modules
4-1 User Database Configuration Files
4-2 User Database Commands
4-3 User Attributes
4-4 User Database Manpages
5-1 Internet Services Components and Access Verification, Authorization, and Authentication
5-2 Software Components of HP-UX Secure Shell
6-1 Differences Between File and Directory Privileges
6-2 HFS ACL Commands
6-3 HFS ACL System Calls
6-4 Commands and Calls Affecting ACL Entries
6-5 HFS and JFS ACL Equivalents
7-1 Compartment Configuration Files
7-2 Compartment Commands
7-3 Compartment Manpages
8-1 Fine-Grained Privileges Commands
8-2 Fine-Grained Privileges Manpages
8-3 Available Privileges
9-1 Example of Authorizations Per User
9-2 Example of Authorizations Per Role
9-3 HP-UX RBAC Configuration Files
9-4 HP-UX RBAC Commands
9-5 HP-UX RBAC Manpages
9-6 Example Planning Results
10-1 Audit Commands
10-2 Audit Configuration Files
10-3 Audit Manpages
10-4 audevent Command Options

List of Examples

2-1 Pseudo- and Special System Accounts
6-1 Creating an HFS ACL
6-2 Multiple HFS ACL Matches
   


About this Document  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2008 Hewlett-Packard Development Company, L.P.