The Tru64 UNIX operating system is delivered with an optional enhanced security subset and other optional security features. When the enhanced security subset is installed and configured, the system is referred to as a trusted system. The enhanced security features result in a system that can be configured to meet the C2 class of trust, as defined by the Trusted Computer System Evaluation Criteria (TCSEC, also called the Orange Book). The system also meets the F-C2 functional class as defined in the Information Technology Security Evaluation Criteria (ITSEC).
Although many of the requirements for maintaining the security of the
trusted Tru64 UNIX system are the responsibility of your site's administrative
staff, you have a responsibility, as a user of the system, to help enforce
the security provided by the system.
This chapter explains system capabilities
and user responsibilities.
1.1 Security Features
The Tru64 UNIX system without the enhanced security subset installed provides traditional UNIX security, as described in the Tru64 UNIX manuals. Traditional UNIX security at the user level consists of basic login identification, authentication (password checking), and file permissions, which are a form of discretionary access control (DAC). The following sections describe how enhanced security and the other optional security features extend traditional security.
The presence of the protected password daemon (/usr/bin/prpasswdd) indicates that enhanced security is enabled. To determine which of the security features are running on your system, see your system administrator.
1.1.1 Login Control Enhancements
Enhanced security features for login control may include the following:
Recording of the last terminal used for a successful login
Recording of the time of the last successful login
Recording of the time of the last unsuccessful login attempt
Recording of the number of consecutive unsuccessful login attempts
Recording of the terminal used for the last unsuccessful login attempt
Automatic account lockout after a specified number of consecutive bad access attempts
A per-terminal setting for the delay between consecutive login attempts, and the maximum amount of time each attempt is allowed to complete the login before being declared a failed attempt
A per-terminal setting for the maximum consecutive failed login attempts before locking any new accesses from that terminal
Display of information about the last successful and last unsuccessful login attempts at login time
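The login controls listed above are easier to reason about as one state machine. The following model is an added illustration, not Tru64 UNIX code: the record fields, the thresholds (three failures lock the account, five lock the terminal, two seconds between attempts on a terminal), the credential table, and the replayed attempt sequence are all assumptions chosen for the example. Time is a plain integer so the run is deterministic and offline.

```python
"""Model of the per-account and per-terminal login controls.

Added illustration, not Tru64 UNIX code: record layout, thresholds and the
credential table are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AccountRecord:
    """Per-account state: what a trusted system records for each user."""
    last_success_tty: Optional[str] = None
    last_success_time: Optional[int] = None
    last_failure_tty: Optional[str] = None
    last_failure_time: Optional[int] = None
    consecutive_failures: int = 0
    locked: bool = False


@dataclass
class TerminalRecord:
    """Per-terminal state: consecutive failures and time of the last attempt."""
    consecutive_failures: int = 0
    last_attempt_time: Optional[int] = None
    locked: bool = False


class LoginController:
    """Applies account lockout, a per-terminal delay, and per-terminal lockout."""

    def __init__(self, credentials: Dict[str, str], max_user_failures: int = 3,
                 max_tty_failures: int = 5, tty_delay: int = 2) -> None:
        self.credentials = credentials      # constructed table; plaintext only for the model
        self.max_user_failures = max_user_failures
        self.max_tty_failures = max_tty_failures
        self.tty_delay = tty_delay
        self.accounts: Dict[str, AccountRecord] = {}
        self.terminals: Dict[str, TerminalRecord] = {}

    def attempt(self, now: int, user: str, password: str, tty: str) -> str:
        acct = self.accounts.setdefault(user, AccountRecord())
        term = self.terminals.setdefault(tty, TerminalRecord())

        # Per-terminal delay: a terminal retrying faster than the configured
        # delay never reaches the credential check, and the clock restarts.
        if term.last_attempt_time is not None and now - term.last_attempt_time < self.tty_delay:
            term.last_attempt_time = now
            return "too-fast"
        term.last_attempt_time = now

        if term.locked:
            return "terminal-locked"

        if not acct.locked and self.credentials.get(user) == password:
            acct.last_success_tty, acct.last_success_time = tty, now
            acct.consecutive_failures = 0
            term.consecutive_failures = 0
            return "ok"

        # Every other outcome is a failed access: record it against both the
        # account and the terminal, and lock whichever reached its limit.
        outcome = "account-locked" if acct.locked else "bad-password"
        acct.last_failure_tty, acct.last_failure_time = tty, now
        acct.consecutive_failures += 1
        if acct.consecutive_failures >= self.max_user_failures:
            acct.locked = True
        term.consecutive_failures += 1
        if term.consecutive_failures >= self.max_tty_failures:
            term.locked = True
        return outcome

    def login_banner(self, user: str) -> List[str]:
        """Lines shown at login time: last successful and last failed attempt."""
        acct = self.accounts.setdefault(user, AccountRecord())
        lines = []
        if acct.last_success_time is not None:
            lines.append(f"Last successful login: {acct.last_success_time} on {acct.last_success_tty}")
        if acct.last_failure_time is not None:
            lines.append(f"Last unsuccessful login: {acct.last_failure_time} on {acct.last_failure_tty}")
        return lines


def simulate() -> Tuple[List[str], LoginController]:
    """Replay a constructed sequence: a guessing run against alice from tty01,
    then bob blocked by the terminal lock and succeeding from another terminal."""
    ctrl = LoginController({"alice": "s3cret", "bob": "hunter2"})
    attempts = [
        (0, "alice", "wrong1", "tty01"),
        (1, "alice", "wrong2", "tty01"),   # faster than tty_delay: not even checked
        (5, "alice", "wrong3", "tty01"),
        (10, "alice", "wrong4", "tty01"),  # third failure locks alice
        (15, "alice", "s3cret", "tty01"),  # correct password, but account is locked
        (20, "bob", "wrong", "tty01"),     # fifth failure from tty01 locks the terminal
        (25, "bob", "hunter2", "tty01"),   # rejected: terminal locked
        (30, "bob", "hunter2", "tty02"),   # succeeds from another terminal
    ]
    results = [ctrl.attempt(*a) for a in attempts]
    return results, ctrl


if __name__ == "__main__":
    outcomes, controller = simulate()
    for line in outcomes + controller.login_banner("bob"):
        print(line)
```

Note that a correct password presented to a locked account is still recorded as a failure against the terminal: the lock is meant to stop guessing, so nothing the guesser sends is allowed to reset or bypass it.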
1.1.2 Password Control Enhancements
Enhanced security provides the following features for password control:
Configurable maximum password length, up to 80 characters
Configurable password lifetimes
Variable minimum password length
System-generated passwords that take the form of a pronounceable password made up of meaningless syllables, an unpronounceable password made up of random characters from the character set, or an unpronounceable password made up of random letters from the alphabet (all letters are from ASCII)
Per-user password generation flags, which include the ability to require a user to have a system-generated password
Record of who (besides the user) last changed the user's password
Password usage history
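The three system-generated password forms, the per-user generation flag, and the usage history described above can be shown together in working code. The block below is an added illustration and is not Tru64 UNIX's password generator or protected password database: the syllable table, the character sets, the PasswordPolicy field names, and the salted-digest history layout are assumptions chosen for this example. It draws randomness from the secrets module.

```python
"""Generators for the three system-generated password forms, the per-user
generation flag, and a reuse check against password history.

Added illustration, not Tru64 UNIX code: syllable table, character sets,
policy fields and history layout are assumptions for the example.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import List, Tuple

MAX_LENGTH = 80                         # ceiling from the feature list
CONSONANTS = "bcdfghjklmnprstvwz"       # assumption: letters that form readable syllables
VOWELS = "aeiou"
RANDOM_CHARS = string.digits + string.ascii_letters + string.punctuation  # no whitespace
RANDOM_LETTERS = string.ascii_letters


def _check_length(length: int) -> None:
    if not 1 <= length <= MAX_LENGTH:
        raise ValueError(f"length must be 1..{MAX_LENGTH}, got {length}")


def pronounceable(length: int) -> str:
    """Meaningless consonant-vowel(-consonant) syllables, cut to the requested length."""
    _check_length(length)
    text = ""
    while len(text) < length:
        syllable = secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
        if secrets.randbelow(2):            # half the syllables get a closing consonant
            syllable += secrets.choice(CONSONANTS)
        text += syllable
    return text[:length]


def random_characters(length: int) -> str:
    """Unpronounceable: random printable ASCII characters."""
    _check_length(length)
    return "".join(secrets.choice(RANDOM_CHARS) for _ in range(length))


def random_letters(length: int) -> str:
    """Unpronounceable: random ASCII letters only."""
    _check_length(length)
    return "".join(secrets.choice(RANDOM_LETTERS) for _ in range(length))


GENERATORS = {"pronounceable": pronounceable, "characters": random_characters,
              "letters": random_letters}


@dataclass
class PasswordPolicy:
    """Per-user settings (assumed field names): length bounds, permitted
    generator kinds, and the flag that forces a system-generated password."""
    min_length: int = 8
    max_length: int = 16
    allowed_generators: Tuple[str, ...] = ("pronounceable", "characters", "letters")
    require_generated: bool = False


class PasswordHistory:
    """Salted PBKDF2 digests of the last `depth` passwords, so none can be reused."""

    def __init__(self, depth: int) -> None:
        if depth < 1:
            raise ValueError("depth must be at least 1")
        self.depth = depth
        self._entries: List[Tuple[bytes, bytes]] = []

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(self._digest(salt, password), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries.append((salt, self._digest(salt, password)))
        del self._entries[:-self.depth]      # keep only the newest `depth` entries


def generate(policy: PasswordPolicy, kind: str) -> str:
    """System-generated password of a permitted kind, length drawn from the policy range."""
    if kind not in policy.allowed_generators:
        raise ValueError(f"generator {kind!r} not permitted for this user")
    length = policy.min_length + secrets.randbelow(policy.max_length - policy.min_length + 1)
    return GENERATORS[kind](length)


def validate_user_choice(policy: PasswordPolicy, history: PasswordHistory, candidate: str) -> str:
    """Why a user-chosen password is rejected, or "ok"."""
    if policy.require_generated:
        return "generated-only"
    if len(candidate) < policy.min_length:
        return "too-short"
    if len(candidate) > policy.max_length:
        return "too-long"
    if history.contains(candidate):
        return "reused"
    return "ok"
```

The history stores a fresh salt per entry rather than a reusable hash, so a reuse check has to recompute the digest once per remembered password; that is the cost of not leaking equality between entries to anyone who reads the database.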
1.1.3 Audit
One of the most useful security features of a Tru64 UNIX system is the audit subsystem, which an administrator can use to hold users accountable for their actions. The audit subsystem can record every relevant security event that happens on the system (for example, each file open, file creation, login, and print job submitted).
Each action is also stamped with an immutable audit ID (AUID) of the user who logged on, which allows all actions to be traced directly to a user. Users, by request to the system administrator, can use the audit trail to help re-create past events that affect the security of their accounts and data.
Users have no direct interaction with the audit subsystem. The audit feature is discussed in detail in Chapter 10.
Audit is a kernel option and is available without the enhanced security
subsets installed.
1.1.4 ACLs
Users on a Tru64 UNIX system can use the optional Access Control List (ACL) feature to control access to files and directories down to the granularity of a single user. An ACL can be associated with any file or directory on file systems that support property lists. An ACL allows users to specify exactly how they want their files protected. See Chapter 5 for information on using ACLs.
1.2 User Accountability
A trusted system holds all users accountable for the actions that they perform on the system. When you log in, the system associates an audit ID (AUID) with your processes; the AUID remains stamped on processes regardless of the program being run. Even if you change your real or effective user ID (for example, by using su to become root or another user), the system still knows which authenticated user caused a specific action based on the identity recorded in the indelible AUID.
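The distinction between the user IDs a process runs with and the AUID it carries is what makes attribution work. The block below is an added illustration, not Tru64 UNIX code: the trail is constructed text in a key=value layout assumed for the example (Tru64 audit records are binary and are read with the administrator's audit tools, not parsed like this). It shows a user who logs in, uses su to become root, and removes a file; grouping by AUID attributes the root actions to the user who authenticated.

```python
"""Attributing actions to the authenticated user through the audit ID.

Added illustration, not Tru64 UNIX code: the record layout and the sample
trail below are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed trail: user 1001 logs in, runs su (uid becomes 0), then removes a
# file. The AUID stays 1001 on every record even after the uid changed.
SAMPLE_TRAIL = """\
auid=1001 uid=1001 euid=1001 event=login tty=tty01 result=success
auid=1001 uid=1001 euid=1001 event=exec path=/usr/bin/su result=success
auid=1001 uid=0 euid=0 event=exec path=/bin/rm result=success
auid=1001 uid=0 euid=0 event=unlink path=/etc/motd result=success
auid=1002 uid=1002 euid=1002 event=login tty=tty02 result=success
auid=1002 uid=1002 euid=1002 event=open path=/etc/passwd result=failure
"""


def parse_record(line: str) -> Dict[str, str]:
    """One 'key=value key=value ...' line into a dict (assumed layout)."""
    return dict(field.split("=", 1) for field in line.split())


def parse_trail(text: str) -> List[Dict[str, str]]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def actions_by_auid(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Everything each authenticated user did, whatever uid the process had."""
    out: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        action = rec["event"] + (":" + rec["path"] if "path" in rec else "")
        out[rec["auid"]].append(action)
    return dict(out)


def privileged_actions(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Actions taken with effective uid 0 whose AUID is not 0: root activity
    that traces back to a non-root authenticated user."""
    return [(rec["auid"], rec["event"], rec.get("path", ""))
            for rec in records if rec["euid"] == "0" and rec["auid"] != "0"]


if __name__ == "__main__":
    trail = parse_trail(SAMPLE_TRAIL)
    for auid, actions in actions_by_auid(trail).items():
        print(auid, actions)
    print(privileged_actions(trail))
```

Grouping the same trail by uid instead would file the unlink under uid 0 with no way back to the person; grouping by AUID is what the text means by accountability surviving su.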
The system maintains an extensive authentication profile describing the characteristics and capabilities of each user - for example, the particular login restrictions on the user.
The extra security features added to the login procedure make it much harder for an unauthorized user to break into a trusted system. In addition, because a trusted system displays the last successful and last unsuccessful login attempts when you log in, you can more easily detect a penetration or attempted penetration of your account. Note, however, that these additional assurances are useless if you do not protect your password.
1.3 User Responsibilities
As a user of a trusted system, you must help protect the information that is stored and processed on the system. Specifically, you must do the following:
Guard your password to protect against unaccountable access to your account.
Apply strict discretionary access controls, including the use of access control lists, to protect your data from disclosure or destruction.
Report all suspect activity to the system administrator, so that past events can be analyzed through the audit trail.
A trusted Tru64 UNIX system provides tools and mechanisms that help the system maintain the level of trust for which the system was designed. These are described in subsequent chapters.