This chapter describes the Tru64 UNIX security framework called the Security Integration Architecture (SIA). The chapter discusses the following topics:
- Overview of the SIA
- Supported security configurations
- SIA's matrix.conf file
- Installation and deletion of layered security products
13.1 Overview of the SIA
All security authentication mechanisms that run on the Tru64 UNIX operating system run under the Security Integration Architecture (SIA) layer. The SIA allows you to layer various local and distributed security authentication mechanisms onto Tru64 UNIX with no modification to the security-sensitive Tru64 UNIX commands, such as login, su, and passwd. The SIA isolates the security-sensitive commands from the specific security mechanisms, thus eliminating the need to modify them for each new security mechanism.
Any time a security mechanism is installed or deleted, the SIA is involved. You do not need to be concerned about the SIA layer if you do not install security products. Each time that a security-sensitive command is invoked, the SIA layer serves as an interface to code that depends upon security mechanisms.
Figure 13-1: Security Integration Architecture
13.2 Supported Security Configurations
The Tru64 UNIX operating system currently provides standard Berkeley security (BASE), which is limited to /etc/passwd local security with NIS extensions, and the optional enhanced security (ENHANCED), which includes enhanced password features (audit capability and ACLs can be enabled separately from enhanced security).
13.3 matrix.conf Files
The security configuration file that selects the appropriate installed security mechanism is the matrix.conf file. The system is provided with a default base (BSD) security matrix.conf file (/etc/sia/matrix.conf). The siacfg utility is used to automatically update matrix.conf for additional security mechanisms. Example 13-1 shows the default BSD matrix.conf file (/etc/sia/matrix.conf):
Example 13-1: Default /etc/sia/matrix.conf File
siad_init=(BSD,libc.so)
siad_chk_invoker=(OSFC2,libsecurity.so)
siad_ses_init=(OSFC2,libsecurity.so)
siad_ses_authent=(OSFC2,libsecurity.so)
siad_ses_estab=(OSFC2,libsecurity.so)
siad_ses_launch=(OSFC2,libsecurity.so)
siad_ses_suauthent=(OSFC2,libsecurity.so)
siad_ses_reauthent=(OSFC2,libsecurity.so)
siad_chg_finger=(OSFC2,libsecurity.so)
siad_chg_password=(OSFC2,libsecurity.so)
siad_chg_shell=(OSFC2,libsecurity.so)
siad_getpwent=(BSD,libc.so)
siad_getpwuid=(BSD,libc.so)
siad_getpwnam=(BSD,libc.so)
siad_setpwent=(BSD,libc.so)
siad_endpwent=(BSD,libc.so)
siad_getgrent=(BSD,libc.so)
siad_getgrgid=(BSD,libc.so)
siad_getgrnam=(BSD,libc.so)
siad_setgrent=(BSD,libc.so)
siad_endgrent=(BSD,libc.so)
siad_ses_release=(OSFC2,libsecurity.so)
siad_chk_user=(OSFC2,libsecurity.so)
See the matrix.conf(4) and siacfg(8) reference pages for more information.
13.4 Installing a Layered Security Product
Detailed instructions for installing layered security products are provided by the layered product. In general, you install a layered security product as follows:
1. Install the layered security product as described in the product's installation procedure.
2. Change directory to /etc/sia.
3. Run the siacfg utility.
4. Reboot your system.
13.5 Installing Multiple Layered Security Products
The Tru64 UNIX operating system supports the installation of multiple security products.
Detailed instructions for installing multiple layered security products are provided by the layered products. In general, you install multiple layered security products as follows:
1. Bring the system down to single-user mode using the /usr/sbin/shutdown now command.
2. Install the first layered security product as described in the product's installation procedure.
3. Install the subsequent layered security product, as described in the product's installation procedure.
4. Change directory to /etc/sia.
5. Run the siacfg utility for each layered security product.
6. Reboot your system.
13.6 Removing Layered Security Products
To remove a layered security product from your system, perform the following steps:
1. Verify that the installed layered security product has not changed the BSD security mechanism or associated files. This information is usually described in the documentation that came with the product.
   Note: If the BSD security mechanism cannot be restored (for example, the /etc/passwd file has been deleted), then the operating system must be reinstalled and reconfigured.
2. Bring the system down to single-user mode using the /usr/sbin/shutdown now command.
3. Remove the link to the layered security product's matrix.conf file using the siacfg -r command.
4. Reboot your system.
Example 13-2 shows how to delete a DCE layered security product and return to BASE security.
Example 13-2: Changing a Layered Security Product
# /usr/sbin/shutdown now
# /sbin/siacfg -r DCE
# /sbin/siacfg -l BSD libc.so
# /usr/sbin/reboot
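Because a matrix.conf that is malformed, or that no longer names a mechanism for some siad_* entry, takes effect at the next reboot, it is worth checking the file before rebooting, both after siacfg has added a product (Section 13.3) and after a product has been removed as in Example 13-2. The following parser and checker is an added example; it is not part of the Tru64 UNIX documentation and is not how siacfg itself is implemented. It assumes, beyond what the chapter states, that an entry may list several (mechanism,library) pairs separated by commas, that blank lines and lines starting with '#' are ignored, and it uses a constructed library name for the DCE product.

```python
"""Parse and sanity-check an SIA matrix.conf (added example, not the
Tru64 UNIX documentation's own code and not siacfg's implementation).

Assumptions not stated in the chapter: an entry may carry several
(mechanism,library) pairs separated by commas; blank lines and lines
starting with '#' are skipped; the DCE library name below is constructed.
"""
import re
from typing import Dict, List, Tuple

Pairs = List[Tuple[str, str]]

# Constructed sample: the default BSD matrix.conf from Example 13-1,
# one entry per line.
DEFAULT_MATRIX_CONF = """\
siad_init=(BSD,libc.so)
siad_chk_invoker=(OSFC2,libsecurity.so)
siad_ses_init=(OSFC2,libsecurity.so)
siad_ses_authent=(OSFC2,libsecurity.so)
siad_ses_estab=(OSFC2,libsecurity.so)
siad_ses_launch=(OSFC2,libsecurity.so)
siad_ses_suauthent=(OSFC2,libsecurity.so)
siad_ses_reauthent=(OSFC2,libsecurity.so)
siad_chg_finger=(OSFC2,libsecurity.so)
siad_chg_password=(OSFC2,libsecurity.so)
siad_chg_shell=(OSFC2,libsecurity.so)
siad_getpwent=(BSD,libc.so)
siad_getpwuid=(BSD,libc.so)
siad_getpwnam=(BSD,libc.so)
siad_setpwent=(BSD,libc.so)
siad_endpwent=(BSD,libc.so)
siad_getgrent=(BSD,libc.so)
siad_getgrgid=(BSD,libc.so)
siad_getgrnam=(BSD,libc.so)
siad_setgrent=(BSD,libc.so)
siad_endgrent=(BSD,libc.so)
siad_ses_release=(OSFC2,libsecurity.so)
siad_chk_user=(OSFC2,libsecurity.so)
"""

# Constructed variant: a DCE product layered in front of OSFC2 for session
# authentication.  "libdce_placeholder.so" is a placeholder, not a real library.
DCE_MATRIX_CONF = DEFAULT_MATRIX_CONF.replace(
    "siad_ses_authent=(OSFC2,libsecurity.so)",
    "siad_ses_authent=(DCE,libdce_placeholder.so),(OSFC2,libsecurity.so)",
)

PAIR = r"\([A-Za-z0-9_]+,[^,()\s]+\)"
ENTRY_RE = re.compile(rf"^(siad_[a-z_]+)=({PAIR}(?:,{PAIR})*)$")
PAIR_RE = re.compile(r"\(([A-Za-z0-9_]+),([^,()\s]+)\)")


def parse_matrix_conf(text: str) -> Dict[str, Pairs]:
    """Return {entry name: [(mechanism, library), ...]} in file order.

    Raises ValueError on a malformed or duplicated entry, i.e. on exactly
    the kind of file you do not want to reboot on."""
    entries: Dict[str, Pairs] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        name = match.group(1)
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate entry {name}")
        entries[name] = [(mech, lib) for mech, lib in PAIR_RE.findall(match.group(2))]
    return entries


# Every siad_* entry the default file defines; a layered product must keep
# all of them present.
REQUIRED_ENTRIES = frozenset(parse_matrix_conf(DEFAULT_MATRIX_CONF))


def check_matrix_conf(entries: Dict[str, Pairs]) -> List[str]:
    """List problems that would leave a security-sensitive command unhandled."""
    problems: List[str] = []
    for name in sorted(REQUIRED_ENTRIES - entries.keys()):
        problems.append(f"missing entry: {name}")
    for name in sorted(entries.keys() - REQUIRED_ENTRIES):
        problems.append(f"unknown entry: {name}")
    for name, pairs in entries.items():
        if not pairs:
            problems.append(f"no mechanism left for {name}")
    return problems


def remove_mechanism(entries: Dict[str, Pairs], mech: str) -> Dict[str, Pairs]:
    """Model of the effect of siacfg -r on the matrix: drop every pair that
    names `mech`.  Run check_matrix_conf() on the result before rebooting."""
    return {name: [p for p in pairs if p[0] != mech] for name, pairs in entries.items()}


def mechanisms(entries: Dict[str, Pairs]) -> set:
    """Mechanism names the file still references."""
    return {mech for pairs in entries.values() for mech, _ in pairs}


if __name__ == "__main__":
    layered = parse_matrix_conf(DCE_MATRIX_CONF)
    print("mechanisms before removal:", sorted(mechanisms(layered)))
    after = remove_mechanism(layered, "DCE")
    print("mechanisms after removal:", sorted(mechanisms(after)))
    print("problems:", check_matrix_conf(after) or "none")
```

The check that matters most is the "no mechanism left" case: if a product replaced an entry outright instead of layering in front of the BSD or OSFC2 mechanism, removing it with siacfg -r leaves that entry with nothing to call, which is why Example 13-2 re-links BSD with siacfg -l before rebooting.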
SIA will optionally record the success and failure of security-related commands in the /var/adm/sialog file. If the file exists, log entries are made by SIA. This procedure is recommended for debugging only.