The Information System Security Officer (ISSO) is traditionally responsible for assigning the devices that are included in the system's trusted computing base (TCB) and for defining the security characteristics of those devices. On a Tru64 UNIX system, root access is required to assign devices. The trusted Tru64 UNIX system supports terminals as part of the TCB. This chapter describes how to define those devices in a secure system.
8.1 Defining Security Characteristics
The ISSO traditionally defines the security characteristics of all the terminals that are part of the system using the dxdevices program. To do this, the ISSO performs the following tasks:
Creates and maintains device-specific information. The ISSO can override system defaults for an individual device, where appropriate, to grant additional rights or to impose additional restrictions. The ISSO can also lock a terminal to prevent use.
Sets default control parameters for the devices that are included in the system's secure configuration. The system defaults for terminals are as follows:
Maximum number of unsuccessful login attempts is 10.
The login timeout is unset as shipped; an unset value implicitly defaults to 0, which is treated as infinite.
Delay between unsuccessful login attempts is 2 seconds.
The ISSO is usually responsible for ensuring that all device assignments, whether they are set explicitly or by default, conform to a site's security requirements.
Before you create or modify a secure device, all of the typical device installation procedures required during ordinary system hardware and software installation must be completed. The special files for devices must exist in the /dev directory and have the appropriate permissions. The special files for terminals must be owned by root, have the group set to tty, and have the mode set to 0620. You can verify that the installation has been completed with the ls command.
The following example is typical (mode 0620 is displayed by ls as crw--w----):
# ls -lg /dev/tty*
crw--w----  1 root  tty    0,  2 Aug 15 09:29 /dev/tty00
crw--w----  1 root  tty    0,  3 Aug 15 09:29 /dev/tty01
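Checking a handful of files by eye is fine, but on a system with many terminal lines the ownership and mode requirement above is easier to verify with a script. The following POSIX shell script is an added example, not part of this manual or of Tru64's own tools: it parses ls -lg style listing lines and reports every special file that is not owned by root, not in group tty, or not mode 0620. The listing embedded in it is constructed for the example (only /dev/tty00 is compliant), and the function names are the author's own.

```shell
#!/bin/sh
# Added example: audit terminal special files against the requirement stated
# in this chapter (owner root, group tty, mode 0620, shown by ls as crw--w----).
# The listing below is constructed for the example; only /dev/tty00 complies.
SAMPLE_LISTING='crw--w----  1 root  tty    0,  2 Aug 15 09:29 /dev/tty00
crw-rw-rw-  1 root  tty    0,  3 Aug 15 09:29 /dev/tty01
crw--w----  1 bin   tty    0,  4 Aug 15 09:29 /dev/tty02
crw--w----  1 root  wheel  0,  5 Aug 15 09:29 /dev/tty03'

# check_tty_line LINE: returns 0 when LINE (one "ls -lg" output line) describes
# a character device owned by root, group tty, mode 0620.  Otherwise each
# deviation is reported on stderr and the function returns 1.
check_tty_line() {
    line=$1
    path=${line##* }                 # the path is the last whitespace-separated word
    set -- $line                     # perms, links, owner, group, major, minor, ...
    perms=$1
    owner=$3
    group=$4
    status=0
    [ "$perms" = "crw--w----" ] || { echo "$path: mode is not 0620 ($perms)" >&2; status=1; }
    [ "$owner" = root ] || { echo "$path: owner is $owner, expected root" >&2; status=1; }
    [ "$group" = tty ]  || { echo "$path: group is $group, expected tty" >&2; status=1; }
    return $status
}

# count_noncompliant LISTING: prints the number of listing lines that fail the check.
count_noncompliant() {
    bad=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        check_tty_line "$l" || bad=$((bad + 1))
    done <<EOF
$1
EOF
    echo $bad
}

# On a Tru64 system the live check would be (assumed, not run here):
#   count_noncompliant "$(ls -lg /dev/tty*)"
echo "Auditing constructed sample listing:"
n=$(count_noncompliant "$SAMPLE_LISTING")
echo "$n non-compliant terminal special file(s)"
```

Deviations go to stderr so that the count printed by count_noncompliant can be captured cleanly; a non-zero count is the signal that a device was installed without the permissions the secure configuration expects.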
8.1.1 Modifying, Adding, and Removing Devices with the dxdevices Program
Using the Devices dialog box, select the Modify/Create dialog box, then the Select devices dialog box. To add or remove a device, first select or enter the device, then click on File to make the required changes. To modify a device, first select the device, then click on Modify to make the required changes. See the online help for dxdevices for more information.
8.1.2 Setting Default Values with the dxdevices Program
Using the Devices dialog box, select the Defaults dialog box. Set the system defaults for all of your terminals as required. A terminal uses these defaults unless specifically overridden by settings in the Modify Terminal dialog box. See the online help for dxdevices for more information.
8.2 Updating Security Databases
When you assign device defaults or device-specific parameters, the system updates the following security databases:
The system defaults database, /etc/auth/system/default, contains the default values (for example, default control parameters) for all system devices.
The device assignment database, /etc/auth/system/devassign, contains device-specific values for system devices.
The terminal control database, /etc/auth/system/ttys.db, contains device-specific values for authentication (for example, the number of failed login attempts).
Each device to be used in your secure configuration must have an entry in the device assignment database. This database centralizes information about the security characteristics of all system devices. It includes the device pathname and type. By default a wildcard entry exists for terminals (but not X displays) in the /etc/auth/system/ttys.db and /etc/auth/system/devassign databases. The X display entries shipped on the system have :t_login_timeout#0: entries in them, in case a site changes its system default login timeout. If wildcard X display entries are needed, they can be created as follows:
# echo '*\:*:t_devname=*\:*:t_login_timeout#0:t_xdisplay:chkent:' \
  | /tcb/bin/edauth -s -dt
# echo '*\:*:v_type=xdisplay:chkent:' | /tcb/bin/edauth -s -dv
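The entries piped to edauth above are in the colon-separated capability format of ttys.db and devassign: each field is either name=string, name#number, or a bare name that acts as a flag, and a colon that is part of a value (the X display name *:*) is escaped as \:. The following POSIX shell functions are an added example, not part of this manual or of Tru64's edauth, showing how to read such an entry back while honouring that escape; the terminal entry and its login timeout value are constructed for the example, and the function names are the author's own.

```shell
#!/bin/sh
# Added example: read one entry in the colon-separated capability format that
# the edauth commands in this chapter write to ttys.db and devassign.  As the
# entries on the page show, a field is name=string, name#number or a bare flag,
# and a literal colon inside a field is written "\:".

# The wildcard X display entry from the chapter.
SAMPLE_XDISPLAY='*\:*:t_devname=*\:*:t_login_timeout#0:t_xdisplay:chkent:'
# A terminal entry constructed for this example (the timeout value is invented).
SAMPLE_TTY='tty00:t_devname=tty00:t_login_timeout#300:chkent:'

# authcap_fields ENTRY: print the fields one per line with "\:" restored to ":".
# The first line is the entry name.
authcap_fields() {
    printf '%s\n' "$1" | awk '
    {
        gsub(/\\:/, "@@COLON@@")           # protect escaped colons before splitting
        n = split($0, f, ":")
        for (i = 1; i <= n; i++) {
            if (f[i] == "") continue       # the trailing ":" leaves an empty field
            gsub(/@@COLON@@/, ":", f[i])
            print f[i]
        }
    }'
}

# authcap_name ENTRY: print the entry name (first field).
authcap_name() {
    authcap_fields "$1" | sed 1q
}

# authcap_get ENTRY NAME: print the value of capability NAME ("yes" for a bare
# flag); print nothing and return 1 when the entry does not carry NAME.
authcap_get() {
    authcap_fields "$1" | awk -v want="$2" '
    BEGIN { eq = want "="; num = want "#" }
    NR > 1 && $0 == want        { print "yes"; found = 1; exit }
    NR > 1 && index($0, eq) == 1 { print substr($0, length(want) + 2); found = 1; exit }
    NR > 1 && index($0, num) == 1 { print substr($0, length(want) + 2); found = 1; exit }
    END { if (!found) exit 1 }'
}

# login_timeout ENTRY: the effective t_login_timeout; per section 8.1 an unset
# value defaults to 0, which the system treats as infinite.
login_timeout() {
    v=$(authcap_get "$1" t_login_timeout) || v=0
    echo "$v"
}

for e in "$SAMPLE_XDISPLAY" "$SAMPLE_TTY"; do
    echo "entry $(authcap_name "$e"): login timeout $(login_timeout "$e"), xdisplay=$(authcap_get "$e" t_xdisplay || echo no)"
done
```

Splitting on every colon without first protecting the \: escape would turn the name *:* into two fields and silently misread the wildcard X display entry, which is the kind of mistake that makes a site believe a timeout is set when it is not.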