| Title and Copyright Information |
| About This Manual |
| Audience |
| New and Changed Features |
| Organization |
| Related Documentation |
| Reader's Comments |
| Conventions |
| Part 1 -- User's Guide to Security |
| 1 | Introduction for Users |
| 1.1 | Security Features |
| 1.1.1 | Login Control Enhancements |
| 1.1.2 | Password Enhancements |
| 1.1.3 | Audit Subsystem |
| 1.1.4 | ACLs |
| 1.2 | User Accountability |
| 1.3 | User Responsibilities |
| 2 | Getting Started |
| 2.1 | Logging In |
| 2.1.1 | Authentication Profile |
| 2.1.2 | Other Login Restrictions |
| 2.2 | Setting Your Password |
| 2.2.1 | Choosing Your Own Password |
| 2.2.2 | Choosing a System-Generated Password |
| 2.2.3 | Understanding Password Aging |
| 2.3 | Using the su Command |
| 2.4 | Password Security Tips |
| 2.5 | Login and Logout Security Tips |
| 2.6 | Problem Solving |
| 2.6.1 | Passwords |
| 2.6.2 | Background Jobs |
| 2.6.3 | Sticky Directories |
| 2.6.4 | SUID/SGID Clearing |
| 2.6.5 | Access Control Lists |
| 2.6.6 | If You Cannot Log In |
| 3 | Connecting to Other Systems |
| 3.1 | The TCP/IP Commands |
| 3.1.1 | The rlogin, rcp, and rsh Commands |
| 3.1.2 | The hosts.equiv File |
| 3.1.3 | The .rhosts File |
| 3.1.4 | The ftp Command |
| 3.1.5 | The tftp Command |
| 3.1.6 | Remote Connection Security Tips |
| 3.2 | LAT Commands |
| 3.3 | The UUCP Utility |
| 3.3.1 | The uucp Command |
| 3.3.2 | The tip and cu Commands |
| 3.3.3 | The uux Command |
| 3.4 | The dlogin, dls, and dcp Commands |
| 4 | Common Desktop Environment |
| 4.1 | External Access to Your Display |
| 4.2 | Controlling Network Access to Your Workstation |
| 4.2.1 | Host Access Control List |
| 4.2.2 | Authorization Data |
| 4.2.3 | Using the X Authority File Utility |
| 4.3 | Protecting Screen Information |
| 4.4 | Blocking Keyboard and Mouse Information |
| 4.5 | Pausing Your Workstation |
| 4.6 | Workstation Physical Security |
| 5 | Using ACLs on Files and Directories |
| 5.1 | Traditional UNIX File Permissions |
| 5.2 | Why Use ACLs? |
| 5.3 | ACL Status on Your System |
| 5.4 | Setting and Viewing ACLs |
| 5.4.1 | Using the dxsetacl Interface |
| 5.4.2 | Using the setacl Command |
| 5.4.3 | Using the getacl Command |
| 5.4.4 | ACLs and the ls Command |
| 5.5 | ACL Structure |
| 5.6 | Access Decision Process |
| 5.7 | ACL Inheritance |
| 5.7.1 | Inheritance Matrix |
| 5.7.2 | ACL Inheritance Examples |
| 5.8 | Interaction of ACLs with Commands, Utilities, and Applications |
| Part 2 -- Administrator's Guide to Security |
| 6 | Introduction for Administrators |
| 6.1 | Frequently Asked Questions About Trusted Systems |
| 6.2 | Defining a Trusted System |
| 6.3 | Enhanced Security Features |
| 6.3.1 | Audit Features |
| 6.3.2 | Identification and Authentication (I and A) Features |
| 6.3.3 | Access Control Lists (ACLs) |
| 6.3.4 | Integrity Features |
| 6.3.5 | Security db Utilities |
| 6.4 | Graphical Administration Utilities |
| 6.4.1 | Installing and Configuring Enhanced Security |
| 6.5 | Administering the Trusted Operating System |
| 6.5.1 | Traditional Administrative Roles |
| 6.5.1.1 | Responsibilities of the Information Systems Security Officer |
| 6.5.1.2 | Responsibilities of the System Administrator |
| 6.5.1.3 | Responsibilities of the Operator |
| 6.5.2 | Protected Subsystems |
| 6.5.2.1 | Enhanced (Protected) Password Database |
| 6.5.2.2 | System Defaults Database |
| 6.5.2.3 | Terminal Control Database |
| 6.5.2.4 | File Control Database |
| 6.5.2.5 | Device Assignment Database |
| 6.6 | Enhanced Security in a Cluster Environment |
| 6.6.1 | Installation Time Configuration |
| 6.6.2 | Postinstallation Configuration |
| 7 | Setting Up the Trusted System |
| 7.1 | Installation Notes |
| 7.1.1 | Full Installation |
| 7.1.2 | Update Installation |
| 7.2 | Segment Sharing |
| 7.3 | Installation Time Setup for Security |
| 7.4 | The secconfig Utility |
| 7.4.1 | Setup Questions |
| 7.4.2 | Invoking secconfig |
| 7.5 | Configuring Security Features |
| 7.5.1 | Configuring Audit |
| 7.5.2 | Configuring ACLs |
| 7.5.3 | Configuring Enhanced Authentication with NIS |
| 7.5.4 | Authentication Features Configuration |
| 7.5.4.1 | Aging |
| 7.5.4.2 | Minimum Change Time |
| 7.5.4.3 | Changing Controls |
| 7.5.4.4 | Maximum Login Attempts |
| 7.5.4.5 | Time Between Login Attempts |
| 7.5.4.6 | Time Between Logins |
| 7.5.4.7 | Per-Terminal Login Records |
| 7.5.4.8 | Successful Login Logging |
| 7.5.4.9 | Failed Login Logging |
| 7.5.4.10 | Automatic Enhanced Profile Creation |
| 7.5.4.11 | Vouching |
| 7.5.4.12 | Encryption |
| 7.6 | System Administrator Tasks |
| 7.7 | ISSO Tasks |
| 7.7.1 | Check System Defaults |
| 7.7.2 | Modifying a User Account |
| 7.7.3 | Assigning Terminal Devices |
| 7.7.4 | Setting Up Auditing |
| 7.8 | Backing the System Up |
| 8 | Creating and Modifying Secure Devices |
| 8.1 | Defining Security Characteristics |
| 8.1.1 | Modifying, Adding, and Removing Devices with the dxdevices Program |
| 8.1.2 | Setting Default Values with the dxdevices Program |
| 8.2 | Updating Security Databases |
| 9 | Creating and Maintaining Accounts |
| 9.1 | Authentication Subsystem |
| 9.1.1 | Local User Account Databases |
| 9.1.1.1 | Local Database: Base Security |
| 9.1.1.2 | Local Database: Enhanced Security |
| 9.1.1.3 | Templates for User Accounts |
| 9.1.2 | Distributing User Account Databases with NIS |
| 9.1.2.1 | Distributed Databases: NIS and Base Security |
| 9.1.2.2 | Distributed Databases: NIS and Enhanced Security |
| 9.1.2.3 | Templates for NIS Accounts |
| 9.2 | Using dxaccounts for User Account Administration |
| 9.2.1 | Creating Local or NIS Groups |
| 9.2.2 | Creating Local or NIS User Accounts |
| 9.2.3 | Retiring Local or NIS Accounts (Enhanced Security Only) |
| 9.2.4 | Deleting Local or NIS Accounts (Base Security Only) |
| 9.2.5 | Modifying the Local or NIS Account Template |
| 9.2.6 | Modifying Local or NIS User Accounts |
| 9.3 | Using Commands for User Account Administration |
| 9.3.1 | Creating Local or NIS Groups |
| 9.3.2 | Creating Local or NIS User Accounts |
| 9.3.3 | Retiring Local or NIS Accounts (Enhanced Security Only) |
| 9.3.4 | Deleting Local or NIS Accounts (Base Security Only) |
| 9.3.5 | Modifying Local or NIS User Accounts |
| 9.4 | Other Commands Associated with User Account Administration |
| 9.5 | NIS and Enhanced Security |
| 9.5.1 | Setting Up a NIS Master with Enhanced Security |
| 9.5.1.1 | Manual Procedure: Maps for Small User Account Databases |
| 9.5.1.2 | Automated Procedure: Maps for Large User Account Databases |
| 9.5.2 | Setting Up a NIS Slave Server with Enhanced Security |
| 9.5.3 | Setting Up a NIS Client with Enhanced Security |
| 9.5.4 | Moving Local Accounts to NIS |
| 9.5.5 | Removing NIS Support |
| 9.5.6 | Implementation Notes |
| 9.5.7 | Troubleshooting NIS |
| 10 | Administering the Audit Subsystem |
| 10.1 | Overview of Auditing |
| 10.1.1 | Audit Files |
| 10.1.2 | Audit Tools |
| 10.1.2.1 | Command-Line Interface |
| 10.1.2.2 | Graphical Interface |
| 10.2 | Basic Audit Configuration |
| 10.3 | Advanced Configuration of Audit |
| 10.4 | Audit Commands |
| 10.4.1 | Configuring the Audit Subsystem: the |
| 10.4.2 | Selecting Events to Audit: The |
| 10.4.3 | Producing Audit Reports: The |
| 10.5 | What to Audit |
| 10.5.1 | Trusted Events |
| 10.5.2 | Site-Defined Audit Events |
| 10.5.3 | Dependencies Among Audit Events |
| 10.6 | Managing the Volume of Audit Data |
| 10.6.1 | Before the Audit Data Is Collected |
| 10.6.1.1 | Audit Masks and Control Flags |
| 10.6.1.2 | Event Aliases |
| 10.6.1.3 | Object Selection and Deselection |
| 10.6.1.4 | Audit Profiles and Categories |
| 10.6.1.5 | Audit Subsystem Startup Defaults |
| 10.6.2 | After the Data Has Been Collected |
| 10.6.2.1 | Audit Log Trim Procedures |
| 10.7 | Auditing Across a Network |
| 10.8 | Contents of Audit Records |
| 10.8.1 | Additional Entries in Audit Records |
| 10.8.2 | Example Audit Record |
| 10.8.3 | Abbreviated Audit Records |
| 10.9 | More About Generating Audit Reports |
| 10.9.1 | Filtering Out Specific Audit Records |
| 10.9.2 | Targeting Active Processes |
| 10.10 | Audit Data Recovery |
| 10.11 | Implementation Notes |
| 10.12 | Responding to Audit Reports |
| 10.13 | Using Audit to Trace System Calls |
| 10.13.1 | Tracing a Process |
| 10.13.2 | Reading the Trace Data |
| 10.13.3 | Modifying the Kernel to Get More Data for a System Call |
| 10.14 | Traditional UNIX Logging Tools |
| 11 | Administering ACLs |
| 11.1 | ACL Subsystem Overview |
| 11.2 | Administration Tasks |
| 11.3 | Installing ACLs |
| 11.3.1 | Enabling and Disabling ACLs |
| 11.3.2 | Enabling ACLs on NFS |
| 11.4 | Recovery |
| 11.5 | Standalone System Support |
| 11.6 | Archival Tool Interaction with ACLs |
| 11.6.1 | pax and tar |
| 11.6.2 | dump and restore |
| 11.7 | ACL Size Limitations |
| 12 | Ensuring Authentication Database Integrity |
| 12.1 | Composition of the Authentication Database |
| 12.2 | Running the authck Program |
| 12.3 | Adding Applications to the File Control Database |
| 12.4 | Recovery of /etc/passwd Information |
| 13 | Security Integration Architecture |
| 13.1 | SIA Overview |
| 13.2 | Supported Security Configurations |
| 13.3 | matrix.conf Files |
| 13.4 | Installing a Layered Security Product |
| 13.5 | Installing Multiple Layered Security Products |
| 13.6 | Removing Layered Security Products |
| 13.7 | SIA Logging |
| 14 | Trusted System Troubleshooting |
| 14.1 | Lock Files |
| 14.2 | Required Files and File Contents |
| 14.2.1 | The /tcb/files/auth.db Database |
| 14.2.2 | The /etc/auth/system/ttys.db File |
| 14.2.3 | The /etc/auth/system/default File |
| 14.2.4 | The /etc/auth/system/devassign File |
| 14.2.5 | The /etc/passwd File |
| 14.2.6 | The /etc/group File |
| 14.2.7 | The /sbin/rc[023] Files |
| 14.2.8 | The /dev/console File |
| 14.2.9 | The /dev/pts/* and /dev/tty* Files |
| 14.2.10 | The /sbin/sulogin File |
| 14.2.11 | The /sbin/sh File |
| 14.2.12 | The /vmunix File |
| 14.3 | Problems Logging In or Changing Passwords |
| Part 3 -- Programmer's Guide to Security |
| 15 | Introduction for Programmers |
| 15.1 | Libraries and Header Files |
| 15.2 | Standard Trusted System Directories |
| 15.3 | Security-Relevant System Calls and Library Routines |
| 15.3.1 | System Calls |
| 15.3.2 | Library Routines |
| 15.4 | Defining the Trusted Computing Base |
| 15.5 | Protecting TCB Files |
| 15.5.1 | Secure Applications |
| 16 | Trusted Programming Techniques |
| 16.1 | Writing SUID and SGID Programs |
| 16.2 | Handling Errors |
| 16.3 | Protecting Permanent and Temporary Files |
| 16.4 | Specifying a Secure Search Path |
| 16.5 | Responding to Signals |
| 16.6 | Using Open File Descriptors with Child Processes |
| 16.7 | Security Concerns in X Environment |
| 16.7.1 | Protect Keyboard Input |
| 16.7.2 | Block Keyboard and Mouse Events |
| 16.7.3 | Protect Device-Related Events |
| 16.8 | Protecting Shell Scripts |
| 17 | Authentication Database |
| 17.1 | Accessing the Databases |
| 17.2 | Database Components |
| 17.2.1 | Database Form |
| 17.2.2 | Reading and Writing a Database |
| 17.2.2.1 | Buffer Management |
| 17.2.2.2 | Reading an Entry by Name or ID |
| 17.2.2.3 | Reading Entries Sequentially |
| 17.2.2.4 | Using System Defaults |
| 17.2.2.5 | Writing an Entry |
| 17.3 | Device Assignment Database (devassign) |
| 17.4 | File Control Database (file) |
| 17.5 | System Default Database (default) |
| 17.6 | Enhanced (Protected) Password Database (prpasswd or auth) |
| 17.7 | Terminal Control Database (ttys) |
| 18 | Identification and Authentication |
| 18.1 | The Audit ID |
| 18.2 | Identity Support Libraries |
| 18.3 | Using Daemons |
| 18.4 | Using the Enhanced (Protected) Password Database |
| 18.5 | Example: Password Expiration Program |
| 18.6 | Password Handling |
| 19 | Audit Record Generation |
| 19.1 | Introduction |
| 19.2 | Audit Events |
| 19.3 | Audit Records and Tokens |
| 19.3.1 | Public Tokens |
| 19.3.2 | Private Tokens |
| 19.4 | Audit Flag and Masks |
| 19.5 | Disabling System-Call Auditing for the Current Process |
| 19.6 | Modifying System-Call Auditing for the Current Process |
| 19.7 | Application-Specific Audit Records |
| 19.8 | Site-Defined Events |
| 19.8.1 | Sample site_events File |
| 19.8.2 | Example - Generating an Audit Record for a Site-Defined Audit Event |
| 19.9 | Creating Your Own Audit Logs |
| 19.10 | Parsing an Audit Log |
| 19.10.1 | Overview of Audit Log Format and List of Common Tuples |
| 19.10.2 | Binary Audit Log Record Format |
| 19.10.3 | Token/Tuple Byte Descriptions |
| 19.10.4 | Parsing Tuples |
| 20 | Using the SIA Interface |
| 20.1 | Overview |
| 20.2 | SIA Layering |
| 20.3 | System Initialization |
| 20.4 | Libraries |
| 20.5 | Header Files |
| 20.6 | SIAENTITY Structure |
| 20.7 | Parameter Collection |
| 20.8 | Maintaining State |
| 20.9 | Return Values |
| 20.10 | Debugging and Logging |
| 20.11 | Integrating Security Mechanisms |
| 20.12 | Session Processing |
| 20.12.1 | Session Initialization |
| 20.12.2 | Session Authentication |
| 20.12.3 | Session Establishment |
| 20.12.4 | Session Launch |
| 20.12.5 | Session Release |
| 20.12.6 | Specific Session Processing |
| 20.12.6.1 | The login Process |
| 20.12.6.2 | The rshd Process |
| 20.12.6.3 | The rlogind Process |
| 20.13 | Changing Secure Information |
| 20.13.1 | Changing a User's Password |
| 20.13.2 | Changing a User's Finger Information |
| 20.13.3 | Changing a User's Shell |
| 20.14 | Accessing Security Information |
| 20.14.1 | Accessing /etc/passwd Information |
| 20.14.2 | Accessing /etc/group Information |
| 20.15 | Session Parameter Collection |
| 20.16 | Packaging Products for the SIA |
| 20.17 | Security Mechanism-Dependent Interface |
| 20.18 | Single-User Mode |
| 21 | Programming with ACLs |
| 21.1 | Introduction to ACLs |
| 21.2 | ACL Data Representations |
| 21.2.1 | Internal Data Representation |
| 21.2.1.1 | typedef struct acl *acl_t; |
| 21.2.1.2 | typedef struct acl_entry *acl_entry_t; |
| 21.2.1.3 | typedef uint_t acl_type_t; |
| 21.2.1.4 | typedef uint acl_tag_t; |
| 21.2.1.5 | typedef uint_t acl_perm_t; |
| 21.2.1.6 | typedef acl_perm_t *acl_permset_t; |
| 21.2.1.7 | Contiguous Internal Representation ACL |
| 21.2.2 | External Representation |
| 21.3 | ACL Library Routines |
| 21.4 | ACL Rules |
| 21.4.1 | Object Creation |
| 21.4.2 | ACL Replication |
| 21.4.3 | ACL Validity |
| 21.5 | ACL Creation Example |
| 21.6 | ACL Inheritance Example |
| A | File Summary |
| B | Auditable Events and Aliases |
| B.1 | Default Auditable Events File |
| B.2 | Sample Event Aliases File |
| C | Interoperating with and Migrating from ULTRIX Systems |
| C.1 | Migration Issues |
| C.1.1 | Difference in the audgen System Call |
| C.1.2 | Differences in the audcntl Routine |
| C.1.3 | Changes to the authaudit Routines |
| C.1.4 | Difference in the Authentication Interfaces |
| C.1.5 | Differences in Password Encryption |
| C.1.6 | Trusted Path Unavailable on Tru64 UNIX |
| C.1.7 | Secure Attention Key (SAK) Unavailable on Tru64 UNIX |
| C.2 | Moving ULTRIX Authentication Files to Tru64 UNIX |
| C.2.1 | Converting Shared Authentication Files |
| C.2.2 | Converting Local Authentication Files |
| C.2.3 | After Converting the Authentication Files |
| C.3 | Audit Data Compatibility |
| D | Coding Examples |
| D.1 | Source Code for sia-reauth.c |
| D.2 | Source Code for sia-suauth.c |
| E | Symbol Preemption for SIA Routines |
| E.1 | Overview of the Symbol Preemption Problem |
| E.2 | The Tru64 UNIX Solution |
| E.3 | Replacing the Single-User Environment |
| F | C2 Level Security Configuration |
| F.1 | Evaluation Status |
| F.2 | Establishing a Security Policy |
| F.3 | Minimum C2 Configuration |
| F.4 | Initial Configuration |
| F.4.1 | General Configuration |
| F.4.2 | Enhanced Passwords and Authentication Using secconfig |
| F.4.3 | Libraries |
| F.4.4 | Account Prototypes and Templates |
| F.4.5 | Configuring the Audit Subsystem |
| F.4.6 | Configuring ACLs |
| F.4.7 | Verifying That Your Installation Is Secure |
| F.4.8 | Configuring Network Security |
| F.4.9 | Postinstallation Security Configuration |
| F.4.9.1 | umask for Remote Access |
| F.4.9.2 | Devices |
| F.4.9.3 | Accounts |
| F.4.9.4 | Root Access |
| F.4.10 | Network Configuration |
| F.5 | Physical Security |
| F.6 | Applications |
| F.7 | Periodic Security Administration Procedures |
| F.8 | Documents |
| F.9 | Tools |
| G | Enhanced Security in a Cluster |
| G.1 | Overview of Security in a Cluster |
| G.2 | Enabling Security Features in a Cluster |
| G.2.1 | Access Control Lists |
| G.2.2 | Audit |
| G.2.3 | Authentication |
| G.2.4 | Distributed Logins and NIS |
| G.2.5 | Configuring a NIS Master in a Cluster with Enhanced Security |
| G.3 | Authentication in a Cluster |
| G.4 | Auditing in a Cluster |
| G.4.1 | Cluster Command Examples |
| G.5 | Restrictions |
| G.5.1 | Upgrades |
| G.5.2 | Terminal Logging |
| H | Division of Administrative Privileges |
| H.1 | Assigning System Administration Privileges Using dop |
| H.1.1 | Invoking dop |
| H.1.2 | Using the dop Command Line |
| H.1.2.1 | Launching Privileged Actions (Tasks) |
| H.1.2.2 | Administering the DOP Database |
| H.1.3 | Viewing or Modifying Privileges Using SysMan |
| Glossary |
| Examples |
| 10-1 | Sample Active Auditing Session |
| 13-1 | Default /etc/sia/matrix.conf File |
| 13-2 | Changing a Layered Security Product |
| 18-1 | Password Expiration Program |
| 20-1 | The SIAENTITY Structure |
| 20-2 | The sia.h Interface Definition for Parameter Collection |
| 20-3 | Typical /var/adm/sialog File |
| 20-4 | Session Processing Code for the login Command |
| D-1 | Reauthentication Program |
| D-2 | Superuser Authentication Program |
| E-1 | Preempting Symbols in Single-User Mode |
| Figures |
| 5-1 | File and Directory Permission Fields |
| 10-1 | The Audit Subsystem |
| 10-2 | Audit Report Formats |
| 10-3 | System and Process Audit Mask Interaction |
| 13-1 | Security Integration Architecture |
| 20-1 | SIA Layering |
| 20-2 | SIA Session Processing |
| G-1 | Audit Data Flow in a Cluster |
| Tables |
| 5-1 | Differences Between File and Directory Permissions |
| 5-2 | Example ACL Entries |
| 6-1 | Potential System Threats |
| 6-2 | Traditional Administrative Roles |
| 6-3 | Protected Subsystems |
| 9-1 | Controlling NIS with Local /etc/passwd Overrides |
| 9-2 | NIS Troubleshooting |
| 10-1 | Files Used for Auditing |
| 10-2 | auditd Examples |
| 10-3 | State-Dependent Information |
| 10-4 | System Calls Not Always Audited |
| 10-5 | Traditional UNIX Log Files in /var/adm |
| 15-1 | Standard Trusted System Directories |
| 15-2 | Security-Relevant System Calls |
| 15-3 | Security-Relevant Library Routines |
| 19-1 | Default Tuples Common to Most Audit Records |
| 19-2 | Token/Tuple Byte Descriptions |
| 20-1 | Security-Sensitive Operating System Commands |
| 20-2 | SIA Mechanism-Independent Routines |
| 20-3 | SIA Mechanism-Dependent Routines |
| 21-1 | ACL Entry External Representation |
| A-1 | Trusted Computing Base |
| A-2 | Files Not in Trusted Computing Base |
| Index |