This chapter looks at the security features provided by Tru64 UNIX. The first section provides a brief security overview (Section 9.1), after which the following topics are discussed:
Identification and authentication (Section 9.2)
Audit features (Section 9.3)
Discretionary access controls (Section 9.4)
Security administration (Section 9.5)
Object reuse (Section 9.6)
The protected environment for trusted components (Section 9.7)
Integrity features (Section 9.8)
Additional security features (Section 9.9)
9.1 Security Overview
Tru64 UNIX offers a range of security configuration options, and can be tailored to the appropriate security level of your installation. The range extends from traditional UNIX security, the default, to the optional enhanced security subsets that, when enabled, satisfy or exceed the requirements of the C2 evaluation class of DoD 5200.28-STD Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book.
For specific information, see the Security manual.
9.2 Identification and Authentication
Security Integration Architecture (SIA) allows a single set of identification and authentication (I and A) utilities to work in both base mode (as a nontrusted system) and in enhanced mode.
Base mode is the default and enhanced mode is available through optional security subsets. The SysMan interface can enable enhanced mode in one of two ways:
Shadow passwords only
Custom (providing the means to completely configure)
The following I&A features are provided on a system running enhanced security:
Password control
Configurable maximum password length up to 80 characters.
Configurable password lifetimes. This includes an optional minimum interval between password changes.
A floating value of the minimum password length, based directly on the Department of Defense Password Management Guideline (the Green Book) guidelines and the password lifetime.
User password-generation flags, which include the ability to require a user to have a generated password.
Recording of who (besides the user) last changed the user's password.
Login control
Optional recording of the last terminal and time of the last successful login and of the last unsuccessful login attempt.
Automatic account lockout after a specified number of consecutive bad access attempts (break-in detection and evasion).
A per-terminal setting for the delay between consecutive login attempts and the maximum amount of time each attempt is allowed before being declared a failed attempt.
A per-terminal setting for maximum consecutive failed login attempts before locking any new accesses from that terminal.
Differentiation between "retired" and "locked" accounts.
Configurable multilevel system default values for the various I&A fields (templates).
A CDE-based graphical interface (dxaccounts) to perform user-account management and other I&A administration tasks.
The edauth, convauth, and convuser utilities to ease the migration of accounts to the enhanced security level.
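The password-control and login-control items above describe policy parameters without showing how they interact. The following Python example, added here and not part of the Tru64 documentation or software, models two of them: the floating minimum password length, computed from the password lifetime with the DoD Password Management Guideline (Green Book) relation S = L * R / P, and break-in detection and evasion with separate per-account and per-terminal failure counters plus a per-terminal delay between attempts. All names, the class layout and the parameter values (guess rate, probability, alphabet size, thresholds) are assumptions made for this illustration, not Tru64's configuration fields.

```python
"""Added example (not Tru64 code): floating minimum password length (Green
Book formula) and consecutive-failure lockout per account and per terminal.
Every identifier and default value here is an assumption for illustration."""
import math
from dataclasses import dataclass, field

MAX_PASSWORD_LENGTH = 80  # the configurable upper bound mentioned in the text


def green_book_min_length(lifetime_days, guesses_per_minute,
                          max_guess_probability, alphabet_size):
    """Smallest length N with alphabet_size**N >= S, where S = L * R / P:
    L is the lifetime in minutes, R the guess rate an attacker can sustain
    and P the acceptable probability of a guess succeeding within L.
    A shorter lifetime lowers S, which is why the minimum length 'floats'."""
    lifetime_minutes = lifetime_days * 24 * 60
    space = lifetime_minutes * guesses_per_minute / max_guess_probability
    return math.ceil(math.log(space) / math.log(alphabet_size))


def password_length_ok(password, lifetime_days, guesses_per_minute=8.5,
                       max_guess_probability=1e-6, alphabet_size=36):
    """Apply the floating minimum and the fixed maximum (defaults assumed)."""
    minimum = green_book_min_length(lifetime_days, guesses_per_minute,
                                    max_guess_probability, alphabet_size)
    return minimum <= len(password) <= MAX_PASSWORD_LENGTH


@dataclass
class LoginControl:
    """Break-in detection and evasion: consecutive failures are counted per
    account and per terminal; reaching either limit locks that object, and a
    terminal rejects attempts that arrive faster than terminal_delay."""
    max_account_failures: int
    max_terminal_failures: int
    terminal_delay: float                               # seconds between attempts
    account_failures: dict = field(default_factory=dict)
    terminal_failures: dict = field(default_factory=dict)
    locked_accounts: set = field(default_factory=set)
    locked_terminals: set = field(default_factory=set)
    last_attempt: dict = field(default_factory=dict)    # terminal -> time
    last_login: dict = field(default_factory=dict)      # user -> success/failure records

    def attempt(self, user, terminal, now, password_ok):
        if user in self.locked_accounts:
            return "locked-account"
        if terminal in self.locked_terminals:
            return "locked-terminal"
        previous = self.last_attempt.get(terminal)
        self.last_attempt[terminal] = now
        if previous is not None and now - previous < self.terminal_delay:
            return "too-soon"            # rejected and not counted as a failure
        record = self.last_login.setdefault(user, {})
        if password_ok:
            record["success"] = (terminal, now)       # last successful login
            self.account_failures[user] = 0
            self.terminal_failures[terminal] = 0      # consecutive run is broken
            return "ok"
        record["failure"] = (terminal, now)           # last unsuccessful attempt
        self.account_failures[user] = self.account_failures.get(user, 0) + 1
        self.terminal_failures[terminal] = self.terminal_failures.get(terminal, 0) + 1
        if self.account_failures[user] >= self.max_account_failures:
            self.locked_accounts.add(user)
            return "locked-account"
        if self.terminal_failures[terminal] >= self.max_terminal_failures:
            self.locked_terminals.add(terminal)
            return "locked-terminal"
        return "failed"


if __name__ == "__main__":
    print("minimum length, 1-year lifetime:", green_book_min_length(365, 8.5, 1e-6, 36))
    print("minimum length, 30-day lifetime:", green_book_min_length(30, 8.5, 1e-6, 36))
    lc = LoginControl(max_account_failures=3, max_terminal_failures=5, terminal_delay=2)
    for t in (0, 1, 3, 6):
        print("alice on tty0 at", t, "->", lc.attempt("alice", "tty0", t, False))
```

Note that a "too-soon" attempt is refused without touching either counter, so the delay cannot itself be used to push an account over its lockout threshold; whether a real system counts such attempts is a policy choice, and the text does not say which Tru64 makes.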
9.3 Audit Features
The following audit features are provided:
A graphical interface, audit_setup, to simplify system auditing
Command line interfaces
The ability to send audit logs to a remote host
Event profiles allowing simplified configuration based on system type
Fine-grained preselection of system events, application events, and site-definable events
Fine-grained post-analysis of system events, application events, and site-definable events
Optional automated audit log cleanup
The dxaudit GUI
When used with enhanced security, auditing includes support for a per-user audit characteristics profile with enhanced identification and authorization.
The audit system is set up through SysMan or by using the audit_setup utility from the command line. Maintenance for the audit system is done from the command line or with the dxaudit GUI.
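Preselection and post-analysis are the two halves of the audit pipeline named above: the first decides which events are written at all, the second reduces what was written. The Python example below is added here to show how a per-user audit characteristics profile overrides a system-wide event mask and how the surviving records are then summarized; it is not Tru64 code. The event names, the "site:" prefix for site-definable events, the record fields and the sample records are all constructed for the illustration.

```python
"""Added example (not Tru64 code): audit event preselection with per-user
overrides, followed by post-analysis of the recorded events.  Event names,
profile layout, record fields and sample records are constructed."""

# System-wide mask: which events are recorded by default.  Site-definable
# events carry a "site:" prefix here (an assumption for this example).
SYSTEM_MASK = {"login": True, "login_fail": True, "open_fail": True,
               "exec": False, "site:payroll_export": True}

# Per-user audit characteristics profiles: only listed events differ.
USER_PROFILES = {"auditor": {"exec": True},        # also record what the auditor runs
                 "batch": {"open_fail": False}}    # a noisy batch account


def preselected(event, user, system_mask=SYSTEM_MASK, profiles=USER_PROFILES):
    """Decide, before a record is written, whether this event for this user
    is audited.  Events absent from the system mask are dropped (closed default)."""
    default = system_mask.get(event, False)
    return profiles.get(user, {}).get(event, default)


def audit_filter(records, system_mask=SYSTEM_MASK, profiles=USER_PROFILES):
    """Apply preselection to a stream of candidate records."""
    return [r for r in records
            if preselected(r["event"], r["user"], system_mask, profiles)]


def summarize(records, event=None, user=None, result=None):
    """Post-analysis: optional selection by event, user and result, then a
    count per (user, event) pair."""
    counts = {}
    for r in records:
        if event is not None and r["event"] != event:
            continue
        if user is not None and r["user"] != user:
            continue
        if result is not None and r["result"] != result:
            continue
        key = (r["user"], r["event"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def repeated_failures(records, threshold):
    """Accounts with at least `threshold` failed logins in the record set:
    the post-analysis counterpart of the login-control break-in detection."""
    counts = summarize(records, event="login_fail")
    return sorted(u for (u, _), n in counts.items() if n >= threshold)


# Constructed sample records (not real audit output).
SAMPLE_RECORDS = [
    {"time": "10:00:01", "user": "alice", "event": "login", "result": "success", "terminal": "tty0"},
    {"time": "10:00:05", "user": "guest", "event": "login_fail", "result": "fail", "terminal": "ttyp1"},
    {"time": "10:00:07", "user": "guest", "event": "login_fail", "result": "fail", "terminal": "ttyp1"},
    {"time": "10:00:09", "user": "guest", "event": "login_fail", "result": "fail", "terminal": "ttyp1"},
    {"time": "10:01:00", "user": "alice", "event": "exec", "result": "success", "object": "/usr/bin/ls"},
    {"time": "10:01:02", "user": "auditor", "event": "exec", "result": "success", "object": "/usr/sbin/report"},
    {"time": "10:02:00", "user": "batch", "event": "open_fail", "result": "fail", "object": "/var/spool/job.lock"},
    {"time": "10:02:01", "user": "alice", "event": "open_fail", "result": "fail", "object": "/etc/passwd.tmp"},
    {"time": "10:03:00", "user": "payroll", "event": "site:payroll_export", "result": "success", "object": "/export/pay.csv"},
    {"time": "10:03:30", "user": "carol", "event": "chdir", "result": "success"},
]

if __name__ == "__main__":
    kept = audit_filter(SAMPLE_RECORDS)
    print(len(kept), "of", len(SAMPLE_RECORDS), "records preselected")
    print("failed logins per account:", summarize(kept, event="login_fail"))
    print("accounts with 3+ failures:", repeated_failures(kept, 3))
```

The closed default in preselected matters: an event the system mask does not mention is not recorded even if a user profile would otherwise leave it alone, so adding a new site-definable event requires adding it to the mask explicitly.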
9.4 Discretionary Access Controls
Discretionary access controls (DACs) provide the capability for users to define how the resources they create can be shared. The traditional UNIX permission bits provide this capability.
Tru64 UNIX also provides optional access control lists (ACLs) for object protection at the individual user level. ACLs are supported under the UFS, NFS, and AdvFS file systems.
To simplify ACL management, an ACL GUI named dxsetacl is available in addition to the command line interface.
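To make concrete what "object protection at the individual user level" adds over the permission bits, here is an ACL evaluator in Python. It is an added example, not Tru64 code, and the page does not give Tru64's ACL entry format: the syntax and the evaluation order used here (owner entry, then named user, then owning and named groups under a mask, then other) follow the POSIX 1003.1e draft ACL model and are an assumption.

```python
"""Added example (not Tru64 code): evaluating a draft-POSIX style ACL in
which named-user and named-group entries are layered over the owner, group
and other permission bits.  Entry syntax and evaluation order are assumed."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_mask(perms):
    """'rw-' -> 6; dashes are placeholders and grant nothing."""
    return sum(PERM_BITS[c] for c in perms if c != "-")


def parse_acl(text):
    """Parse 'user::rw-,user:bob:rw-,group::r--,mask::r--,other::---' into
    a list of (tag, qualifier, permission bits)."""
    entries = []
    for item in text.split(","):
        tag, qualifier, perms = item.strip().split(":")
        entries.append((tag, qualifier, perm_mask(perms)))
    return entries


def check_access(acl, owner, owning_group, user, groups, requested):
    """True if `user` (a member of `groups`) may perform `requested`, e.g. 'w',
    on an object with the given owner, owning group and ACL."""
    want = perm_mask(requested)
    entries = {(tag, q): bits for tag, q, bits in acl}
    mask = entries.get(("mask", ""), 7)      # no mask entry: nothing is masked off
    # 1. The owner is governed by the user:: entry alone (the mask does not apply).
    if user == owner:
        return entries[("user", "")] & want == want
    # 2. A named-user entry for this user takes precedence over any group entry.
    if ("user", user) in entries:
        return entries[("user", user)] & mask & want == want
    # 3. Owning-group and named-group entries: grant if any matching entry
    #    grants the request; if entries matched but none grants, deny.
    matched = False
    for (tag, q), bits in entries.items():
        if tag != "group":
            continue
        if (q == "" and owning_group in groups) or (q != "" and q in groups):
            matched = True
            if bits & mask & want == want:
                return True
    if matched:
        return False
    # 4. Everyone else falls through to other::.
    return entries[("other", "")] & want == want


if __name__ == "__main__":
    acl = parse_acl("user::rw-,user:bob:rw-,group::r--,group:staff:rwx,mask::r--,other::---")
    for who, grps, req in (("alice", {"users"}, "w"), ("bob", {"users"}, "w"),
                           ("carol", {"staff"}, "x"), ("eve", set(), "r")):
        print(who, req, "->", check_access(acl, "alice", "users", who, grps, req))
```

The mask entry is what makes the ACL readable from the traditional group bits: bob's rw- entry is silently reduced to r-- by the r-- mask, which is the kind of surprise worth checking for when an ACL GUI and a chmod are both in use on the same file.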
9.5 Security Administration
Tru64 UNIX provides system administrators with tools to ease the administration of system security.
9.5.1 Configuring System Security
System administrators can select the security level for their system.
The default base security level consists of object reuse and discretionary access control (DAC). System administrators can select enhanced security features and ACLs by using SysMan or by running the secsetup utility from the command line. The audit system is configurable through SysMan or by using the audit_setup utility from the command line.
9.5.2 Windows-Based Administration Utilities
Tru64 UNIX provides four graphical utilities to deal with day-to-day security administration on the local machine:
The dxaccounts utility (Account Manager under the CDE-based system administration utilities), which operates in both base and enhanced security modes, provides the ability to create template accounts and to modify selected system defaults. Under enhanced security, you can use dxaccounts to specify a set of events to audit (audit mask) for each user.
The dxaudit utility controls the administration of the audit system (for instance, defining which events to audit) and the generation of audit reports. Auditing is available with both base and enhanced security.
The dxsetacl utility (ACL Manager under the CDE-based system administration utilities) is used to create, modify, and delete ACLs on files and directories.
The dxdevices utility configures secure devices in enhanced security mode.
For more information, see the dxaccounts(8X), dxsetacl(8X), dxaudit(8X), and dxdevices(8X) reference pages.
9.6 Object Reuse
Object reuse ensures that the following types of physical storage (memory or disk space) are cleared ("scrubbed"):
Physical storage that is assigned to shared objects
Physical storage that is released prior to reassignment to another user
Examples of object reuse are disk space that is released after a file is truncated, or physical memory that is released prior to reassignment to another user, who could otherwise read its previous contents.
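The property described above is easiest to see on a small allocator. The Python example below, added here and not part of Tru64, hands the same fixed-size block to a second user after the first releases it; without scrubbing on release the first user's data is still readable, with scrubbing the second user sees only zeros. The pool, block size and sample data are constructed for the illustration.

```python
"""Added example (not Tru64 code): a fixed-block storage pool with and
without scrubbing of released blocks, showing what object reuse prevents.
The pool layout, block size and sample data are constructed."""

BLOCK_SIZE = 16


class BlockPool:
    """Models 'physical' storage divided into equal blocks with a free list.
    The lowest free block is always handed out next, so a released block is
    the first thing the next allocation receives."""

    def __init__(self, blocks, scrub_on_release):
        self.storage = bytearray(blocks * BLOCK_SIZE)
        self.free = list(range(blocks))
        self.scrub_on_release = scrub_on_release

    def allocate(self):
        if not self.free:
            raise MemoryError("pool exhausted")
        return self.free.pop(0)

    def write(self, index, data):
        if len(data) > BLOCK_SIZE:
            raise ValueError("data exceeds block size")
        start = index * BLOCK_SIZE
        self.storage[start:start + len(data)] = data

    def read(self, index):
        start = index * BLOCK_SIZE
        return bytes(self.storage[start:start + BLOCK_SIZE])

    def release(self, index):
        if self.scrub_on_release:
            # Object reuse: clear the block before it can be reassigned.
            start = index * BLOCK_SIZE
            self.storage[start:start + BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.free.append(index)
        self.free.sort()


def content_seen_by_next_user(scrub_on_release):
    """First user writes and releases a block; second user allocates and reads.
    Returns (whether the same block was reused, what the second user saw)."""
    pool = BlockPool(blocks=2, scrub_on_release=scrub_on_release)
    first = pool.allocate()
    pool.write(first, b"pay=12345")        # constructed sensitive content
    pool.release(first)
    second = pool.allocate()
    return second == first, pool.read(second)


if __name__ == "__main__":
    for scrub in (False, True):
        reused, seen = content_seen_by_next_user(scrub)
        print("scrub on release:", scrub, "| block reused:", reused, "| seen:", seen)
```

The same reasoning applies to the disk case in the text: blocks freed by truncating a file go back on a free list, and unless the file system clears them (or clears on allocation) the next file that grows into them inherits the old bytes.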
9.7 Protected Environment for Trusted Components
Tru64 UNIX uses hardware memory management to maintain a kernel address space for itself and a separate address space for each instance of an executing application process. Processes may attempt to write to the same address space; DACs control the sharing of address space among processes, and the default is to disallow sharing.
The administrator can disable the sharing of sections as read-only address space (for example, shared libraries). Thus, the security-relevant components of the system (the trusted computing base, or TCB) are protected while they execute.
Tru64 UNIX protects the on-disk security components using discretionary access control. Attempted violations of the DAC protections can be audited so that remedial action can be taken by the system security officer.
In addition, the security components are structured into well defined, largely independent modules.
Tru64 UNIX is designed, developed, and maintained under a configuration management system that controls changes to the specifications, documentation, source code, object code, hardware, firmware, and test suites. Tools, which are also maintained under configuration control, are provided to control and automate the generation of new versions of the security components from source code and to verify that the correct versions of the source have been incorporated into the new version.
The master copies of all material used to generate the security components are protected from unauthorized modification or destruction.
9.8 Integrity Features
Tru64 UNIX provides the capability to validate the correct operation of hardware, firmware, and software security components. The firmware includes power-on diagnostics and more extensive diagnostics that optionally can be enabled. The firmware itself resides in EEPROM and can be physically write protected. It also can be compared against, or reloaded from, an offline master copy. Additional hardware diagnostics can be used also.
The firmware can require authorization to load any operating software other than the default or to execute privileged console monitor commands that examine or modify memory.
Once the operating system is loaded, administrators can run system diagnostics to validate the correct operation of the hardware and software. In addition, test suites are available to ensure the correct operation of the operating system software.
The following tools can be run automatically to detect inconsistencies in the security software and databases:
fverify utility
This utility reads subset inventory records from standard input and verifies that the attributes for the files on the system match the attributes listed in the corresponding records. Missing files and inconsistencies in file size, checksum, user ID, group ID, permissions, and file type are reported.
authck utility
This utility checks both the overall structure and internal field consistency of all components of the authentication database and reports problems that it finds.
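The fverify description above is a compact specification of an inventory check, and the Python example below implements that kind of check to show what each reported inconsistency looks like. It is an added example, not fverify or any other Tru64 code: the one-line record format, the choice of SHA-256 as the checksum, and the small tree built in a temporary directory (then deliberately modified) are all constructed for the illustration.

```python
"""Added example (not Tru64 code): record file attributes for a tree as
one-line inventory records, then verify the tree against them and report
missing files and attribute mismatches.  Record format and checksum
algorithm (SHA-256) are assumptions; the sample tree is constructed."""
import hashlib
import os
import stat
import tempfile

CHECKED = ("type", "size", "checksum", "uid", "gid", "mode")


def attributes(path):
    """Attributes of one path, as strings, in CHECKED order."""
    st = os.lstat(path)
    rec = {"type": "f" if stat.S_ISREG(st.st_mode) else "o",
           "size": str(st.st_size), "uid": str(st.st_uid),
           "gid": str(st.st_gid), "mode": "%o" % stat.S_IMODE(st.st_mode),
           "checksum": "-"}
    if rec["type"] == "f":
        with open(path, "rb") as fh:
            rec["checksum"] = hashlib.sha256(fh.read()).hexdigest()
    return rec


def inventory(root):
    """One record line per file: relative path followed by CHECKED values
    (paths are assumed to contain no whitespace)."""
    lines = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rec = attributes(path)
            lines.append(" ".join([os.path.relpath(path, root)]
                                  + [rec[k] for k in CHECKED]))
    return sorted(lines)


def verify(root, lines):
    """Return (path, attribute, expected, actual) for every discrepancy;
    a missing file yields a single ('missing', None, None) entry."""
    problems = []
    for line in lines:
        rel, *values = line.split()
        expected = dict(zip(CHECKED, values))
        path = os.path.join(root, rel)
        if not os.path.lexists(path):
            problems.append((rel, "missing", None, None))
            continue
        actual = attributes(path)
        for key in CHECKED:
            if actual[key] != expected[key]:
                problems.append((rel, key, expected[key], actual[key]))
    return problems


def demo():
    """Build a constructed tree, record it, tamper with it, and return both
    the clean report (empty) and the report after tampering."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/ls": (b"ls binary", 0o755),
                 "etc/cfg": (b"opt=1\n", 0o644),
                 "etc/motd": (b"hi\n", 0o644)}
        for rel, (data, mode) in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        records = inventory(root)
        clean = verify(root, records)
        # Three kinds of change fverify would flag: content, permissions, removal.
        with open(os.path.join(root, "bin/ls"), "ab") as fh:
            fh.write(b"+patch")
        os.chmod(os.path.join(root, "etc/cfg"), 0o666)
        os.remove(os.path.join(root, "etc/motd"))
        return clean, verify(root, records)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean tree:", clean)
    for problem in tampered:
        print("problem:", problem)
```

Note that a content change shows up twice, as size and as checksum, while a change that preserves length would be caught by the checksum alone; that is why an inventory check that compares only sizes and modes is not an integrity check.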
9.9 Additional Security Features
The following sections describe additional security features that are integrated into the Tru64 UNIX software, and separately available programs that add security features to the operating system.
9.9.1 Features Included with the Operating System
Tru64 UNIX supports features that are unavailable in other OSF-based UNIX operating systems.
9.9.1.1 The Security Integration Architecture Layer
All security mechanisms that run on the Tru64 UNIX operating system run under the Security Integration Architecture (SIA) layer. The SIA allows a suitably privileged administrator to layer various local and distributed security authentication mechanisms onto Tru64 UNIX with no modification to the security-sensitive Tru64 UNIX commands, such as login, su, and passwd. The SIA isolates the security-sensitive commands from the specific security mechanisms, thus eliminating the need to modify them for each new security mechanism.
Because of the presence of the SIA, administrators can use the secconfig command to move back and forth between the secure and nonsecure commands and utilities.
The SIA also supports the following:
DECnet interoperability
The SIA interface provides support for the DECnet/OSI networking software.
Distributed Computing Environment interoperability
When Tru64 UNIX is configured for enhanced security, the SIA allows you to enter both your system password and your Distributed Computing Environment (DCE) password at login time. You do not have to log in to the Tru64 UNIX secure system and then log in again to DCE.
9.9.1.2 Network Information Service Compatibility
Tru64 UNIX provides support for accessing Network Information Service (NIS) distributed databases while running enhanced security. For example, administrators can use the ypcat passwd utility to gather information about users on the network. However, the user's encrypted password in the NIS distributed password database is not the same as the encrypted password on the secure system, which cannot be viewed by unprivileged users.
In addition, on a Tru64 UNIX system running enhanced security, NIS can be used to distribute the enhanced security protected password database.
9.9.1.3 Configuration and Setup Script
Tru64 UNIX supports the secsetup configuration and setup script, which allows you to select the security level you want to run, permits you to move back and forth between secure and nonsecure commands and utilities, and configures security at boot time, depending on the value of the SECURITY variable in the /etc/rc.config file.
9.9.1.4 Graphical User Interfaces
Tru64 UNIX provides the dxaccounts, dxaudit, and dxdevices graphical interfaces that administrators can use to create and modify user accounts, modify system defaults, administer auditing, and configure devices. The dxsetacl graphical interface lets users manipulate ACLs on system objects.
9.9.1.5 Division of Privileges
The division of privileges (dop) utility lets a system administrator with root privileges assign access to certain classes of administrative tasks to other users or groups of users, thereby minimizing access to the powerful root account. With the assigned privileges, users and groups can execute the selected privileged programs without knowing the root password. For example, a user granted the AccountManagement privilege can run the tasks listed under the Accounts branch of the SysMan Menu.
The dop utility is available from the command line, from the SysMan Menu, and from the CDE Application Manager.
9.9.2 Programs to Augment Tru64 UNIX Security
The following sections describe programs that are available on the Tru64 UNIX Associated Products CD-ROMs and from Compaq on the Internet.
9.9.2.1 Common Data Security Architecture
The Common Data Security Architecture (CDSA) is a multiplatform, industry-standard security infrastructure that is available for Tru64 UNIX as an advanced developers kit (ADK). It provides a standards-based, stable programming interface that applications can use to access operating system security services, allowing developers to create cross-platform, security-enabled applications.
The CDSA kit is available at the following Compaq Web site:
http://tru64unix.compaq.com/internet/download.htm
9.9.2.2 Single Sign On
Single Sign On (SSO) is an optional user authentication security feature included on a Tru64 UNIX Associated Products CD-ROM. Based on Kerberos technology, the Tru64 UNIX SSO software increases an organization's level of security and decreases user account maintenance and administration in a heterogeneous intranet.
9.9.2.3 Security Products on the Internet Express for Tru64 UNIX CD-ROM
Several security products are included on the Internet Express for Tru64 UNIX CD-ROM (see Section 1.3.7.1). Those products include a secure socket layer (SSL), the FireScreen firewall product, the RID Denial of Service Scanner, and tcpwrapper.
Other security utilities such as tripwire, wuftpd, lsof, and crack are available on the Tru64 UNIX Open Source Software Collection CD-ROM (see Section 1.2.10) or from public domain sites on the Internet.