Table of Contents
About This Manual
Part 1: User's Guide to Security
1 Introduction for Users
2 Getting Started
3 Connecting to Other Systems
4 DECwindows Environment
5 Using ACLs
Part 2: Administrator's Guide to Security
6 Introduction for Administrators
7 Setting Up the Trusted System
8 Creating and Modifying Secure Devices
9 Creating and Maintaining Accounts
10 Administering the Audit Subsystem
11 Administering ACLs
12 Ensuring Authentication Database Integrity
13 Security Integration Architecture
14 Trusted System Troubleshooting
Part 3: Programmer's Guide to Security
15 Introduction for Programmers
16 Trusted Programming Techniques
17 Authentication Database
18 Identification and Authentication
19 Audit Record Generation
20 Using the SIA Interface
21 Programming With ACLs
B Auditable Events and Aliases
C Interoperating with and Migrating from ULTRIX Systems
D Coding Examples
E Symbol Preemption for SIA Routines
Audience
New and Changed Features
Organization
Related Documentation
Reader's Comments
Conventions
1.1 Enhanced Security Features
1.1.1 Login Control Enhancements
1.1.2 Password Enhancements
1.1.3 Audit Subsystem
1.2 How to Determine if Enhanced Security Is Installed and Running
1.3 User Accountability
1.4 User Responsibilities
2.1 Logging In
2.1.1 Authentication Profile
2.1.2 Other Login Restrictions
2.2 Setting Your Password
2.2.1 Choosing Your Own Password
2.2.2 Choosing a System-Generated Password
2.2.3 Understanding Password Aging
2.3 Using the su Command
2.4 Password Security Tips
2.5 Login and Logout Security Tips
2.6 Problem Solving
2.6.1 Passwords
2.6.2 Background Jobs
2.6.3 Sticky Directories
2.6.4 SUID/SGID Clearing
2.6.5 If You Cannot Log In
3.1 The TCP/IP Commands
3.1.1 The rlogin, rcp, and rsh Commands
3.1.2 The hosts.equiv File
3.1.3 The .rhosts File
3.1.4 The ftp Command
3.1.5 The tftp Command
3.1.6 Remote Connection Security Tips
3.2 LAT Commands
3.3 The UUCP Utility
3.3.1 The uucp Command
3.3.2 The tip and cu Commands
3.3.3 The uux Command
3.4 The dlogin, dls, and dcp Commands
4.1 External Access to Your Display
4.2 Controlling Network Access to Your Workstation
4.2.1 System Access Control List
4.2.2 Workstation Access Control List
4.2.3 Storing the Workstation Access Control List
4.2.4 Using the X Authority File Utility
4.3 Protecting Keyboard Input
4.4 Blocking Keyboard and Mouse Information
4.5 Pausing Your Workstation
4.6 Workstation Physical Security
5.1 Traditional Discretionary Access Control
5.2 An Overview of ACLs
5.3 States of the ACL System
5.4 Setting an ACL
5.5 Default ACLs
5.6 Viewing an ACL
5.7 Access Decision Process
5.8 ACL Structure
5.9 ACL Initialization
5.10 Protecting Objects with ACLs
5.10.1 ACLs and the ls Command
5.10.2 Using the setacl Command
5.10.3 Using the getacl Command
5.11 Maintaining ACLs on Your Objects
5.12 ACLs and the emacs Editor
6.1 Frequently Asked Questions About Trusted Systems
6.2 Defining a Trusted System
6.3 Enhanced Security Features
6.3.1 Audit Features
6.3.2 Identification and Authentication (I and A) Features
6.3.3 Access Control Lists (ACLs)
6.3.4 Integrity Features
6.4 Windows-Based Administration Utilities
6.4.1 Installing and Configuring Enhanced Security
6.5 Administering the Trusted Operating System
6.5.1 Traditional Administrative Roles
6.5.1.1 Responsibilities of the Information Systems Security Officer
6.5.1.2 Responsibilities of the System Administrator
6.5.1.3 Responsibilities of the Operator
6.5.2 Protected Subsystems
6.5.2.1 Protected Password Database
6.5.2.2 System Defaults Database
6.5.2.3 Terminal Control Database
6.5.2.4 File Control Database
6.5.2.5 Device Assignment Database
7.1 Installation Notes
7.1.1 Full Installation
7.1.2 Update Installation
7.2 Segment Sharing
7.3 Installation Time Setup for Security
7.4 The secsetup Command
7.4.1 Setup Questions
7.4.2 Example secsetup Session
7.5 Configuring Enhanced Security Features
7.5.1 Configuring Audit
7.5.2 Configuring ACLs
7.5.3 Configuring Extended Authentication with NIS
7.5.4 Password and Authentication Features Configuration
7.5.4.1 Aging
7.5.4.2 Minimum Change Time
7.5.4.3 Changing Controls
7.5.4.4 Maximum Login Attempts
7.5.4.5 Time Between Login Attempts
7.5.4.6 Terminal Break-In
7.5.4.7 Time Between Logins
7.5.4.8 Per-Terminal Login Records
7.5.4.9 Automatic Extended Profile Creation
7.5.4.10 Vouching
7.5.4.11 Encryption
7.6 System Administrator Tasks
7.7 ISSO Tasks
7.7.1 Check System Defaults
7.7.2 Modifying a User Account
7.7.3 Assigning Terminal Devices
7.7.4 Setting Up Auditing
7.8 Backing the System Up
8.1 Defining Security Characteristics
8.1.1 Modifying, Adding, and Removing Devices with the dxdevices Program
8.1.2 Setting Default Values with the dxdevices Program
8.2 Updating Security Databases
9.1 Using dxaccounts to Perform System Administration Functions
9.1.1 Creating User Accounts
9.1.2 Retiring Accounts
9.1.3 Creating Groups
9.1.4 Modifying the Account Template
9.1.5 Modifying User Accounts
9.1.6 Modifying the Account Template
9.2 Authentication Subsystem
9.3 Using NIS to Centralize Account Management
9.3.1 Overview of Enhanced Security and NIS User Account Databases
9.3.1.1 BASE Local User Account Database
9.3.1.2 NIS-Distributed BASE User Account Database
9.3.1.3 Enhanced Security Local Password Database
9.3.1.4 NIS and Enhanced Security Database Interaction
9.3.2 Implementation Notes
9.3.3 Setting Up a NIS Master Server
9.3.3.1 Manual Procedure for Small Databases
9.3.3.2 Automated Procedure for Large Databases
9.3.4 Setting Up a NIS Slave Server
9.3.5 Setting Up a NIS Client
9.3.6 Moving Local Accounts to NIS
9.3.7 Backing Out NIS
10.1 Overview of Auditing
10.1.1 Files Used for Auditing
10.1.2 Auditing Tools
10.2 Setting Up the Audit Subsystem
10.2.1 Set Up Questions
10.2.2 Using the audit_setup Script
10.3 Selecting Audit Events
10.3.1 Event Aliases
10.3.2 Object Selection and Deselection
10.3.3 Targeting an Active Process
10.4 Audit Log Files
10.4.1 The auditlog File
10.4.1.1 Audit Log Overflow
10.4.1.2 Remote Audit Logs
10.4.2 Console Messages
10.4.3 Creating Your Own Log Entries
10.5 Configuring the Audit Subsystem Using auditd
10.5.1 Displaying Information About the Audit Subsystem
10.5.2 Designating the Location of the Audit Log File
10.5.3 Designating a Fallback Location for Audit Data
10.5.4 Designating a Destination for Audit Log Status Reports
10.5.5 Protecting Against Audit Log Overflow
10.6 Starting Audit
10.6.1 Turning Off Audit
10.6.2 Starting a New Audit Log
10.7 Auditing Across a Network
10.8 Processing Audit Log Data
10.8.1 Using audit_tool Interactively
10.8.2 Selecting Audit Records
10.8.3 Generating a Report for Each Audit ID
10.8.4 Selecting Audit Records Within a Time Range
10.8.5 Selecting Audit Records for Specific Events
10.8.6 Performing Continuous Audit Reporting
10.8.7 Selecting Audit Records for Process IDs
10.8.8 Filtering Out Specific Audit Records
10.8.9 Processing ULTRIX Audit Data
10.9 Site-Defined Audit Events
10.9.1 System Administrator's Responsibilities
10.9.2 Trusted Application Responsibility
10.9.3 Managing Your Own Audit Data
10.9.4 Changing the Site Event Mask
10.10 Suggested Audit Events
10.10.1 Dependencies Among Audit Events
10.10.2 Auditable Events
10.11 Audit Reports
10.11.1 Generating Audit Reports with the dxaudit Program
10.11.1.1 Selection Files
10.11.1.2 Deselection Files
10.11.1.3 Reports
10.11.2 Generating Audit Reports with the audit_tool Program
10.11.2.1 Audit Reports for System Calls
10.11.2.2 Audit Reports for Trusted Events
10.11.2.3 Audit Reports for Process IDs
10.11.2.4 Abbreviated Audit Reports
10.12 Audit Data Recovery
10.13 Implementation Notes
10.14 Traditional UNIX Logging Tools
10.15 Using Audit to Trace System Calls
10.15.1 Installing Audit
10.15.2 Enabling Audit
10.15.3 Tracing a Process
10.15.4 Reading the Trace Data
10.15.5 Modifying the Kernel to Get More Data for a System Call
10.15.6 System Calls Not Always Audited
11.1 Digital UNIX ACLs Overview
11.2 Administration Tasks
11.3 Installing ACLs
11.3.1 Enabling ACLs
11.3.2 Disabling ACLs
11.3.3 Verifying Kernel Changes
11.3.4 Determining If ACLs Are Enabled
11.4 Recovery
11.5 Standalone System Support
12.1 Composition of the Authentication Database
12.2 Running the authck Program
12.3 Adding Applications to the File Control Database
13.1 SIA Overview
13.2 Supported Security Configurations
13.3 matrix.conf Files
13.4 Installing a Layered Security Product
13.5 Installing Multiple Layered Security Products
13.6 Removing Layered Security Products
14.1 Lock Files
14.2 Invalid Maps
14.3 Required Files and File Contents
14.3.1 The /tcb/files/auth/r/root File
14.3.2 The /etc/auth/system/ttys.db File
14.3.3 The /etc/auth/system/default File
14.3.4 The /etc/auth/system/devassign File
14.3.5 The /etc/passwd File
14.3.6 The /etc/group File
14.3.7 The /etc/auth/system/pw_id_map File
14.3.8 The /etc/auth/system/gr_id_map File
14.3.9 The /sbin/rc[023] Files
14.3.10 The /dev/console File
14.3.11 The /dev/pts/* and /dev/tty* Files
14.3.12 The /sbin/sulogin File
14.3.13 The /sbin/sh File
14.3.14 The /vmunix File
14.4 Problems Logging In or Changing Passwords
15.1 Libraries and Header Files
15.2 Standard Trusted System Directories
15.3 System Calls and Library Routines with Enhanced Security
15.3.1 System Calls
15.3.2 Library Routines
15.4 Defining the Trusted Computing Base
15.5 Protecting TCB Files
16.1 Writing SUID and SGID Programs
16.2 Handling Errors
16.3 Protecting Permanent and Temporary Files
16.4 Specifying a Secure Search Path
16.5 Responding to Signals
16.6 Using Open File Descriptors with Child Processes
16.7 Security Concerns in a DECwindows Environment
16.7.1 Protect Keyboard Input
16.7.2 Block Keyboard and Mouse Events
16.7.3 Protect Device-Related Events
16.8 Protecting Shell Scripts
17.1 Accessing the Databases
17.2 Database Components
17.2.1 Database Form
17.2.2 Reading and Writing a Database
17.2.2.1 Buffer Management
17.2.2.2 Reading an Entry by Name or ID
17.2.2.3 Reading Entries Sequentially
17.2.2.4 Using System Defaults
17.2.2.5 Writing an Entry
17.3 Device Assignment Database
17.4 File Control Database
17.5 System Default Database
17.6 Protected Password Database
17.7 Terminal Control Database
18.1 New libsecurity Library Routines
18.1.1 Changed Application Programming Interfaces
18.1.2 What to Do With Existing Programs
18.1.3 What to Do For New Programs
18.2 The Audit ID
18.3 Identity Support Libraries
18.4 Using Daemons
18.5 Using the Protected Password Database
18.6 Example: Password Expiration Program
18.7 Password Handling
19.1 Categories of Auditable Events
19.2 Generation of Audit Records
19.3 Disabling Auditing
19.4 Modifying Process Audit Attributes
19.5 Audit Records and Tokens
19.5.1 Public Tokens
19.5.2 Private Tokens
19.6 Application-Specific Audit Records
20.1 Overview
20.2 SIA Layering
20.3 System Initialization
20.4 Libraries
20.5 Header Files
20.6 SIAENTITY Structure
20.7 Parameter Collection
20.8 Maintaining State
20.9 Return Values
20.10 Audit Logs
20.11 Integrating Security Mechanisms
20.12 Session Processing
20.12.1 Session Initialization
20.12.2 Session Authentication
20.12.3 Session Establishment
20.12.4 Session Launch
20.12.5 Session Release
20.12.6 Specific Session Processing
20.12.6.1 The login Process
20.12.6.2 The rshd Process
20.12.6.3 The rlogind Process
20.13 Changing Secure Information
20.13.1 Changing a User's Password
20.13.2 Changing a User's Finger Information
20.13.3 Changing a User's Shell
20.14 Accessing Security Information
20.14.1 Accessing /etc/passwd Information
20.14.2 Accessing /etc/group Information
20.15 Session Parameter Collection
20.16 Packaging Products for the SIA
20.17 Security Mechanism-Dependent Interface
20.18 Single User Mode
21.1 Introduction to ACLs
21.2 Library Routines
21.3 Discretionary Access Terms
21.4 ACL Data Representations
21.4.1 Working Storage Representation
21.4.2 Data Package Representation
21.4.3 External Representation
21.5 Default ACLs
21.6 ACL Rules
21.6.1 Object Creation
21.6.2 ACL Replication
21.6.3 ACL Validity
21.7 ACL Creation Example
21.8 Imported and Exported Data
21.8.1 Digital UNIX System to Same Digital UNIX System
21.8.2 Digital UNIX System to Another Digital UNIX System
21.8.3 Digital UNIX System to Other
21.8.4 Other to Digital UNIX System
B.1 Default Auditable Events File
B.2 Sample Event Aliases File
C.1 Migration Issues
C.1.1 Difference in the audgen System Call
C.1.2 Differences in the audcntl Routine
C.1.3 Changes to the authaudit Routines
C.1.4 Difference in the Authentication Interfaces
C.1.5 Differences in Password Encryption
C.1.6 Trusted Path Unavailable on Digital UNIX
C.1.7 Secure Attention Key (SAK) Unavailable on Digital UNIX
C.2 Moving ULTRIX Authentication Files to Digital UNIX
C.2.1 Converting Shared Authentication Files
C.2.2 Converting Local Authentication Files
C.2.3 After Converting the Authentication Files
C.3 Audit Data Compatibility
D.1 Source Code for sia-reauth.c
D.2 Source Code for sia-suauth.c
E.1 Overview of the Symbol Preemption Problem
E.2 The Digital UNIX Solution
E.3 Replacing the Single-User Environment
Examples
7-1 Using secsetup
10-1 Using the audit_setup Script
10-2 Sample Active Auditing Session
10-3 Sample /etc/sec/auditd_loc File
10-4 Layered Product Audit Record
10-5 Audit Report for System Calls
10-6 Audit Report for Trusted Events
10-7 Audit Report for Process IDs
10-8 Abbreviated Audit Report
10-9 Abbreviated Audit Report with User Names
11-1 Enabling ACLs
11-2 Disabling ACLs
13-1 Default /etc/sia/bsd_matrix.conf File
13-2 Default /etc/sia/OSFC2_matrix.conf File
13-3 Default /etc/sia/dce_matrix.conf File
13-4 Deleting a Layered Security Product
18-1 Password Expiration Program
19-1 Public Tokens
19-2 Private Tokens
20-1 The SIAENTITY Structure
20-2 Typical /var/adm/sialog File
20-3 Session Processing Code
D-1 Reauthentication Program
D-2 Superuser Authentication Program
E-1 Preempting Symbols in Single-User Mode