The ISSO is traditionally responsible for assigning the devices that are included in the system's trusted computing base (TCB) and for defining the security characteristics of those devices. On a Digital UNIX system root access is required to assign devices. The trusted Digital UNIX system currently supports terminals as part of the TCB. This chapter describes how to define those devices to a secure system.
The ISSO
traditionally defines the security characteristics of all the
terminals that are part of the system using the
dxdevices
program.
To do this, the ISSO performs the following tasks:
The ISSO is usually responsible for ensuring that all device assignments, whether they are set explicitly or by default, conform to a site's security requirements.
Before you create or modify a secure device,
all of the typical device installation procedures required
during ordinary system hardware and software installation must be
completed. The special files for devices must exist in the
/dev
directory and have the appropriate permissions.
The special files for terminals must be owned by
root,
have the group set to
tty,
and have the mode set to
0620.
You can verify that the installation has been completed with the
ls
command. The following example is typical:
#
ls -lg /dev/tty*
crw---------- 1 root tty 0, 2 Aug 15 09:29 /dev/tty00
crw---------- 1 root tty 0, 3 Aug 15 09:29 /dev/tty01
Using the Devices dialog box, select the Modify/Create dialog
box then the Select devices dialog box.
To add or remove a device, first
select or enter the device, then click on File to make the required
changes.
To modify a device, first
select the device, then click on Modify to make the required
changes. See the online help for
dxdevices
for more information.
Using the Devices dialog box, select the Defaults dialog box.
Set the system defaults for all of your terminals as required.
A terminal uses these defaults unless specifically
overridden by settings in the Modify Terminal dialog box.
See the online help for
dxdevices
for more information.
When you assign device defaults or device-specific parameters, the system updates the following security databases:
/etc/auth/system/default,
contains the default values (for example,
default control
parameters) for all system devices.
/etc/auth/system/devassign,
contains device-specific values for
system devices.
/etc/auth/system/ttys.db,
contains device-specific values
for authentication (for example, the number of failed login
attempts).
Each device to be used in your secure configuration must
have an entry in the device assignment database.
This database centralizes information about the security characteristics
of all system devices.
It includes the device pathname and type.
By default a wildcard
entry exists for terminals (but not X displays) in the
/etc/auth/system/ttys.db
and
/etc/auth/system/devassign
databases.
The X display
entries shipped on the system have
:t_login_timeout#0:
entries in them,
in case a site changes its system default login timeout.
If wildcard X display entries are needed, they can be created as
follows:
#
echo \
\'*\:*:t_devname=*\:*:t_login_timeout#0:t_xdisplay:chkent:\' \
| /tcb/bin/edauth -s -dt
#
echo \'*\:*:v_type=xdisplay:chkent:\' | /tcb/bin/edauth -s -dv
.dms