| About This Manual |
| Audience |
| New and Changed Features |
| Organization |
| Related Documentation |
| Reader's Comments |
| Conventions |
| Part 1: User's Guide to Security |
| 1 | Introduction for Users |
| 1.1 | Enhanced Security Features |
| 1.1.1 | Login Control Enhancements |
| 1.1.2 | Password Enhancements |
| 1.1.3 | Audit Subsystem |
| 1.2 | How to Determine if Enhanced Security Is Installed and Running |
| 1.3 | User Accountability |
| 1.4 | User Responsibilities |
| 2 | Getting Started |
| 2.1 | Logging In |
| 2.1.1 | Authentication Profile |
| 2.1.2 | Other Login Restrictions |
| 2.2 | Setting Your Password |
| 2.2.1 | Choosing Your Own Password |
| 2.2.2 | Choosing a System-Generated Password |
| 2.2.3 | Understanding Password Aging |
| 2.3 | Using the su Command |
| 2.4 | Password Security Tips |
| 2.5 | Login and Logout Security Tips |
| 2.6 | Problem Solving |
| 2.6.1 | Passwords |
| 2.6.2 | Background Jobs |
| 2.6.3 | Sticky Directories |
| 2.6.4 | SUID/SGID Clearing |
| 2.6.5 | If You Cannot Log In |
| 3 | Connecting to Other Systems |
| 3.1 | The TCP/IP Commands |
| 3.1.1 | The rlogin, rcp, and rsh Commands |
| 3.1.2 | The hosts.equiv File |
| 3.1.3 | The .rhosts File |
| 3.1.4 | The ftp Command |
| 3.1.5 | The tftp Command |
| 3.1.6 | Remote Connection Security Tips |
| 3.2 | LAT Commands |
| 3.3 | The UUCP Utility |
| 3.3.1 | The uucp Command |
| 3.3.2 | The tip and cu Commands |
| 3.3.3 | The uux Command |
| 3.4 | The dlogin, dls, and dcp Commands |
| 4 | DECwindows Environment |
| 4.1 | External Access to Your Display |
| 4.2 | Controlling Network Access to Your Workstation |
| 4.2.1 | System Access Control List |
| 4.2.2 | Workstation Access Control List |
| 4.2.3 | Storing the Workstation Access Control List |
| 4.2.4 | Using the X Authority File Utility |
| 4.3 | Protecting Keyboard Input |
| 4.4 | Blocking Keyboard and Mouse Information |
| 4.5 | Pausing Your Workstation |
| 4.6 | Workstation Physical Security |
| 5 | Using ACLs |
| 5.1 | Traditional Discretionary Access Control |
| 5.2 | An Overview of ACLs |
| 5.3 | States of the ACL System |
| 5.4 | Setting an ACL |
| 5.5 | Default ACLs |
| 5.6 | Viewing an ACL |
| 5.7 | Access Decision Process |
| 5.8 | ACL Structure |
| 5.9 | ACL Initialization |
| 5.10 | Protecting Objects with ACLs |
| 5.10.1 | ACLs and the ls Command |
| 5.10.2 | Using the setacl Command |
| 5.10.3 | Using the getacl Command |
| 5.11 | Maintaining ACLs on Your Objects |
| 5.12 | ACLs and the emacs Editor |
| Part 2: Administrator's Guide to Security |
| 6 | Introduction for Administrators |
| 6.1 | Frequently Asked Questions About Trusted Systems |
| 6.2 | Defining a Trusted System |
| 6.3 | Enhanced Security Features |
| 6.3.1 | Audit Features |
| 6.3.2 | Identification and Authentication (I and A) Features |
| 6.3.3 | Access Control Lists (ACLs) |
| 6.3.4 | Integrity Features |
| 6.4 | Windows-Based Administration Utilities |
| 6.4.1 | Installing and Configuring Enhanced Security |
| 6.5 | Administrating the Trusted Operating System |
| 6.5.1 | Traditional Administrative Roles |
| 6.5.1.1 | Responsibilities of the Information Systems Security Officer |
| 6.5.1.2 | Responsibilities of the System Administrator |
| 6.5.1.3 | Responsibilities of the Operator |
| 6.5.2 | Protected Subsystems |
| 6.5.2.1 | Protected Password Database |
| 6.5.2.2 | System Defaults Database |
| 6.5.2.3 | Terminal Control Database |
| 6.5.2.4 | File Control Database |
| 6.5.2.5 | Device Assignment Database |
| 7 | Setting Up the Trusted System |
| 7.1 | Installation Notes |
| 7.1.1 | Full Installation |
| 7.1.2 | Update Installation |
| 7.2 | Segment Sharing |
| 7.3 | Installation Time Setup for Security |
| 7.4 | The secsetup Command |
| 7.4.1 | Setup Questions |
| 7.4.2 | Example secsetup Session |
| 7.5 | Configuring Enhanced Security Features |
| 7.5.1 | Configuring Audit |
| 7.5.2 | Configuring ACLs |
| 7.5.3 | Configuring Extended Authentication with NIS |
| 7.5.4 | Password and Authentication Features Configuration |
| 7.5.4.1 | Aging |
| 7.5.4.2 | Minimum Change Time |
| 7.5.4.3 | Changing Controls |
| 7.5.4.4 | Maximum Login Attempts |
| 7.5.4.5 | Time Between Login Attempts |
| 7.5.4.6 | Terminal Break-In |
| 7.5.4.7 | Time Between Logins |
| 7.5.4.8 | Per-Terminal Login Records |
| 7.5.4.9 | Automatic Extended Profile Creation |
| 7.5.4.10 | Vouching |
| 7.5.4.11 | Encryption |
| 7.6 | System Administrator Tasks |
| 7.7 | ISSO Tasks |
| 7.7.1 | Check System Defaults |
| 7.7.2 | Modifying a User Account |
| 7.7.3 | Assigning Terminal Devices |
| 7.7.4 | Setting Up Auditing |
| 7.8 | Backing the System Up |
| 8 | Creating and Modifying Secure Devices |
| 8.1 | Defining Security Characteristics |
| 8.1.1 | Modifying, Adding, and Removing Devices with the dxdevices Program |
| 8.1.2 | Setting Default Values with the dxdevices Program |
| 8.2 | Updating Security Databases |
| 9 | Creating and Maintaining Accounts |
| 9.1 | Using dxaccounts to Perform System Administration Functions |
| 9.1.1 | Creating User Accounts |
| 9.1.2 | Retiring Accounts |
| 9.1.3 | Creating Groups |
| 9.1.4 | Modifying the Account Template |
| 9.1.5 | Modifying User Accounts |
| 9.1.6 | Modifying the Account Template |
| 9.2 | Authentication Subsystem |
| 9.3 | Using NIS to Centralize Account Management |
| 9.3.1 | Overview of Enhanced Security and NIS User Account Databases |
| 9.3.1.1 | BASE Local User Account Database |
| 9.3.1.2 | NIS-Distributed BASE User Account Database |
| 9.3.1.3 | Enhanced Security Local Password Database |
| 9.3.1.4 | NIS and Enhanced Security Database Interaction |
| 9.3.2 | Implementation Notes |
| 9.3.3 | Setting Up a NIS Master Server |
| 9.3.3.1 | Manual Procedure for Small Databases |
| 9.3.3.2 | Automated Procedure for Large Databases |
| 9.3.4 | Setting Up a NIS Slave Server |
| 9.3.5 | Setting Up a NIS Client |
| 9.3.6 | Moving Local Accounts to NIS |
| 9.3.7 | Backing Out NIS |
| 10 | Administering the Audit Subsystem |
| 10.1 | Overview of Auditing |
| 10.1.1 | Files Used for Auditing |
| 10.1.2 | Auditing Tools |
| 10.2 | Setting Up the Audit Subsystem |
| 10.2.1 | Set Up Questions |
| 10.2.2 | Using the audit_setup Script |
| 10.3 | Selecting Audit Events |
| 10.3.1 | Event Aliases |
| 10.3.2 | Object Selection and Deselection |
| 10.3.3 | Targeting an Active Process |
| 10.4 | Audit Log Files |
| 10.4.1 | The auditlog File |
| 10.4.1.1 | Audit Log Overflow |
| 10.4.1.2 | Remote Audit Logs |
| 10.4.2 | Console Messages |
| 10.4.3 | Creating Your Own Log Entries |
| 10.5 | Configuring the Audit Subsystem Using auditd |
| 10.5.1 | Displaying Information About the Audit Subsystem |
| 10.5.2 | Designating the Location of the Audit Log File |
| 10.5.3 | Designating a Fallback Location for Audit Data |
| 10.5.4 | Designating a Destination for Audit Log Status Reports |
| 10.5.5 | Protecting Against Audit Log Overflow |
| 10.6 | Starting Audit |
| 10.6.1 | Turning Off Audit |
| 10.6.2 | Starting a New Audit Log |
| 10.7 | Auditing Across a Network |
| 10.8 | Processing Audit Log Data |
| 10.8.1 | Using audit_tool Interactively |
| 10.8.2 | Selecting Audit Records |
| 10.8.3 | Generating a Report for Each Audit ID |
| 10.8.4 | Selecting Audit Records Within a Time Range |
| 10.8.5 | Selecting Audit Records for Specific Events |
| 10.8.6 | Performing Continuous Audit Reporting |
| 10.8.7 | Selecting Audit Records for Process IDs |
| 10.8.8 | Filtering Out Specific Audit Records |
| 10.8.9 | Processing ULTRIX Audit Data |
| 10.9 | Site-Defined Audit Events |
| 10.9.1 | System Administrator's Responsibilities |
| 10.9.2 | Trusted Application Responsibility |
| 10.9.3 | Managing Your Own Audit Data |
| 10.9.4 | Changing the Site Event Mask |
| 10.10 | Suggested Audit Events |
| 10.10.1 | Dependencies Among Audit Events |
| 10.10.2 | Auditable Events |
| 10.11 | Audit Reports |
| 10.11.1 | Generating Audit Reports with the dxaudit Program |
| 10.11.1.1 | Selection Files |
| 10.11.1.2 | Deselection Files |
| 10.11.1.3 | Reports |
| 10.11.2 | Generating Audit Reports with the audit_tool Program |
| 10.11.2.1 | Audit Reports for System Calls |
| 10.11.2.2 | Audit Reports for Trusted Events |
| 10.11.2.3 | Audit Reports for Process IDs |
| 10.11.2.4 | Abbreviated Audit Reports |
| 10.12 | Audit Data Recovery |
| 10.13 | Implementation Notes |
| 10.14 | Traditional UNIX Logging Tools |
| 10.15 | Using Audit to Trace System Calls |
| 10.15.1 | Installing Audit |
| 10.15.2 | Enabling Audit |
| 10.15.3 | Tracing a Process |
| 10.15.4 | Reading the Trace Data |
| 10.15.5 | Modifying the Kernel to Get More Data for a System Call |
| 10.15.6 | System Calls Not Always Audited |
| 11 | Administering ACLs |
| 11.1 | Digital UNIX ACLs Overview |
| 11.2 | Administration Tasks |
| 11.3 | Installing ACLs |
| 11.3.1 | Enabling ACLs |
| 11.3.2 | Disabling ACLs |
| 11.3.3 | Verifying Kernel Changes |
| 11.3.4 | Determining If ACLs Are Enabled |
| 11.4 | Recovery |
| 11.5 | Standalone System Support |
| 12 | Ensuring Authentication Database Integrity |
| 12.1 | Composition of the Authentication Database |
| 12.2 | Running the authck Program |
| 12.3 | Adding Applications to the File Control Database |
| 13 | Security Integration Architecture |
| 13.1 | SIA Overview |
| 13.2 | Supported Security Configurations |
| 13.3 | matrix.conf Files |
| 13.4 | Installing a Layered Security Product |
| 13.5 | Installing Multiple Layered Security Products |
| 13.6 | Removing Layered Security Products |
| 14 | Trusted System Troubleshooting |
| 14.1 | Lock Files |
| 14.2 | Invalid Maps |
| 14.3 | Required Files and File Contents |
| 14.3.1 | The /tcb/files/auth/r/root File |
| 14.3.2 | The /etc/auth/system/ttys.db File |
| 14.3.3 | The /etc/auth/system/default File |
| 14.3.4 | The /etc/auth/system/devassign File |
| 14.3.5 | The /etc/passwd File |
| 14.3.6 | The /etc/group File |
| 14.3.7 | The /etc/auth/system/pw_id_map File |
| 14.3.8 | The /etc/auth/system/gr_id_map File |
| 14.3.9 | The /sbin/rc[023] Files |
| 14.3.10 | The /dev/console File |
| 14.3.11 | The /dev/pts/* and /dev/tty* Files |
| 14.3.12 | The /sbin/sulogin File |
| 14.3.13 | The /sbin/sh File |
| 14.3.14 | The /vmunix File |
| 14.4 | Problems Logging In or Changing Passwords |
| Part 3: Programmer's Guide to Security |
| 15 | Introduction for Programmers |
| 15.1 | Libraries and Header Files |
| 15.2 | Standard Trusted System Directories |
| 15.3 | System Calls and Library Routines with Enhanced Security |
| 15.3.1 | System Calls |
| 15.3.2 | Library Routines |
| 15.4 | Defining the Trusted Computing Base |
| 15.5 | Protecting TCB Files |
| 16 | Trusted Programming Techniques |
| 16.1 | Writing SUID and SGID Programs |
| 16.2 | Handling Errors |
| 16.3 | Protecting Permanent and Temporary Files |
| 16.4 | Specifying a Secure Search Path |
| 16.5 | Responding to Signals |
| 16.6 | Using Open File Descriptors with Child Processes |
| 16.7 | Security Concerns in a DECwindows Environment |
| 16.7.1 | Protect Keyboard Input |
| 16.7.2 | Block Keyboard and Mouse Events |
| 16.7.3 | Protect Device-Related Events |
| 16.8 | Protecting Shell Scripts |
| 17 | Authentication Database |
| 17.1 | Accessing the Databases |
| 17.2 | Database Components |
| 17.2.1 | Database Form |
| 17.2.2 | Reading and Writing a Database |
| 17.2.2.1 | Buffer Management |
| 17.2.2.2 | Reading an Entry by Name or ID |
| 17.2.2.3 | Reading Entries Sequentially |
| 17.2.2.4 | Using System Defaults |
| 17.2.2.5 | Writing an Entry |
| 17.3 | Device Assignment Database |
| 17.4 | File Control Database |
| 17.5 | System Default Database |
| 17.6 | Protected Password Database |
| 17.7 | Terminal Control Database |
| 18 | Identification and Authentication |
| 18.1 | New libsecurity Library Routines |
| 18.1.1 | Changed Application Programming Interfaces |
| 18.1.2 | What to Do With Existing Programs |
| 18.1.3 | What to Do For New Programs |
| 18.2 | The Audit ID |
| 18.3 | Identity Support Libraries |
| 18.4 | Using Daemons |
| 18.5 | Using the Protected Password Database |
| 18.6 | Example: Password Expiration Program |
| 18.7 | Password Handling |
| 19 | Audit Record Generation |
| 19.1 | Categories of Auditable Events |
| 19.2 | Generation of Audit Records |
| 19.3 | Disabling Auditing |
| 19.4 | Modifying Process Audit Attributes |
| 19.5 | Audit Records and Tokens |
| 19.5.1 | Public Tokens |
| 19.5.2 | Private Tokens |
| 19.6 | Application-Specific Audit Records |
| 20 | Using the SIA Interface |
| 20.1 | Overview |
| 20.2 | SIA Layering |
| 20.3 | System Initialization |
| 20.4 | Libraries |
| 20.5 | Header Files |
| 20.6 | SIAENTITY Structure |
| 20.7 | Parameter Collection |
| 20.8 | Maintaining State |
| 20.9 | Return Values |
| 20.10 | Audit Logs |
| 20.11 | Integrating Security Mechanisms |
| 20.12 | Session Processing |
| 20.12.1 | Session Initialization |
| 20.12.2 | Session Authentication |
| 20.12.3 | Session Establishment |
| 20.12.4 | Session Launch |
| 20.12.5 | Session Release |
| 20.12.6 | Specific Session Processing |
| 20.12.6.1 | The login Process |
| 20.12.6.2 | The rshd Process |
| 20.12.6.3 | The rlogind Process |
| 20.13 | Changing Secure Information |
| 20.13.1 | Changing a User's Password |
| 20.13.2 | Changing a User's Finger Information |
| 20.13.3 | Changing a User's Shell |
| 20.14 | Accessing Security Information |
| 20.14.1 | Accessing /etc/passwd Information |
| 20.14.2 | Accessing /etc/group Information |
| 20.15 | Session Parameter Collection |
| 20.16 | Packaging Products for the SIA |
| 20.17 | Security Mechanism-Dependent Interface |
| 20.18 | Single User Mode |
| 21 | Programming With ACLs |
| 21.1 | Introduction to ACLs |
| 21.2 | Library Routines |
| 21.3 | Discretionary Access Terms |
| 21.4 | ACL Data Representations |
| 21.4.1 | Working Storage Representation |
| 21.4.2 | Data Package Representation |
| 21.4.3 | External Representation |
| 21.5 | Default ACLs |
| 21.6 | ACL Rules |
| 21.6.1 | Object Creation |
| 21.6.2 | ACL Replication |
| 21.6.3 | ACL Validity |
| 21.7 | ACL Creation Example |
| 21.8 | Imported and Exported Data |
| 21.8.1 | Digital UNIX System to Same Digital UNIX System |
| 21.8.2 | Digital UNIX System to Another Digital UNIX System |
| 21.8.3 | Digital UNIX System to Other |
| 21.8.4 | Other to Digital UNIX System |
| A | File Summary |
| B | Auditable Events and Aliases |
| B.1 | Default Auditable Events File |
| B.2 | Sample Event Aliases File |
| C | Interoperating with and Migrating from ULTRIX Systems |
| C.1 | Migration Issues |
| C.1.1 | Difference in the audgen System Call |
| C.1.2 | Differences in the audcntl Routine |
| C.1.3 | Changes to the authaudit Routines |
| C.1.4 | Difference in the Authentication Interfaces |
| C.1.5 | Differences in Password Encryption |
| C.1.6 | Trusted Path Unavailable on Digital UNIX |
| C.1.7 | Secure Attention Key (SAK) Unavailable on Digital UNIX |
| C.2 | Moving ULTRIX Authentication Files to Digital UNIX |
| C.2.1 | Converting Shared Authentication Files |
| C.2.2 | Converting Local Authentication Files |
| C.2.3 | After Converting the Authentication Files |
| C.3 | Audit Data Compatibility |
| D | Coding Examples |
| D.1 | Source Code for sia-reauth.c |
| D.2 | Source Code for sia-suauth.c |
| E | Symbol Preemption for SIA Routines |
| E.1 | Overview of the Symbol Preemption Problem |
| E.2 | The Digital UNIX Solution |
| E.3 | Replacing the Single-User Environment |
| Glossary |
| Examples |
| 7-1 | Using secsetup |
| 10-1 | Using the audit_setup Script |
| 10-2 | Sample Active Auditing Session |
| 10-3 | Sample /etc/sec/auditd_loc File |
| 10-4 | Layered Product Audit Record |
| 10-5 | Audit Report for System Calls |
| 10-6 | Audit Report for Trusted Events |
| 10-7 | Audit Report for Process IDs |
| 10-8 | Abbreviated Audit Report |
| 10-9 | Abbreviated Audit Report with User Names |
| 11-1 | Enabling ACLs |
| 11-2 | Disabling ACLs |
| 13-1 | Default /etc/sia/bsd_matrix.conf File |
| 13-2 | Default /etc/sia/OSFC2_matrix.conf File |
| 13-3 | Default /etc/sia/dce_matrix.conf File |
| 13-4 | Deleting a Layered Security Product |
| 18-1 | Password Expiration Program |
| 19-1 | Public Tokens |
| 19-2 | Private Tokens |
| 20-1 | The SIAENTITY Structure |
| 20-2 | Typical /var/adm/sialog File |
| 20-3 | Session Processing Code |
| D-1 | Reauthentication Program |
| D-2 | Superuser Authentication Program |
| E-1 | Preempting Symbols in Single-User Mode |
| Figures |
| 9-1 | NIS and Enhanced Security |
| 13-1 | Security Integration Architecture |
| 20-1 | SIA Layering |
| 20-2 | SIA Session Processing |
| Tables |
| 5-1 | Example ACL Entries |
| 6-1 | Potential System Threats |
| 6-2 | Traditional Administrative Roles |
| 6-3 | Protected Subsystems |
| 9-1 | NIS passwd File Overrides |
| 10-1 | Files Used for Auditing |
| 10-2 | Traditional UNIX Log Files in /var/adm |
| 10-3 | System Calls Not Always Audited |
| 15-1 | Standard Trusted System Directories |
| 15-2 | Security-Relevant System Calls |
| 15-3 | Security-Relevant Library Routines |
| 18-1 | Changed Programming Interfaces |
| 18-2 | Changed Data Structures |
| 20-1 | Security Sensitive Operating System Commands |
| 20-2 | SIA Mechanism-Independent Routines |
| 20-3 | SIA Mechanism-Dependent Routines |
| 21-1 | ACL Library Routines |
| 21-2 | Discretionary Access Terms |
| 21-3 | ACL Entry External Representation |
| A-1 | Trusted Computing Base |
| A-2 | Files Not in Trusted Computing Base |
| Index |