The Tru64 UNIX operating system is delivered with an enhanced security optional subset and other optional security features. When the enhanced security subset is installed and configured, the system is referred to as a trusted system. The Tru64 UNIX enhanced security features result in a trusted system designed to meet the C2 class of trust, as defined by the Trusted Computer System Evaluation Criteria (TCSEC, also called the Orange Book). The system also meets the F-C2 functional class as defined in the Information Technology Security Evaluation Criteria (ITSEC).
Although many of the requirements for maintaining the security of the trusted Tru64 UNIX system are the responsibility of your site's administrative staff, you have a responsibility, as a user of the system, to help enforce the security provided by the system. This chapter explains system capabilities and user responsibilities.
The Tru64 UNIX system without the enhanced security subset installed provides traditional UNIX security, as described in the Tru64 UNIX manuals. Traditional UNIX security at the user level consists of basic login identification, authentication (password checking) and file permissions (discretionary access controls (DAC)). The following sections describe how enhanced security extends traditional security.
To determine which of the security features are running on your system, see your system administrator.
Enhanced security features for login control may include the following:
Recording of the last terminal used for a successful login
Recording of the time of the last successful login
Recording of the time of the last unsuccessful login attempt
Recording of the number of consecutive unsuccessful login attempts
Recording of the terminal used for the last unsuccessful login attempt
Automatic account lockout after a specified number of consecutive bad access attempts
A per-terminal setting for the delay between consecutive login attempts, and the maximum amount of time each attempt is allowed before being declared a failed attempt
A per-terminal setting for the maximum consecutive failed login attempts before locking any new accesses from that terminal
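The per-user and per-terminal login controls listed above can be understood as a small state machine. The following is an added illustration, not Tru64 code and not the format of its authentication database: it keeps the counters and timestamps the manual describes in plain Python records, models the per-terminal delay as the login program waiting, and omits the per-attempt timeout.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class UserRecord:
    max_tries: int                                   # failures before the account locks
    failed: int = 0                                  # consecutive unsuccessful attempts
    locked: bool = False
    last_success: Optional[Tuple[int, str]] = None   # (time, terminal) of last good login
    last_failure: Optional[Tuple[int, str]] = None   # (time, terminal) of last failure

@dataclass
class TerminalRecord:
    name: str
    max_tries: int                                   # failures before the terminal locks
    delay: int                                       # seconds between consecutive attempts
    failed: int = 0
    last_attempt: int = -10**9                       # time the previous attempt started
    locked: bool = False

def attempt_login(user: UserRecord, term: TerminalRecord, now: int,
                  password_ok: bool) -> Tuple[str, int]:
    """Apply the policy to one attempt; return (outcome, time the attempt ran).
    The per-terminal delay is modelled as the login program waiting, so an
    attempt arriving early is processed at last_attempt + delay (assumption)."""
    started = max(now, term.last_attempt + term.delay)
    term.last_attempt = started
    if term.locked:                  # no new access from this terminal
        return "tty-locked", started
    if user.locked:                  # account locked out by earlier failures
        return "user-locked", started
    if password_ok:
        user.failed = term.failed = 0            # success clears both counters
        user.last_success = (started, term.name)
        return "ok", started
    user.failed += 1                             # a failure is charged to both
    term.failed += 1
    user.last_failure = (started, term.name)
    user.locked = user.failed >= user.max_tries
    term.locked = term.failed >= term.max_tries
    return "bad-password", started

def replay(user: UserRecord, terms: dict, events: List[Tuple[str, int, bool]]) -> List[str]:
    """Feed constructed (terminal, time, password_ok) events through the policy."""
    return [attempt_login(user, terms[t], when, ok)[0] for t, when, ok in events]

if __name__ == "__main__":
    alice = UserRecord(max_tries=3)                  # constructed sample account
    ttys = {"tty01": TerminalRecord("tty01", max_tries=5, delay=2)}
    print(replay(alice, ttys, [("tty01", 0, False), ("tty01", 1, False),
                               ("tty01", 10, False), ("tty01", 20, True)]))
```

After three consecutive failures the fourth attempt is refused even with the correct password, and the record still shows which terminal produced the last failure.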
Enhanced security provides the following features for password control:
Configurable maximum password length, up to 80 characters
Configurable password lifetimes
Variable minimum password length
System-generated passwords that take the form of a pronounceable password made up of meaningless syllables, an unpronounceable password made up of random characters from the character set, or an unpronounceable password made up of random letters from the alphabet (all letters are from ASCII)
Per-user password generation flags, which include the ability to require a user to have a system-generated password
Record of who (besides the user) last changed the user's password
Password usage history
One of the most useful features of a trusted Tru64 UNIX system is that the administrator can use the audit subsystem to hold users accountable for their actions. The audit subsystem records every relevant security event that happens on the system (for example, each file open, file creation, login, and print job submitted).
Each action is also stamped with an immutable audit ID (AUID) of the user who logged on, which allows all actions to be traced directly to a user. Users, by request to the system administrator, can use the audit trail to help recreate past events that affect the security of their accounts and data.
Users have no direct interaction with the audit subsystem. The audit feature is discussed in detail in Chapter 10.
Users on a Tru64 UNIX system can provide access granularity on objects down to a single user by using the optional Access Control List (ACL). An ACL can be associated with any file or directory on systems with file systems that support property lists. An ACL allows users to specify exactly how they want their files protected. See Chapter 5 for information on using ACLs.
A trusted system holds all users accountable for the actions that they perform on the system. When you log in, the system associates an audit ID (AUID) with your processes; the AUID remains stamped on processes regardless of the program being run. Even if you change your real or effective user ID (for example, by using su to become root or another user), the system still knows which authenticated user caused a specific action based on the identity recorded in the indelible AUID. Once stamped, the AUID cannot be changed.
The system maintains an extensive authentication profile describing the characteristics and capabilities of each user - for example, the particular authorizations that user possesses and the particular login restrictions on the user.
It is extremely difficult for an unauthorized user to break into a trusted system because of the extra security features added to the login procedure. In addition, in a trusted system you can more easily detect a penetration or attempted penetration into your account. Note, however, that these additional assurances are useless if you do not protect your password.
As a user of a trusted system, you must help protect the information that is stored and processed on the system. Specifically, you must do the following:
Guard your password to protect against unaccountable access to your account.
Apply strict discretionary access controls, including the use of access control lists, to protect your data from disclosure or destruction.
Use the privilege mechanism to restrict the actions of programs you run.
Report all suspect activity to the system administrator, so that past events can be analyzed through the audit trail.
A trusted Tru64 UNIX system provides tools and mechanisms that help the system maintain the level of trust for which the system was designed. These are described in subsequent chapters.