| Title and Copyright Information |
| About This Manual |
| Audience |
| New and Changed Features |
| Organization |
| Related Documentation |
| Reader's Comments |
| Conventions |
| 1 | User's Guide to Security |
| 1 | Introduction for Users |
| 1.1 | Security Features |
| 1.1.1 | Login Control Enhancements |
| 1.1.2 | Password Enhancements |
| 1.1.3 | Audit Subsystem |
| 1.1.4 | ACLs |
| 1.2 | User Accountability |
| 1.3 | User Responsibilities |
| 2 | Getting Started |
| 2.1 | Logging In |
| 2.1.1 | Authentication Profile |
| 2.1.2 | Other Login Restrictions |
| 2.2 | Setting Your Password |
| 2.2.1 | Choosing Your Own Password |
| 2.2.2 | Choosing a System-Generated Password |
| 2.2.3 | Understanding Password Aging |
| 2.3 | Using the su Command |
| 2.4 | Password Security Tips |
| 2.5 | Login and Logout Security Tips |
| 2.6 | Problem Solving |
| 2.6.1 | Passwords |
| 2.6.2 | Background Jobs |
| 2.6.3 | Sticky Directories |
| 2.6.4 | SUID/SGID Clearing |
| 2.6.5 | Access Control Lists |
| 2.6.6 | If You Cannot Log In |
| 3 | Connecting to Other Systems |
| 3.1 | The TCP/IP Commands |
| 3.1.1 | The rlogin, rcp, and rsh Commands |
| 3.1.2 | The hosts.equiv File |
| 3.1.3 | The .rhosts File |
| 3.1.4 | The ftp Command |
| 3.1.5 | The tftp Command |
| 3.1.6 | Remote Connection Security Tips |
| 3.2 | LAT Commands |
| 3.3 | The UUCP Utility |
| 3.3.1 | The uucp Command |
| 3.3.2 | The tip and cu Commands |
| 3.3.3 | The uux Command |
| 3.4 | The dlogin, dls, and dcp Commands |
| 4 | DECwindows Environment |
| 4.1 | External Access to Your Display |
| 4.2 | Controlling Network Access to Your Workstation |
| 4.2.1 | System Access Control List |
| 4.2.2 | Workstation Access Control List |
| 4.2.3 | Storing the Workstation Access Control List |
| 4.2.4 | Using the X Authority File Utility |
| 4.3 | Protecting Keyboard Input |
| 4.4 | Blocking Keyboard and Mouse Information |
| 4.5 | Pausing Your Workstation |
| 4.6 | Workstation Physical Security |
| 5 | Using ACLs |
| 5.1 | Traditional Discretionary Access Control |
| 5.2 | An Overview of ACLs |
| 5.3 | States of the ACL System |
| 5.4 | Setting an ACL |
| 5.5 | Default ACLs |
| 5.6 | Viewing an ACL |
| 5.7 | Access Decision Process |
| 5.8 | ACL Structure |
| 5.9 | ACL Initialization |
| 5.10 | Protecting Objects with ACLs |
| 5.10.1 | ACLs and the ls Command |
| 5.10.2 | Using the setacl Command |
| 5.10.3 | Using the getacl Command |
| 5.11 | Maintaining ACLs on Your Objects |
| 5.12 | ACLs and the emacs Editor |
| 2 | Administrator's Guide to Security |
| 6 | Introduction for Administrators |
| 6.1 | Frequently Asked Questions About Trusted Systems |
| 6.2 | Defining a Trusted System |
| 6.3 | Enhanced Security Features |
| 6.3.1 | Audit Features |
| 6.3.2 | Identification and Authentication (I and A) Features |
| 6.3.3 | Access Control Lists (ACLs) |
| 6.3.4 | Integrity Features |
| 6.4 | Windows-Based Administration Utilities |
| 6.4.1 | Installing and Configuring Enhanced Security |
| 6.5 | Administrating the Trusted Operating System |
| 6.5.1 | Traditional Administrative Roles |
| 6.5.1.1 | Responsibilities of the Information Systems Security Officer |
| 6.5.1.2 | Responsibilities of the System Administrator |
| 6.5.1.3 | Responsibilities of the Operator |
| 6.5.2 | Protected Subsystems |
| 6.5.2.1 | Protected Password Database |
| 6.5.2.2 | System Defaults Database |
| 6.5.2.3 | Terminal Control Database |
| 6.5.2.4 | File Control Database |
| 6.5.2.5 | Device Assignment Database |
| 6.6 | Enhanced Security in a Cluster Environment |
| 7 | Setting Up the Trusted System |
| 7.1 | Installation Notes |
| 7.1.1 | Full Installation |
| 7.1.2 | Update Installation |
| 7.2 | Segment Sharing |
| 7.3 | Installation Time Setup for Security |
| 7.4 | The secsetup Command |
| 7.4.1 | Setup Questions |
| 7.4.2 | Example secsetup Session |
| 7.5 | Configuring Enhanced Security Features |
| 7.5.1 | Configuring Audit |
| 7.5.2 | Configuring ACLs |
| 7.5.3 | Configuring Extended Authentication with NIS |
| 7.5.4 | Password and Authentication Features Configuration |
| 7.5.4.1 | Aging |
| 7.5.4.2 | Minimum Change Time |
| 7.5.4.3 | Changing Controls |
| 7.5.4.4 | Maximum Login Attempts |
| 7.5.4.5 | Time Between Login Attempts |
| 7.5.4.6 | Terminal Break-In |
| 7.5.4.7 | Time Between Logins |
| 7.5.4.8 | Per-Terminal Login Records |
| 7.5.4.9 | Automatic Extended Profile Creation |
| 7.5.4.10 | Vouching |
| 7.5.4.11 | Encryption |
| 7.6 | System Administrator Tasks |
| 7.7 | ISSO Tasks |
| 7.7.1 | Check System Defaults |
| 7.7.2 | Modifying a User Account |
| 7.7.3 | Assigning Terminal Devices |
| 7.7.4 | Setting Up Auditing |
| 7.8 | Backing the System Up |
| 8 | Creating and Modifying Secure Devices |
| 8.1 | Defining Security Characteristics |
| 8.1.1 | Modifying, Adding, and Removing Devices with the dxdevices Program |
| 8.1.2 | Setting Default Values with the dxdevices Program |
| 8.2 | Updating Security Databases |
| 9 | Creating and Maintaining Accounts |
| 9.1 | Using dxaccounts to Perform System Administration Functions |
| 9.1.1 | Creating User Accounts |
| 9.1.2 | Retiring Accounts |
| 9.1.3 | Creating Groups |
| 9.1.4 | Modifying the Account Template |
| 9.1.5 | Modifying User Accounts |
| 9.1.6 | Modifying the Account Template |
| 9.2 | Authentication Subsystem |
| 9.3 | Using NIS to Centralize Account Management |
| 9.3.1 | Overview of Enhanced Security and NIS User Account Databases |
| 9.3.1.1 | BASE Local User Account Database |
| 9.3.1.2 | NIS-Distributed BASE User Account Database |
| 9.3.1.3 | Enhanced Security Local Password Database |
| 9.3.1.4 | NIS and Enhanced Security Database Interaction |
| 9.3.2 | Implementation Notes |
| 9.3.3 | Setting Up a NIS Master Server |
| 9.3.3.1 | Manual Procedure for Small Databases |
| 9.3.3.2 | Automated Procedure for Large Databases |
| 9.3.4 | Setting Up a NIS Slave Server |
| 9.3.5 | Setting Up a NIS Client |
| 9.3.6 | Moving Local Accounts to NIS |
| 9.3.7 | Backing Out NIS |
| 10 | Administering the Audit Subsystem |
| 10.1 | Overview of Auditing |
| 10.1.1 | Audit Files |
| 10.1.2 | Audit Tools |
| 10.1.2.1 | Command-line Interface |
| 10.1.2.2 | Graphic Interface |
| 10.2 | Quick Start |
| 10.2.1 | What to Do Next |
| 10.3 | Audit Commands |
| 10.3.1 | Configuring the Audit Subsystem: the |
| 10.3.2 | Selecting Events to Audit: the |
| 10.3.3 | Producing Audit Reports: the |
| 10.4 | What to Audit |
| 10.4.1 | Trusted Events |
| 10.4.2 | Site-defined Audit Events |
| 10.4.3 | Dependencies Among Audit Events |
| 10.4.4 | Suggestions of Events to Audit |
| 10.5 | Preselection: Managing the Volume of Audit Data |
| 10.5.1 | Audit Masks and Control Flags |
| 10.5.2 | Event Aliases |
| 10.5.3 | Object Selection and Deselection |
| 10.6 | Auditing Across a Network |
| 10.7 | Contents of Audit Records |
| 10.7.1 | Additional Entries in Audit Records |
| 10.7.2 | Example Audit Record |
| 10.7.3 | Abbreviated Audit Records |
| 10.8 | More About Generating Audit Reports |
| 10.8.1 | Filtering Out Specific Audit Records |
| 10.8.2 | Targeting Active Processes |
| 10.9 | Audit Data Recovery |
| 10.10 | Implementation Notes |
| 10.11 | Responding to Audit Reports |
| 10.12 | Using Audit to Trace System Calls |
| 10.12.1 | Tracing a Process |
| 10.12.2 | Reading the Trace Data |
| 10.12.3 | Modifying the Kernel to Get More Data for a System Call |
| 10.13 | Traditional UNIX Logging Tools |
| 11 | Administering ACLs |
| 11.1 | Tru64 UNIX ACLs Overview |
| 11.2 | Administration Tasks |
| 11.3 | Installing ACLs |
| 11.3.1 | Enabling ACLs |
| 11.3.2 | Disabling ACLs |
| 11.3.3 | Verifying Kernel Changes |
| 11.3.4 | Determining If ACLs Are Enabled |
| 11.4 | Recovery |
| 11.5 | Standalone System Support |
| 12 | Ensuring Authentication Database Integrity |
| 12.1 | Composition of the Authentication Database |
| 12.2 | Running the authck Program |
| 12.3 | Adding Applications to the File Control Database |
| 12.4 | Recovery of /etc/passwd Information |
| 13 | Security Integration Architecture |
| 13.1 | SIA Overview |
| 13.2 | Supported Security Configurations |
| 13.3 | matrix.conf Files |
| 13.4 | Installing a Layered Security Product |
| 13.5 | Installing Multiple Layered Security Products |
| 13.6 | Removing Layered Security Products |
| 14 | Trusted System Troubleshooting |
| 14.1 | Lock Files |
| 14.2 | Required Files and File Contents |
| 14.2.1 | The /tcb/files/auth/r/root File or /tcb/files/auth.db |
| 14.2.2 | The /etc/auth/system/ttys.db File |
| 14.2.3 | The /etc/auth/system/default File |
| 14.2.4 | The /etc/auth/system/devassign File |
| 14.2.5 | The /etc/passwd File |
| 14.2.6 | The /etc/group File |
| 14.2.7 | The /sbin/rc[023] Files |
| 14.2.8 | The /dev/console File |
| 14.2.9 | The /dev/pts/* and /dev/tty* Files |
| 14.2.10 | The /sbin/sulogin File |
| 14.2.11 | The /sbin/sh File |
| 14.2.12 | The /vmunix File |
| 14.3 | Problems Logging In or Changing Passwords |
| 3 | Programmer's Guide to Security |
| 15 | Introduction for Programmers |
| 15.1 | Libraries and Header Files |
| 15.2 | Standard Trusted System Directories |
| 15.3 | Security Relevent System Calls and Library Routines |
| 15.3.1 | System Calls |
| 15.3.2 | Library Routines |
| 15.4 | Defining the Trusted Computing Base |
| 15.5 | Protecting TCB Files |
| 15.5.1 | Secure Applications |
| 16 | Trusted Programming Techniques |
| 16.1 | Writing SUID and SGID Programs |
| 16.2 | Handling Errors |
| 16.3 | Protecting Permanent and Temporary Files |
| 16.4 | Specifying a Secure Search Path |
| 16.5 | Responding to Signals |
| 16.6 | Using Open File Descriptors with Child Processes |
| 16.7 | Security Concerns in a DECwindows Environment |
| 16.7.1 | Protect Keyboard Input |
| 16.7.2 | Block Keyboard and Mouse Events |
| 16.7.3 | Protect Device-Related Events |
| 16.8 | Protecting Shell Scripts |
| 17 | Authentication Database |
| 17.1 | Accessing the Databases |
| 17.2 | Database Components |
| 17.2.1 | Database Form |
| 17.2.2 | Reading and Writing a Database |
| 17.2.2.1 | Buffer Management |
| 17.2.2.2 | Reading an Entry by Name or ID |
| 17.2.2.3 | Reading Entries Sequentially |
| 17.2.2.4 | Using System Defaults |
| 17.2.2.5 | Writing an Entry |
| 17.3 | Device Assignment Database (devassign) |
| 17.4 | File Control Database (file) |
| 17.5 | System Default Database (default) |
| 17.6 | Protected Password Database (prpasswd or auth) |
| 17.7 | Terminal Control Database (ttys) |
| 18 | Identification and Authentication |
| 18.1 | The Audit ID |
| 18.2 | Identity Support Libraries |
| 18.3 | Using Daemons |
| 18.4 | Using the Protected Password Database |
| 18.5 | Example: Password Expiration Program |
| 18.6 | Password Handling |
| 19 | Audit Record Generation |
| 19.1 | Categories of Auditable Events |
| 19.2 | Generation of Audit Records |
| 19.3 | Disabling Auditing |
| 19.4 | Modifying Process Audit Attributes |
| 19.5 | Audit Records and Tokens |
| 19.5.1 | Public Tokens |
| 19.5.2 | Private Tokens |
| 19.6 | Application-Specific Audit Records |
| 20 | Using the SIA Interface |
| 20.1 | Overview |
| 20.2 | SIA Layering |
| 20.3 | System Initialization |
| 20.4 | Libraries |
| 20.5 | Header Files |
| 20.6 | SIAENTITY Structure |
| 20.7 | Parameter Collection |
| 20.8 | Maintaining State |
| 20.9 | Return Values |
| 20.10 | Audit Logs |
| 20.11 | Integrating Security Mechanisms |
| 20.12 | Session Processing |
| 20.12.1 | Session Initialization |
| 20.12.2 | Session Authentication |
| 20.12.3 | Session Establishment |
| 20.12.4 | Session Launch |
| 20.12.5 | Session Release |
| 20.12.6 | Specific Session Processing |
| 20.12.6.1 | The login Process |
| 20.12.6.2 | The rshd Process |
| 20.12.6.3 | The rlogind Process |
| 20.13 | Changing Secure Information |
| 20.13.1 | Changing a User's Password |
| 20.13.2 | Changing a User's Finger Information |
| 20.13.3 | Changing a User's Shell |
| 20.14 | Accessing Security Information |
| 20.14.1 | Accessing /etc/passwd Information |
| 20.14.2 | Accessing /etc/group Information |
| 20.15 | Session Parameter Collection |
| 20.16 | Packaging Products for the SIA |
| 20.17 | Security Mechanism-Dependent Interface |
| 20.18 | Single User Mode |
| 21 | Discretionary Access Control |
| 21.1 | Introduction to ACLs |
| 21.2 | DAC Access Definitions |
| 21.3 | DAC Privileges |
| 21.4 | ACL Data Representations |
| 21.4.1 | Working Storage Representation |
| 21.4.2 | Data Package Representation |
| 21.4.3 | External Representation |
| 21.5 | Default ACL |
| 21.6 | ACL Rules |
| 21.6.1 | Object Creation |
| 21.6.2 | ACL Replication |
| 21.6.3 | Mask Entries |
| 21.6.4 | ACL Validity |
| 21.7 | Example - ACL Creation |
| 21.8 | Example - Mask Recomputation |
| 21.9 | Example - ACL Inheritance |
| A | File Summary |
| B | Auditable Events and Aliases |
| B.1 | Default Auditable Events File |
| B.2 | Sample Event Aliases File |
| C | Interoperating with and Migrating from ULTRIX Systems |
| C.1 | Migration Issues |
| C.1.1 | Difference in the audgen System Call |
| C.1.2 | Differences in the audcntl Routine |
| C.1.3 | Changes to the authaudit Routines |
| C.1.4 | Difference in the Authentication Interfaces |
| C.1.5 | Differences in Password Encryption |
| C.1.6 | Trusted Path Unavailable on Tru64 UNIX |
| C.1.7 | Secure Attention Key (SAK) Unavailable on Tru64 UNIX |
| C.2 | Moving ULTRIX Authentication Files to Tru64 UNIX |
| C.2.1 | Converting Shared Authentication Files |
| C.2.2 | Converting Local Authentication Files |
| C.2.3 | After Converting the Authentication Files |
| C.3 | Audit Data Compatibility |
| D | Coding Examples |
| D.1 | Source Code for sia-reauth.c |
| D.2 | Source Code for sia-suauth.c |
| E | Symbol Preemption for SIA Routines |
| E.1 | Overview of the Symbol Preemption Problem |
| E.2 | The Tru64 UNIX Solution |
| E.3 | Replacing the Single-User Environment |
| F | C2 Level Security Configuration |
| F.1 | Evaluation Status |
| F.2 | Establishing a Security Policy |
| F.3 | Minimum C2 Configuration |
| F.4 | Initial Configuration |
| F.4.1 | General Configuration |
| F.4.2 | Extended Passwords and Authentication Using secsetup |
| F.4.3 | Libraries |
| F.4.4 | Account Prototypes and Templates |
| F.4.5 | Configuring the Audit Subsystem |
| F.4.6 | Configuring ACLs |
| F.4.7 | Verifying That Your Installation Is Secure |
| F.4.8 | Configuring Network Security |
| F.4.9 | Post Installation Security Configuration |
| F.4.9.1 | umask for Remote Access |
| F.4.9.2 | Devices |
| F.4.9.3 | Accounts |
| F.4.9.4 | Root Access |
| F.4.10 | Network Configuration |
| F.5 | Physical Security |
| F.6 | Applications |
| F.7 | Periodic Security Administration Procedures |
| F.8 | Verification Tools |
| Glossary |
| Examples |
| 7-1 | Using secsetup |
| 10-1 | Sample Active Auditing Session |
| 11-1 | Enabling ACLs |
| 11-2 | Disabling ACLs |
| 13-1 | Default /etc/sia/bsd_matrix.conf File |
| 13-2 | Default /etc/sia/dce_matrix.conf File |
| 13-3 | Deleting a Layered Security Product |
| 18-1 | Password Expiration Program |
| 19-1 | Public Tokens |
| 19-2 | Private Tokens |
| 20-1 | The SIAENTITY Structure |
| 20-2 | Typical /var/adm/sialog File |
| 20-3 | Session Processing Code |
| D-1 | Reauthentication Program |
| D-2 | Superuser Authentication Program |
| E-1 | Preempting Symbols in Single-User Mode |
| Figures |
| 9-1 | NIS Maps for Enhanced Security |
| 13-1 | Security Integration Architecture |
| 20-1 | SIA Layering |
| 20-2 | SIA Session Processing |
| Tables |
| 5-1 | Example ACL Entries |
| 6-1 | Potential System Threats |
| 6-2 | Traditional Administrative Roles |
| 6-3 | Protected Subsystems |
| 9-1 | NIS passwd File Overrides |
| 10-1 | Files Used for Auditing |
| 10-2 | auditd Examples |
| 10-3 | State-dependent Information |
| 10-4 | System Calls Not Always Audited |
| 10-5 | Traditional UNIX Log Files in /var/adm |
| 15-1 | Standard Trusted System Directories |
| 15-2 | Security-Relevant System Calls |
| 15-3 | Security-Relevant Library Routines |
| 20-1 | Security Sensitive Operating System Commands |
| 20-2 | SIA Mechanism-Independent Routines |
| 20-3 | SIA Mechanism-Dependent Routines |
| 21-1 | ACL Entry External Representation |
| A-1 | Trusted Computing Base |
| A-2 | Files Not in Trusted Computing Base |
| Index |