Digital UNIX Version 4.0, running enhanced security, is designed to meet or exceed the requirements of the C2 evaluation class of DoD 5200.28-STD Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book. The enhanced security features ship as optional subsets. After the security subsets are installed, you can configure an enhanced security kernel and access secure commands and utilities.
The following C2 requirements specified in the Orange Book are supported by Digital UNIX Version 4.0 running enhanced security:
The following audit features are provided in Digital UNIX Version 4.0:
- dxaudit GUI (graphical user interface)
- The audit system is set up from the command line.
- Maintenance for the audit subsystem is done from the command line or with the dxaudit GUI.
Digital UNIX Version 4.0 intends to support the POSIX 1003.6 standard for audit when it is approved. The Digital implementation will also provide backward compatibility with the current audit interfaces. For more information, see the guide Security.
Digital's Security Integration Architecture (SIA) allows a single set of identification and authentication (I&A) utilities to work in either the nontrusted system or the trusted (enhanced security) system. By using the secsetup command, you can configure your system to use either nontrusted or enhanced security commands.
The following I&A features are provided in Digital UNIX Version 4.0 running enhanced security:
- dxaccounts) to perform many of the I&A administration tasks.
- edauth, convauth, and convuser utilities to make the migration of accounts to the enhanced security level easier.
For more information, see the guide Security.
Object reuse is a standard feature of Digital UNIX Version 4.0. Object reuse ensures that physical storage (memory or disk space) assigned to shared objects, or physical storage that is released prior to reassignment to another user, is cleared or scrubbed before it is reused. Examples of object reuse are disk space that is released after a file is truncated and physical memory that is released prior to reassignment to another user, which that user could otherwise read.
Discretionary access controls (DACs) are a standard feature of Digital UNIX Version 4.0. Discretionary access control provides the capability for users to define how the resources they create can be shared. The traditional UNIX permission bits provide this capability.
The Digital UNIX Version 4.0 system also provides optional access control lists (ACLs), which protect objects at the individual user level.
Setting permissions, including ACLs, is discussed in the Security manual.
Digital UNIX Version 4.0 maintains a separate execution domain for the trusted computing base (TCB) components using hardware memory management to protect the TCB while it is executing. It maintains a kernel address space for the operating system, and maintains separate address spaces for each instance of an executing trusted (or untrusted) application process. Writable address space sharing between processes is controlled by discretionary access controls (DAC), with the default being to disallow sharing. Sharing of read-only address space sections (for example, shared libraries) can be disabled.
Digital UNIX Version 4.0 also protects the on-disk TCB components using discretionary access control. Attempted violations of the DAC protections can be audited so that remedial action can be taken by the system security officer.
In addition, the TCB is structured into well-defined, largely independent modules.
Digital UNIX Version 4.0 is designed, developed, and maintained under a configuration management system that controls changes to the specifications, documentation, source code, object code, hardware, firmware, and test suites. Tools, which are also maintained under configuration control, are provided to control and automate the generation of new versions of the TCB from source code and to verify that the correct versions of the source have been incorporated into the new TCB version. The master copies of all material used to generate the TCB are protected from unauthorized modification or destruction.
Digital UNIX Version 4.0 provides the capability to validate the correct operation of hardware, firmware, and software components of the TCB. The firmware includes power-on diagnostics and more extensive diagnostics that can optionally be enabled. The firmware itself resides in EEPROM and can be physically write-protected. It can also be compared against, or reloaded from, an off-line master copy. Digital's service engineers can run additional hardware diagnostics as well.
The firmware can require authorization to load any operating software other than the default or to execute privileged console monitor commands that examine or modify memory.
Once the operating system is loaded, system diagnostics can be run to validate the correct operation of the hardware and software. In addition, test suites are available to ensure the correct operation of the operating system software.
The following two tools can be run automatically to detect inconsistencies in the TCB software and databases:
- fverify: The fverify command reads subset inventory records from standard input and verifies that the attributes for the files on the system match the attributes listed in the corresponding records. Missing files and inconsistencies in file size, checksum, user ID, group ID, permissions, and file type are reported.
- authck: The authck program checks both the overall structure and internal field consistency of all components of the authentication database and reports all problems that it finds.
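A simplified attribute checker in the spirit of fverify, added here as an illustration and not Digital's own code: the record layout (path, size, SHA-256, user ID, group ID, octal mode, type code) and the sample file names are constructed for this example and are not the real subset inventory format.

```python
import hashlib
import os
import stat
import tempfile

FIELDS = ("size", "checksum", "user ID", "group ID", "permissions", "file type")

def file_type(mode):
    # One-letter type code; this inventory layout is constructed for the example, not Digital's
    return "d" if stat.S_ISDIR(mode) else "l" if stat.S_ISLNK(mode) else "f" if stat.S_ISREG(mode) else "?"

def build_record(root, relpath):
    # Record: path size sha256 uid gid mode(octal) type; SHA-256 stands in for the real checksum
    full = os.path.join(root, relpath)
    st = os.lstat(full)
    digest = hashlib.sha256(open(full, "rb").read()).hexdigest() if stat.S_ISREG(st.st_mode) else "-"
    return f"{relpath} {st.st_size} {digest} {st.st_uid} {st.st_gid} {stat.S_IMODE(st.st_mode):o} {file_type(st.st_mode)}"

def verify_records(records, root):
    """Return (path, problem) pairs: missing files plus every recorded attribute that differs."""
    problems = []
    for line in records.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and comments in the inventory
        path, *expected = line.split()
        if not os.path.lexists(os.path.join(root, path)):
            problems.append((path, "missing"))
            continue
        actual = build_record(root, path).split()[1:]
        problems.extend((path, name) for name, e, a in zip(FIELDS, expected, actual) if e != a)
    return problems

def demo():
    # Constructed scenario: inventory three files, then alter two of them and remove the third
    root = tempfile.mkdtemp()
    names = ("ls", "passwd", "login")
    for name in names:
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"original contents of " + name.encode())
        os.chmod(os.path.join(root, name), 0o755)
    inventory = "\n".join(build_record(root, n) for n in names)
    with open(os.path.join(root, "ls"), "ab") as f:
        f.write(b"X")                              # size and checksum now differ
    os.chmod(os.path.join(root, "passwd"), 0o700)  # permissions now differ
    os.remove(os.path.join(root, "login"))         # file now missing
    return verify_records(inventory, root)

if __name__ == "__main__":
    for path, problem in demo():
        print(f"{path}: {problem}")
```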
The Digital UNIX Version 4.0 operating system provides system administrators with tools that make administering system security easier.
System administrators can select the security level associated with their system. The default security level consists of object reuse and DAC; by running the secsetup command, system administrators can select enhanced security features. The audit subsystem and ACL subsystem are configurable at kernel link time, regardless of the security level of the system.
Three GUIs are provided to deal with the day-to-day security administration on the local machine.
Based on OSF/Motif, the enhanced security version of the dxaccounts utility (Account Manager under the CDE-based system administration utilities) is used to create and modify user accounts, modify system defaults, and set the audit mask for users.
The dxaudit GUI controls the administration of the audit system and the generation of audit reports. Administrators can configure the audit subsystem without installing additional enhanced security features.
The dxdevices GUI is used to configure secure devices.
The old XSysAdmin and XIsso interfaces are provided for compatibility and will be retired in a future release.
For more information, see the dxaccounts(8X), dxaudit(8X), and dxdevices(8X) reference pages.
Digital UNIX Version 4.0 supports some features not available in other OSF-based UNIX operating systems.
All security mechanisms that run on the Digital UNIX Version 4.0 operating system run under the Security Integration Architecture (SIA) layer. The SIA allows you to layer various local and distributed security authentication mechanisms onto Digital UNIX Version 4.0 with no modification to the security-sensitive Digital UNIX Version 4.0 commands, such as login, su, and passwd. The SIA isolates the security-sensitive commands from the specific security mechanisms, thus eliminating the need to modify them for each new security mechanism. See the Security manual for further details.
Through the use of a middle-layer interface, the Security Integration Architecture (SIA), Digital UNIX Version 4.0 allows use of the secsetup command to toggle back and forth between the secure and the nonsecure commands and utilities.
Digital provides support for accessing NIS distributed databases while running enhanced security.
Users on a Digital UNIX Version 4.0 enhanced security system can, for example, use the ypcat passwd command to gather information about users on the network; however, the user's encrypted password in the NIS distributed password database is not the same as the encrypted password on the secure system, which cannot be viewed by unprivileged users.
In addition, on a Digital UNIX Version 4.0 system running enhanced security, NIS can be used to distribute the enhanced security protected password database as well.
The SIA interface provides support for Digital's networking software, DECnet.
Through the SIA, Digital UNIX Version 4.0, when configured for enhanced security, allows you to enter both your system password and your DCE password at login time. You do not have to log in to the Digital UNIX Version 4.0 secure system and then log in again to DCE.
Digital UNIX Version 4.0 supports the secsetup configuration and setup script, which allows you to select the security level you wish to run, permits you to toggle back and forth between secure and nonsecure commands and utilities, and configures security at boot time depending upon the value of the SECURITY variable in the /etc/rc.config file.
Digital UNIX Version 4.0 provides the dxaccounts, dxaudit, and dxdevices utilities, which permit the creation and modification of user accounts, modification of system defaults, and management of all of the audit interfaces and devices.
With all security options configured and running (including auditing), Digital UNIX Version 4.0 shows a performance degradation of only 3%. With auditing turned off, there is no measurable performance degradation. With enhanced security configured but not turned on, there is no performance degradation whatsoever.
Under normal usage, ACLs do not significantly degrade performance.
For more information on security, see the Security manual.