7    Security

This chapter looks at the security features provided by Tru64 UNIX. The first section provides a brief security overview (Section 7.1), after which the following topics are discussed:

• Identification , authentication, and authorization (Section 7.2)

• Discretionary access controls (Section 7.3)

• The Audit subsystem (Section 7.4)

• Object reuse (Section 7.5)

• The protected environment for trusted components (Section 7.6)

• Integrity features (Section 7.7)

7.1    Overview

Identification, authentication, and authorization are the building blocks to system security. System security is built by creating a security policy that specifies your systems's level of trust with other systems within a local and a remote network and between users and applications (entities) wanting to access resources on your system.

To fully trust an entity seeking to access resources on your system, your system must identify the entity and the entity must authenticate itself to the system. Once the entity is identified and authenticated, the system will enforce the rules that determine which resources the entity is authorized to access.

Tru64 UNIX supports a range of security mechanisms that provide identification, authentication, and authorization services. It also provides an audit subsystem so you can audit and monitor the activity on your system.

You can use the command line to administer all security identification, authentication, and authorization components or you can use the SysMan interface to administer most of the components.

For detailed information about Tru64 UNIX security, see the following manuals:

• Security Administration

• Security Programming

• Command and Shell User's Guide, which contains information for general users

7.2    Identification, Authentication, and Authorization

Tru64 UNIX supports the use of the following security mechanisms to implement a security policy that will create a security domain with varying levels of trust for local system access, local network access, and remote network access:

• Local system access

  • Base (BSD) Security

  • Enhanced Security

• Local network access

  • Secure Shell

  • Common Desktop Security Architecture (CDSA)

  • IPsec

  • Secure Socket Layer (SSL)

  • Single Sign-on (SSO)/Kerberos

  • Lightweight Directory Access Protocol (LDAP)

  • Network Information Services (NIS)

• Remote network access

  • Secure Shell

  • CDSA

  • IPsec

  • SSL

  • Single Sign-on (SSO)/Kerberos

You can configure Tru64 UNIX to implement multiple security mechanisms — with each mechanism defining its own rules for identification and authentication and the level of trust the mechanism requires before authenticating the entity. The Security Integration Architecture (SIA) manages the order in which security mechanisms are used.

See the Security Administration manual for information about security mechanisms an SIA.

7.3    Discretionary Access Controls

Discretionary access controls (DACs) provide the capability for users to define how the resources they create can be shared. The traditional UNIX permission bits provide this capability.

Tru64 UNIX also provides optional access control lists (ACLs) for object protection at the individual user level. ACLs are supported under the UFS, NFS, and AdvFS file systems. To simplify ACL management, an ACL GUI, named dxsetacl is available in addition to the command line interface.

7.4    Audit Subsystem

The audit subsystem records system events, such as file opens, file creations, logins, and print jobs submitted. Each event is stamped with an immutable audit ID (AUID) of the user who created it, which allows all actions to be traced directly to a user. Users have no direct interaction with the audit subsystem.

The following audit features are provided:

• A graphical interface, audit_setup, to simplify system auditing

• Command-line interfaces

• The ability to send audit logs to a remote host

• Event profiles allowing simplified configuration based on system type

• Fine-grained preselection of system events, application events, and site-definable events

• Fine-grained postanalysis of system events, application events, and site-definable events

• Optional automated audited log cleanup

• The dxaudit GUI

When used with enhanced security, auditing includes support for a per-user audit characteristics profile with enhanced identification and authorization. The audit system is set up through SysMan or by using the audit_setup utility from the command line. Maintenance for the audit system is done from the command line or with the dxaudit GUI.

7.5    Object Reuse

Object reuse ensures that the following types of physical storage (memory or disk space) is cleared ("scrubbed."):

• Physical storage that is assigned to shared objects

• Physical storage that is released prior to reassignment to another user

Examples of object reuse are disk space that is released after a file is truncated or physical memory that is released prior to reassignment to another user to read.

7.6    Protected Environment for Trusted Components

Tru64 UNIX uses hardware memory management to maintain a kernel address space for itself and to maintain separate address spaces for each instance of an executing application process. Processes may try to write to the same address space. DACs control the sharing of this address space among processes; the default is to disallow sharing.

The administrator can disable the sharing of sections as read-only address space; for example, shared libraries. Thus, the security-relevant components of the system (the trusted computing base, or TCB) are protected while they execute.

Tru64 UNIX protects the on-disk security components using discretionary access control. Attempted violations of the DAC protections can be audited so that remedial action can be taken by the system security officer.

In addition, the security components are structured into well defined, largely independent modules.

Tru64 UNIX is designed, developed, and maintained under a configuration management system that controls changes to the specifications, documentation, source code, object code, hardware, firmware, and test suites. Tools, which are also maintained under configuration control, are provided to control and automate the generation of new versions of the security components from source code and to verify that the correct versions of the source have been incorporated into the new version.

The master copies of all material used to generate the security components are protected from unauthorized modification or destruction.

7.7    Integrity Features

Tru64 UNIX provides the capability to validate the correct operation of hardware, firmware, and software security components. The firmware includes power-on diagnostics and more extensive diagnostics that optionally can be enabled. The firmware itself resides in EEPROM and can be physically write protected. It also can be compared against, or reloaded from, an offline master copy. Additional hardware diagnostics can be used also.

The firmware can require authorization to load any operating software other than the default or to execute privileged console monitor commands that examine or modify memory.

Once the operating system is loaded, administrators can run system diagnostics to validate the correct operation of the hardware and software. In addition, test suites are available to ensure the correct operation of the operating system software.

The following tools can be run automatically to detect inconsistencies in the security software and databases:

• fverify

  This utility reads subset inventory records from standard input and verifies that the attributes for the files on the system match the attributes listed in the corresponding records. Missing files and inconsistencies in file size, checksum, user ID, group ID, permissions, and file type are reported.

• authck utility

  This utility checks both the overall structure and internal field consistency of all components of the authentication database and reports problems that it finds.