| Title and Copyright Information |
| About This Manual |
| Audience |
| New and Changed Features |
| Organization |
| Related Documentation |
| Reader's Comments |
| Conventions |
| 1 | Identification, Authentication, and Authorization |
| 1.1 | Authentication Overview |
| 1.2 | Authentication Implementations |
| 1.2.1 | Password Authentication |
| 1.2.2 | Host-Based Authentication |
| 1.2.3 | Public Key Authentication |
| 1.2.3.1 | Digital Signatures and Certificates |
| 1.2.4 | Secret Key Authentication |
| 1.2.5 | Encryption Methods |
| 1.3 | Local Authentication Methods |
| 1.3.1 | Base (BSD) Mechanism |
| 1.3.2 | Enhanced Security Mechanism |
| 1.3.2.1 | Login Control Enhancements |
| 1.3.2.2 | Password Enhancements |
| 1.4 | Remote Authentication Methods |
| 1.4.1 | NIS Protocol |
| 1.4.2 | LDAP Mechanism |
| 1.4.3 | Secure Shell Application |
| 1.4.4 | SSO/Kerberos Mechanism |
| 1.4.5 | Advanced Server for UNIX (ASU) |
| 1.4.6 | IPsec Protocol |
| 1.4.7 | SSL, CDSA, and GSS APIs |
| 1.5 | Security Integration Architecture Overview |
| 1.5.1 | SIA and User Change Routines |
| 1.5.2 | Configuring SIA |
| 1.5.2.1 | SIA Mechanism Initialization |
| 1.5.2.2 | Adding an SIA Mechanism |
| 1.5.2.3 | Removing an SIA Mechanism |
| 1.5.3 | SIA Logging |
| 2 | Securing System Resources |
| 2.1 | Access Control Overview |
| 2.2 | Tru64 UNIX Permissions |
| 2.2.1 | Displaying Tru64 UNIX File and Directory Permissions |
| 2.2.2 | Setting File and Directory Permissions (chmod) |
| 2.2.2.1 | Specifying Permissions with Letters and Operation Symbols |
| 2.2.2.1.1 | Changing File Permissions |
| 2.2.2.1.2 | Changing Directory Permissions |
| 2.2.2.1.3 | Using Pattern-Matching Characters |
| 2.2.2.1.4 | Setting Absolute Permissions |
| 2.2.2.2 | Specifying Permissions with Octal Numbers |
| 2.2.3 | Setting Default Permissions |
| 2.2.3.1 | Setting the User Mask |
| 2.3 | Access Control Lists (ACLs) |
| 2.3.1 | Enabling and Disabling ACLs |
| 2.3.1.1 | Enabling ACLs on NFS |
| 2.3.2 | ACL Structure |
| 2.3.3 | Access Checking with ACLs |
| 2.3.4 | ACL Inheritance |
| 2.3.4.1 | ACL Inheritance Examples |
| 2.3.5 | Managing ACLs |
| 2.3.5.1 | Using the dxsetacl Interface |
| 2.3.5.2 | Using the getacl Command |
| 2.3.5.3 | Using the setacl Command |
| 2.3.6 | ACL Interaction with Commands and Applications |
| 2.3.6.1 | The pax and tar Commands |
| 2.3.6.2 | Archiving Commands |
| 3 | Auditing the System |
| 3.1 | Auditing Overview |
| 3.1.1 | Audit Files |
| 3.1.2 | Audit Tools |
| 3.1.2.1 | Command-Line Interface |
| 3.1.2.2 | Graphical Interface |
| 3.1.3 | Audit Masks |
| 3.1.3.1 | System Calls |
| 3.1.3.2 | Trusted Events |
| 3.1.3.3 | Site-Defined Events |
| 3.1.3.4 | Event Alias |
| 3.1.4 | Audit Records |
| 3.1.4.1 | Additional Entries in Audit Records |
| 3.2 | Configuring the Audit Subsystem |
| 3.2.1 | Centralizing Audit Data Storage |
| 3.2.1.1 | Configuring Centralized Audit Data Storage on the Audit Hub |
| 3.2.1.2 | Configuring Remote System Audit Data Storage on an Audit Hub |
| 3.3 | Managing the Audit Subsystem |
| 3.3.1 | Changing the Audit Subsystem Startup Defaults |
| 3.3.2 | Starting, Stopping, and Suspending the Audit Daemon |
| 3.3.3 | Archiving Audit Logs |
| 3.3.4 | Recovering Audit Data |
| 3.4 | Managing Audit Events |
| 3.4.1 | Displaying the Audit Mask |
| 3.4.2 | Identifying Events that can be Audited on the System |
| 3.4.3 | Enabling Audit Events |
| 3.4.4 | Disabling Audit Events |
| 3.4.5 | Tracing a Process |
| 3.4.5.1 | Displaying Trace Process Data |
| 3.4.5.2 | Auditing Active Processes |
| 3.4.5.3 | Dynamically Auditing Additional System Call Arguments |
| 3.4.6 | Auditing File Operations |
| 3.5 | Generating and Displaying Audit Reports |
| 3.5.1 | Filtering Audit Records |
| 3.5.2 | Displaying Abbreviated Audit Records |
| 3.5.3 | Dependencies Among Audit Events |
| 3.6 | Traditional UNIX Logging Tools |
| 3.7 | Auditing in a TruCluster |
| 3.7.1 | Cluster Command Examples |
| 3.8 | Responding to Audit Reports |
| A | Enhanced Security |
| A.1 | Installing Enhanced Security |
| A.2 | Enabling Enhanced Security |
| A.2.1 | Enabling Enhanced Security Considerations |
| A.2.1.1 | Using NIS |
| A.2.1.2 | Segment Sharing |
| A.2.1.3 | Execute Bit Set Only By Root |
| A.2.2 | Configuring Enhanced Security |
| A.2.2.1 | Aging |
| A.2.2.2 | Minimum Change Time |
| A.2.2.3 | Changing Controls |
| A.2.2.4 | Maximum Login Attempts |
| A.2.2.5 | Time Between Login Attempts |
| A.2.2.6 | Time Between Logins |
| A.2.2.7 | Per-Terminal Login Records |
| A.2.2.8 | Successful Login Logging |
| A.2.2.9 | Failed Login Logging |
| A.2.2.10 | Automatic Enhanced Profile Creation |
| A.2.2.11 | Vouching |
| A.2.2.12 | Encryption |
| A.3 | Enhanced Security Databases |
| A.3.1 | Enhanced (Protected) Password Database |
| A.3.2 | System Defaults Database |
| A.3.3 | Terminal Control Database |
| A.3.4 | File Control Database |
| A.3.5 | Device Assignment Database |
| A.4 | Enhanced Security Database Management Utilities |
| A.5 | Enhanced Security and Authenticating Users |
| A.5.1 | User Profiles |
| A.5.1.1 | Recovery of /etc/passwd Information |
| A.5.2 | Enhanced Security Authentication Database Integrity Checking |
| A.5.3 | Adding Applications to the File Control Database |
| A.6 | Enhanced Security and NIS |
| A.6.1 | Templates for NIS Accounts |
| A.6.2 | Configure a NIS Master with Enhanced Security |
| A.6.2.1 | Manual Procedure: Maps for Small User Account Databases |
| A.6.2.2 | Automated Procedure: Maps for Large User Account Databases |
| A.6.3 | Setting Up a NIS Slave Server with Enhanced Security |
| A.6.4 | Setting Up a NIS Client with Enhanced Security |
| A.6.5 | Moving Local Accounts to NIS |
| A.6.6 | Removing NIS Support |
| A.6.7 | Implementation Notes |
| A.6.8 | Troubleshooting NIS |
| A.7 | Enhanced Security in a TruCluster |
| A.7.1 | Upgrading from Base to Enhanced Security in a TruCluster |
| A.7.2 | Installing and Configuring Enhanced Security in a TruCluster |
| A.7.3 | Access Control Lists |
| A.7.4 | Distributed Logins and NIS |
| A.7.5 | Daemons |
| A.8 | Securing Devices |
| A.8.1 | Device Security Characteristics |
| A.8.1.1 | Modifying, Adding, and Removing Devices with the dxdevices Program |
| A.8.1.2 | Setting Default Values with the dxdevices Program |
| A.8.2 | Updating Security Databases |
| A.9 | Enhanced Security Troubleshooting |
| A.9.1 | Lock Files |
| A.9.2 | Required Files and File Contents |
| A.9.2.1 | The /tcb/files/auth.db Database |
| A.9.2.2 | The /etc/auth/system/ttys.db File |
| A.9.2.3 | The /etc/auth/system/default File |
| A.9.2.4 | The /etc/auth/system/devassign File |
| A.9.2.5 | The /etc/passwd File |
| A.9.2.6 | The /etc/group File |
| A.9.2.7 | The /sbin/rc[023] Files |
| A.9.2.8 | The /dev/console File |
| A.9.2.9 | The /dev/pts/* and /dev/tty* Files |
| A.9.2.10 | The /sbin/sulogin File |
| A.9.2.11 | The /sbin/sh File |
| A.9.2.12 | The /vmunix File |
| A.9.3 | Problems Logging In or Changing Passwords |
| B | Secure Shell |
| B.1 | Secure Shell Servers and Clients |
| B.2 | Secure Shell Overview |
| B.3 | Configuring the Secure Shell Server and Client |
| B.3.1 | Configuring the Server |
| B.3.2 | Configuring the Client |
| B.4 | Configuring Nonsecure Network Commands to Use Secure Shell |
| B.5 | Configuring Secure Shell User Authentication |
| B.5.1 | Configuring Password Authentication |
| B.5.2 | Configuring Public Key Authentication |
| B.5.2.1 | Configuring Public Key Authentication on the Client |
| B.5.2.2 | Configuring Public Key Authentication on the Server |
| B.5.2.3 | Accessing a Remote Server |
| B.5.2.4 | Restricting User Access |
| B.5.2.5 | Managing Passphrases |
| B.5.3 | Configuring Host-Based Authentication |
| B.6 | Managing the Secure Shell Server |
| B.6.1 | Starting, Stopping, Restarting, and Resetting the sshd2 Daemon |
| B.6.2 | Restricting Users to Home Directories |
| B.6.3 | Creating a Public and Private Host Key |
| B.6.4 | Forwarding TCP/IP Ports and X11 Data Through a Secure Shell Connection |
| B.6.4.1 | TCP/IP Port Forwarding |
| B.6.4.2 | X11 Forwarding |
| B.7 | Using the Secure Shell Commands |
| B.7.1 | Copying Files Between Clients and Servers |
| B.7.1.1 | Using the scp2 Command |
| B.7.1.2 | Using the sftp2 Command |
| B.7.2 | Logging In and Executing Commands on a Server |
| C | Single Sign On |
| C.1 | Kerberos Servers and Clients |
| C.2 | Kerberos Authentication Process |
| C.3 | Upgrading the SSO Software |
| C.4 | Installing and Configuring the SSO Software |
| C.4.1 | Installing and Configuring the SSO Software on the Windows 2000 System |
| C.4.1.1 | Extending the Active Directory Schema |
| C.4.1.2 | Updating the MMC |
| C.4.2 | Installing and Configuring the SSO Software on the Tru64 UNIX System |
| C.4.2.1 | Configuring the SSO Software |
| C.4.2.2 | Configuring the SSO Software in a TruCluster Server Environment |
| C.4.2.3 | Adding Other SIA Mechanisms with Kerberos (if required) |
| C.5 | SSO Configuration Files on Tru64 UNIX |
| C.5.1 | The krb.conf File |
| C.5.2 | The krb.realms File |
| C.5.3 | The v5srvtab File |
| C.5.4 | The .k5login File |
| C.5.5 | The ldapcd.conf File |
| C.5.6 | The ldapusers.deny File |
| C.6 | Creating Accounts and Groups |
| C.6.1 | Creating a User Account |
| C.6.1.1 | Creating a User Account Using the Tru64 UNIX creacct Command |
| C.6.1.2 | Creating a User Account Using the MMC Interface |
| C.6.2 | Setting a Principal's Password |
| C.6.3 | Creating a Computer Account |
| C.6.4 | Creating a Group |
| C.7 | Managing the SSO Software |
| C.7.1 | Requesting Tickets |
| C.7.2 | Displaying Tickets |
| C.7.3 | Removing the Credential Cache |
| C.7.4 | Managing the Service Key Table |
| C.8 | Troubleshooting the SSO Software |
| C.8.1 | SSO Configuration Problems |
| C.8.2 | Problems Using the kinit Command or Obtaining an Initial Ticket on Tru64 UNIX |
| C.8.3 | Password Prompting on Tru64 UNIX |
| C.8.4 | Problems with SSO in a TruCluster |
| D | Lightweight Directory Access Protocol |
| D.1 | LDAP Overview |
| D.2 | Installing the Tru64 UNIX LDAP Client Software |
| D.3 | Configuring the Tru64 UNIX LDAP Client Software |
| D.3.1 | Updating the ldapcd.conf File |
| D.3.2 | Setting the LDAP Runtime Configuration Variable |
| D.4 | Managing the LDAP Client Daemon |
| D.5 | Managing Access Control |
| D.5.1 | The ldapusers.deny File |
| D.5.2 | The ldapusers.allow File |
| E | C2 Level Security Configuration |
| E.1 | Establishing a Security Policy |
| E.2 | Minimum C2 Configuration |
| E.3 | Initial Configuration |
| E.3.1 | General Configuration |
| E.3.2 | Enhanced Passwords and Authentication Using secconfig |
| E.3.3 | Libraries |
| E.3.4 | Account Prototypes and Templates |
| E.3.5 | Configuring the Audit Subsystem |
| E.3.6 | Verifying That Your Installation Is Secure |
| E.3.7 | Configuring Network Security |
| E.3.8 | Postinstallation Security Configuration |
| E.3.8.1 | umask for Remote Access |
| E.3.8.2 | Devices |
| E.3.8.3 | Accounts |
| E.3.8.4 | Root Access |
| E.3.9 | Network Configuration |
| E.4 | Physical Security |
| E.5 | Applications |
| E.6 | Periodic Security Administration Procedures |
| E.7 | Reference Documents and Verification Tools |
| Glossary |
| Examples |
| 1-1 | Default /etc/sia/matrix.conf File |
| 1-2 | Sample /var/adm/sialog File |
| 2-1 | Setting Octal Permissions |
| 2-2 | Displaying the ACL for a File |
| 2-3 | Setting the ACL on a File |
| 3-1 | Sample Active Auditing Session |
| B-1 | Sample sshd2_config File |
| B-2 | Sample ssh2_config File |
| B-3 | Public Key Authentication Login Output |
| C-1 | Sample krb.conf File |
| C-2 | Sample krb.realms File |
| C-3 | Sample .k5login File |
| C-4 | Sample ldapcd.conf File |
| C-5 | Sample /etc/ldapusers.deny File |
| D-1 | Sample ldapcd.conf File |
| D-2 | Default ldapusers.deny File |
| Figures |
| 1-1 | Security Integration Architecture |
| 2-1 | Tru64 UNIX File Permission Fields |
| 3-1 | The Audit Subsystem |
| 3-2 | Audit Data Flow in a Cluster |
| A-1 | NIS and Enhanced Security Files |
| C-1 | New Object — User Window: Required Information |
| C-2 | New Object — User Window: Password Information |
| C-3 | Tru64 UNIX User Properties Dialog Box |
| C-4 | Group Properties Dialog Box |
| Tables |
| 1-1 | Comparing Authentication Methods |
| 1-2 | Secure Shell Commands |
| 2-1 | Tru64 UNIX Permission Codes |
| 2-2 | Octal Permission Combinations |
| 2-3 | How Octal Numbers Relate to Permission Fields |
| 2-4 | User Mask Permission Combinations |
| 2-5 | Example ACL Entries |
| 3-1 | System Calls Not Always Audited |
| 3-2 | State-Dependent Information |
| 3-3 | Traditional UNIX Log Files in /var/adm |
| A-1 | Enhanced Security Databases |
| A-2 | NIS Troubleshooting |
| B-1 | Traditional Nonsecure Network Commands and Secure Shell Commands |
| C-1 | SSO Configuration Files |
| C-2 | Caching Parameters |
| Index |