Features
HP-UX 11i Security Containment Version B.11.23.02 includes the following components:
•Compartments
Compartments isolate unrelated resources on a system, to prevent catastrophic damage to the system if one compartment is penetrated.
When configured in a compartment, an application has restricted access to resources (processes, binaries, data files, and communication channels used) outside its compartment. This restriction is enforced by the HP-UX kernel and cannot be overridden unless specifically configured to do so. If the application is compromised, it will not be able to damage other parts of the system because it is isolated by the compartment configuration.
•Fine-Grained Privileges
Traditional UNIX operating systems grant "all or nothing" administrative privileges based on the effective UID of the process that is running. If the process is running with the effective UID=0, it is granted all privileges. With fine-grained privileges, processes are granted only the privileges needed for the task and, optionally, only for the time needed to complete the task. Applications that are privilege-aware can elevate their privilege to the required level for the operation and lower it after the operation completes.
•HP-UX Role-Based Access Control (HP-UX RBAC)
Typical UNIX system administration commands must be run by a superuser (root user). Similar to kernel level system call access, access is usually "all or nothing" based on the user's effective UID. HP-UX Role-Based Access Control (HP-UX RBAC) enables you to group common or related tasks into a role. For example, a common role might be User and Group Administration. Once the role is created, users are assigned a role or set of roles that enables them to run the commands defined by those roles.
When you implement HP-UX RBAC, you enable non-root users to perform tasks previously requiring root privileges, without granting those users complete root privileges.
For more information about HP-UX RBAC, refer to the HP-UXRole-Based Access Control B.11.23.04 Release Notes.
•HP-UX Standard Mode Security Extensions (SMSE)
In addition to the new Security Containment features, HP-UX 11i v2 has been enhanced to support the following security features, previously available only in trusted mode:
—Audit
The HP-UX auditing system records security-related events for analysis. Administrators use auditing to detect and analyze security breaches. Auditing is now available on standard mode HP-UX systems; it was previously available only on trusted mode systems.
—User Database
Previously, all Standard Mode HP-UX security attributes and password policy restrictions were set on a systemwide basis. The introduction of the user database enables you to set security attributes on a per-user basis that overrides systemwide defaults.
You can use the user database to enforce the following security measures:
◦Lock a user account after a specified number of authentication failures
◦Display the last successful and unsuccessful login
◦Maintain a password history
◦Expire inactive user accounts
◦Prevent users from logging in with a null password
◦Restrict users to logging in only during specified time periods
