6 Standard Mode Security Extensions

This chapter describes the Standard Mode Security Extensions features of HP-UX 11i Security Containment. This chapter addresses the following topics:

“Overview”

“Security Attributes and the User Database”

“Auditing”

Overview

HP-UX Standard Mode Security Extensions (HP-UX SMSE) is a group of features that combine to enhance both user and operating system security for HP-UX 11i v2. Starting with the HP-UX 11i Version 2 September 2004 update (or later), HP-UX SMSE includes enhancements or changes to the HP-UX auditing system, passwords, and logins for systems in standard mode. Previously, these features were supported only on systems converted to trusted mode. With HP-UX SMSE, you can use these features on a standard mode system.

NOTE: HP-UX SMSE makes available in standard mode many account and password policies that were previously available only by converting an HP-UX system to trusted mode. Policies configured with HP-UX SMSE are not enforced on systems running in trusted mode, so HP does not recommend using HP-UX SMSE on a system running in trusted mode.

To determine whether a system has been converted to trusted mode, check for the following file:

/tcb/files/auth/system/default

If this file exists, the system is running in trusted mode. To convert the system back to standard mode, use the sam(1M) command.
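Because SMSE per-user policies are silently not enforced in trusted mode, a practitioner will want to check the mode before running userdbset(1M) and assuming the attribute took effect. The following POSIX shell script is an added example, not code from the HP manual: it wraps the file check described above in two functions. The ROOT argument is a hypothetical parameter, present only so the check can be exercised against a scratch directory; on a live system call the functions with "/" or no argument.

```shell
#!/bin/sh
# Added example (not from the HP-UX manual): detect whether an HP-UX 11i v2
# system has been converted to trusted mode before relying on SMSE
# per-user policies, which are not enforced in trusted mode.
# The ROOT argument is a hypothetical parameter so the check can be run
# against a scratch directory; on a real system use "/" (the default).

TCB_DEFAULT="tcb/files/auth/system/default"

# Print "trusted" if the trusted-mode database exists under ROOT,
# otherwise print "standard".
hpux_security_mode() {
    root="${1:-/}"
    if [ -f "${root%/}/$TCB_DEFAULT" ]; then
        echo trusted
    else
        echo standard
    fi
}

# Return 0 only when SMSE policies will be enforced (standard mode).
# In trusted mode, print a warning and return 1 so a caller can abort
# instead of configuring a policy that will never take effect.
require_standard_mode() {
    mode=$(hpux_security_mode "$1")
    if [ "$mode" != standard ]; then
        echo "system is in trusted mode: SMSE per-user policies are not enforced; convert with sam(1M) first" >&2
        return 1
    fi
    return 0
}

# Typical use on a live system (attribute names are as listed in security(4)
# and the command syntax as in userdbset(1M)):
#   require_standard_mode / && /usr/sbin/userdbset -u "$user" attribute=value
```

The guard is deliberately conservative: any non-standard result blocks the change, because a policy that the administrator believes is in force but is not is worse than an aborted script.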

Refer to security(4) for more information on configurations supported with each of the HP-UX SMSE security features.

The following new feature is included in HP-UX SMSE:

User Database
Previously, all HP-UX security attributes and password policy restrictions were set on a systemwide basis. The user database enables you to set security attributes on a per-user basis; a per-user setting overrides the systemwide default for that attribute.

The following trusted mode features are available in standard mode with HP-UX SMSE:

Audit all users and events on a system

Display the last successful and unsuccessful user logins

Lock a user account if there are too many authentication failures

Display password history

Expire inactive accounts

Prevent users from logging in with a null password

Restrict user logins to specific time periods

The following new features are included in HP-UX SMSE Version B.11.23.02:

When used in conjunction with HP-UX RBAC Version B.11.23.04, usage of the userdbset command can be restricted based on a user’s authorizations. See userdbset(1M) for more information.

The userstat command displays the account status of local users. It checks the status of local user accounts and reports abnormal conditions, such as account locks. See userstat(1M) for more information.

HP-UX 11i Role-based Access Control (RBAC) Software manual, Standard Mode Security Extensions, Overview