
FORUM TOPICS HP-UX UNIX Security Sharing files in HP-UX UNIX with Windows ExcaliburEDGE Password Validation.


Presentation on theme: "FORUM TOPICS HP-UX UNIX Security Sharing files in HP-UX UNIX with Windows ExcaliburEDGE Password Validation."— Presentation transcript:

2 FORUM TOPICS HP-UX UNIX Security Sharing files in HP-UX UNIX with Windows ExcaliburEDGE Password Validation

3 Presenter Rod Hunley Excalibur Systems Support Manager P2 Energy Solutions

4 STS Staff Tony Castillo Jim Cannon Rod Hunley Byron Ward Kham Laychaypha

5 OVERVIEW
HP-UX UNIX Security
  Importance of security
  Definitions
  HP-UX with un-trusted mode
  HP-UX with shadow passwords
  HP-UX with TCB (trusted mode)
  HP-UX & PAM/NTLM
  HP-UX & TCB & PAM/NTLM
Sharing files in HP-UX UNIX with Windows
  SAMBA
  CIFS/9000

6 OVERVIEW
ExcaliburEDGE Password Validation
  Setups
  Password Validation Options
References

7 HP-UX UNIX Security
Importance of security
  Protect corporate information from:
    – theft, corruption, or unauthorized access
  Comply with internal IT standards
  Comply with Sarbanes-Oxley (SOX) audits

8 HP-UX UNIX Security
Definitions
What is a login?
  The UNIX program which reads and verifies a user's user name and password and starts an interactive session
Why is a user name important?
  Only authenticated users are allowed access to the UNIX server
  Access to programs/files is based on user names and groups
How does the verification work?
  The entered user name is compared to a list of names in a system file, and then the entered password is compared to the encrypted password stored in a system file

9 HP-UX UNIX Security
HP-UX (un-trusted mode)
Un-trusted mode
  Standard delivery on HP-UX servers
Concept
  Authenticate & validate against /etc/passwd file

10 HP-UX UNIX Security
HP-UX (un-trusted mode)
/etc/passwd file structure (colon delimited)
  username
  encrypted password
  user number
  group number
  4 optional text fields separated by commas
  user's home directory
  startup shell

11 HP-UX UNIX Security
#cat /etc/passwd
root:/.57wLPQp2cV6:0:3::/:/sbin/ksh
rootlike:/.57wLPQp2cV6:0:3::/:/sbin/ksh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico

12 HP-UX UNIX Security
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
nobody:*:-2:-2::/:
www:*:30:1::/:
webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
smbnull:*:101:101:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
opc_op:*:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
unidata:CuRdujgUu53qA:200:200:,,,:/home/unidata:/usr/bin/ksh

13 HP-UX UNIX Security
HP-UX (un-trusted mode)
Ownership & permissions of important files
Issues with this security setup
  Encrypted password is in a world readable file
  Possible that file would be read and passwords cracked
#ls -la /etc/passwd
-r--r--r-- 1 root sys 818 Aug 20 15:39 /etc/passwd

14 HP-UX UNIX Security
HP-UX with shadow passwords
Concept
  Move encrypted passwords to a file that is secure
Requirements
  HP-UX 11.11(i) only
Implementation
  Install HP supplied software bundle
  Run conversion program
  Reboot

15 HP-UX UNIX Security
HP-UX with shadow passwords
Verification of a shadow password bundle installation
#swlist
# Initializing...
# Contacting target "siafu.petroleumplace.com"...
#
# Target: siafu.petroleumplace.com:/
#
#
# Bundle(s):
#...
ShadowPassword B HP-UX Shadow Password Bundle

16 HP-UX UNIX Security
HP-UX with shadow passwords
Structure of /etc/passwd with shadow passwords
  Encrypted password is moved and replaced with an x
#cat /etc/passwd (after conversion)
root:x:0:3::/:/sbin/ksh
rootlike:x:0:3::/:/sbin/ksh
daemon:x:1:5::/:/sbin/sh
bin:x:2:2::/usr/bin:/sbin/sh
sys:x:3:3::/:
adm:x:4:4::/var/adm:/sbin/sh
uucp:x:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:x:9:7::/var/spool/lp:/sbin/sh
nuucp:x:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:x:27:1:ALLBASE:/:/sbin/sh
nobody:x:-2:-2::/:
www:x:30:1::/:
webadmin:x:40:1::/usr/obam/server/nologindir:/usr/bin/false
smbnull:x:101:101:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
opc_op:x:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
unidata:x:200:200:,,,:/home/unidata:/usr/bin/ksh
#ls -la /etc/passwd
-r--r--r-- 1 root sys 818 Aug 20 15:39 /etc/passwd

17 HP-UX UNIX Security
#ls -la /etc/shadow
-r root sys 470 Aug 20 15:39 /etc/shadow
#cat /etc/shadow
root:/.57wLPQp2cV6:12650::::::
rootlike:/.57wLPQp2cV6:12650::::::
daemon:*:12650::::::
bin:*:12650::::::
sys:*:12650::::::
adm:*:12650::::::
uucp:*:12650::::::
lp:*:12650::::::
nuucp:*:12650::::::
hpdb:*:12650::::::
nobody:*:12650::::::
www:*:12650::::::
webadmin:*:12650::::::
smbnull:*:12650::::::
opc_op:*:12650::::::
unidata:CuRdujgUu53qA:12650::::::

18 HP-UX UNIX Security HP-UX with TCB (Trusted Mode) What is TCB? The Hewlett-Packard C2-level trusted system consists of the HP-UX operating system configured in trusted mode and its commands, utilities, and subsystems along with supported hardware. This results in a system designed to meet the criteria of a C2-level trusted system, as described in Section 2.2 of the Department of Defense Trusted Computer System Evaluation Criteria, DOD STD, December 1985, and the E3/FC2 security level as defined by the Information Technology Security Evaluation Criteria (ITSEC) established by the European Community.

19 HP-UX UNIX Security
HP-UX with TCB (Trusted Mode)
Why is TCB better than an un-trusted system or a shadow password system?
  Provides more stringent password authentication and system auditing
  Terminal access control
  Time-based access controls

20 HP-UX UNIX Security
HP-UX with TCB (Trusted Mode)
How is it implemented?
  An understanding of the trusted system structure
  A lot of planning
  Train support personnel
  Run SAM to run conversion to TCB
  Be prepared initially for questions/problems

21 HP-UX UNIX Security
HP-UX with TCB (Trusted Mode)
Encrypted password is moved and replaced with an *
#cat /etc/passwd (after conversion to trusted system)
root:*:0:3::/:/sbin/ksh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
www:*:30:1::/:
webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
smbnull:*:103:103:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
opc_op:*:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
tftp:*:510:8:Trivial FTP user:/usr/tftpdir:/usr/bin/false
nsmail:*:110:101:NetScape Mail,,,:/home/nsmail:/usr/bin/sh
mailsrv:*:102:101:Netscape Mail Server,,,:/home/mailsrv:/usr/bin/sh
unidata:*:204:200:unidata user:/home/unidata:/usr/bin/ksh

22 HP-UX UNIX Security
HP-UX with TCB (Trusted Mode)
#ls -ld /tcb
dr-xr-x--x 3 root sys 96 Apr 29 13:36 /tcb
#ls -ld /tcb/files
drwxrwx--x 3 root sys 96 Apr 29 13:36 /tcb/files
#ls -ld /tcb/files/auth
drwxrwx--x 55 root sys 1024 Apr 29 13:36 tcb/files/auth
#cd /tcb/files/auth
#ls
A G M S Y e k q v
B H N T Z f l r w
C I O U a g m s x
D J P V b h n system y
E K Q W c i o t z
F L R X d j p u
#ls -ld /tcb/files/auth/u
drwxrwx--- 2 root sys 96 Aug 20 21:30 u

23 HP-UX UNIX Security
HP-UX with TCB (Trusted Mode)
#cd u
#ls -la
total 8
drwxrwx--- 2 root sys 96 Aug 20 21:30 .
drwxrwx--x 55 root sys 1024 Apr 29 13:36 ..
-rw-rw-r-- 1 root root 210 Aug 20 21:30 unidata
-rw-rw-r-- 1 root root 151 Apr 29 13:36 ursetta
-rw-rw-r-- 1 root root 126 Apr 29 13:36 uucp
#cat unidata
unidata:u_name=unidata:u_id#204:\
:u_pwd=P36658YzF7/z6:\
:u_auditid#22:\
:u_auditflag#1:\
:u_pswduser=unidata:u_suclog# :u_unsuclog# :u_unsuctty=pts/ta:\

24 HP-UX UNIX Security
HP-UX & PAM/NTLM
What is PAM?
  The pluggable authentication module (PAM) framework provides the ability to incorporate multiple authentication mechanisms into an existing system through the use of pluggable modules. The PAM framework consists of a library, pluggable modules, and a configuration file.
  Out of the box, HP-UX PAM is set up to perform UNIX authentication; however, other types can be plugged in, for example NTLM and Kerberos 5, which are used by Windows Active Directory.
Concept
  Authenticate UNIX logins against Windows Active Directory, not the UNIX password files

25 HP-UX UNIX Security
HP-UX & PAM/NTLM
What are the prerequisites?
  CIFS/9000 (Samba) must be:
    installed
    running in Domain Authentication mode
  UNIX server must have joined the Domain
  UNIX /etc/passwd file still has to exist, and new users still have to be created on the UNIX server
    How much of this is needed depends on the combination of sufficient vs. required entries in /etc/pam.conf
How is it implemented?
  Replace and configure the /etc/pam.conf file

26 HP-UX UNIX Security
HP-UX & PAM/NTLM
Sample /etc/pam.conf
# cat /etc/pam.conf
#
# PAM Configuration
#
# Account Management
#
dtaction account required /usr/lib/security/libpam_unix.1
dtlogin account required /usr/lib/security/libpam_unix.1
ftp account required /usr/lib/security/libpam_unix.1
login account sufficient /usr/lib/security/libpam_ntlm.1
login account required /usr/lib/security/libpam_unix.1
su account required /usr/lib/security/libpam_unix.1
OTHER account required /usr/lib/security/libpam_unix.1
#
# Authentication Management
#
dtaction auth required /usr/lib/security/libpam_unix.1
dtlogin auth required /usr/lib/security/libpam_unix.1
ftp auth required /usr/lib/security/libpam_ntlm.1

27 HP-UX UNIX Security
login auth sufficient /usr/lib/security/libpam_ntlm.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth required /usr/lib/security/libpam_unix.1
OTHER auth required /usr/lib/security/libpam_unix.1
#
# Password Management
#
dtaction password required /usr/lib/security/libpam_unix.1
dtlogin password required /usr/lib/security/libpam_unix.1
login password sufficient /usr/lib/security/libpam_ntlm.1
login password required /usr/lib/security/libpam_unix.1
passwd password required /usr/lib/security/libpam_unix.1
OTHER password required /usr/lib/security/libpam_unix.1
#
# Session Management
#
dtaction session required /usr/lib/security/libpam_unix.1
dtlogin session required /usr/lib/security/libpam_unix.1
login session required /usr/lib/security/libpam_unix.1
OTHER session required /usr/lib/security/libpam_unix.1
#
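The sufficient/required interplay that the prerequisites slide refers to is easiest to see by simulating PAM's walk down the stack. This is an added Python example, not code from the presentation or from HP-UX: the pam.conf excerpt is copied from the sample above (login and OTHER entries only), the module outcomes are constructed inputs, and the control-flag semantics are the standard PAM ones, simplified.

```python
# Constructed excerpt of the sample /etc/pam.conf from the slides (login + OTHER).
PAM_CONF = """
# Account Management
login account sufficient /usr/lib/security/libpam_ntlm.1
login account required /usr/lib/security/libpam_unix.1
OTHER account required /usr/lib/security/libpam_unix.1
# Authentication Management
login auth sufficient /usr/lib/security/libpam_ntlm.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER auth required /usr/lib/security/libpam_unix.1
"""
NTLM = "/usr/lib/security/libpam_ntlm.1"
UNIX = "/usr/lib/security/libpam_unix.1"

def parse_pam_conf(text):
    # Returns {(service, type): [(control, module, options), ...]} in file order.
    stack = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service, mtype, control, module, *opts = line.split()
        stack.setdefault((service, mtype), []).append((control, module, opts))
    return stack

def evaluate(stack, service, mtype, outcomes):
    # Walks the stack for service/type (falling back to OTHER) with the standard
    # PAM control-flag rules, simplified to required/requisite/sufficient/optional.
    # `outcomes` maps a module path to True (module passed) or False (it failed).
    modules = stack.get((service, mtype)) or stack.get(("OTHER", mtype), [])
    required_failed = passed = False
    for control, module, _opts in modules:
        ok = outcomes.get(module, False)
        if control == "sufficient":
            if ok and not required_failed:
                return True      # e.g. AD accepted the login: the UNIX module is skipped
            continue             # a failing sufficient module is simply ignored
        if control == "requisite" and not ok:
            return False         # abort the stack at once
        if control == "required" and not ok:
            required_failed = True   # keep walking so the caller cannot tell which failed
        passed = passed or ok
    return passed and not required_failed
```

Note that for the ftp service the OTHER entry applies in this excerpt, so an NTLM success alone does not log the user in there; only the login service lists libpam_ntlm.1 as sufficient.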

28 HP-UX UNIX Security
HP-UX & TCB & PAM/NTLM
Concept
  Authenticate the user against Windows Active Directory while keeping the UNIX passwords in a secure location
Implementation
  This is a combination of the two previously discussed methods

29 HP-UX UNIX File Sharing
SAMBA
What is it?
  Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients.
  Samba is software that can be run on a platform other than Microsoft Windows that allows the host to interact with a Microsoft Windows client or server as if it is a Windows file and print server.

30 HP-UX UNIX File Sharing
CIFS/9000
What is it?
  CIFS/9000 provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. CIFS/9000 implements both the server and client components of the CIFS protocol on HP-UX.
  The current CIFS/9000 Server (version A.01.08) is based on the well-established open-source software Samba, version 2.2.3a, and provides file and print services to CIFS clients including Windows NT, XP, 2000 and HP-UX machines running CIFS/9000 Client software.

31 HP-UX UNIX File Sharing
CIFS/9000
What is CIFS/9000 used for in ExcaliburEDGE software?
  Its main function in ExcaliburEDGE is to allow a Windows-based PC to map a network drive to a directory structure on a UNIX server
  It gives the Windows user the ability to drag and drop files to and from the UNIX server to previously configured locations

32 HP-UX UNIX File Sharing
CIFS/9000
How is it implemented?
  Preloaded on all new HP servers
  Can be installed from an HP supplied depot file
  May require HP-UX patches before installation

33 HP-UX UNIX File Sharing
CIFS/9000
Considerations
  Authentication options
    Domain
    User
    Share
  HP-UX user ids
    ids same as Windows
    ids different than Windows
  Sharing
    Define UNIX directories to be shared
  Permissions
    Read only
    Write

34 HP-UX UNIX File Sharing
CIFS/9000
Configuration
  smb.conf (man smb.conf)
  HP-UX server joins the Domain (man smbpasswd)
Use
  PCs use Windows Explorer to map drives to shares on UNIX server

35 HP-UX UNIX File Sharing
CIFS/9000
Sample /etc/opt/samba/smb.conf
# Samba config file created using SWAT
# from ( )
# Date: 2003/06/18 15:01:33
# Global parameters
[global]
workgroup = EAED1
netbios name = HELIOS
security = DOMAIN
encrypt passwords = Yes
password server = devnt2
username map = /etc/opt/samba/usermap.txt
printcap name = /var/opt/samba/printers
local master = No
wins server =
guest account = ftp
[printers]
path = /var/spool/lp/public
guest ok = Yes
printable = Yes

36 HP-UX UNIX File Sharing
CIFS/9000
Sample /etc/opt/samba/smb.conf (continued)
[homes]
comment = Home Directories
path = /home/%S
writeable = Yes
create mask = 0775
[tmp]
comment = /tmp on helios
path = /tmp
writeable = Yes
create mask = 0775
guest ok = Yes

37 HP-UX UNIX File Sharing
Sample /etc/opt/samba/smb.conf (continued)
[hold]
comment = /sb/SB.EXC/_HOLD_ on helios
path = /sb/SB.EXC/_HOLD_
writeable = Yes
create mask = 0775
guest ok = Yes
[GVMI_UPLOAD]
comment = /sb/SB.EXC/data/GL/GVMI_UPLOAD on helios
path = /sb/SB.EXC/data/GL/GVMI_UPLOAD
writeable = Yes
create mask = 0775
guest ok = Yes
[alltests]
comment = /sb/SB.EXC/data/EDI/alltests
path = /sb/SB.EXC/data/EDI/alltests
writeable = Yes
create mask = 0775
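The Considerations slide lists authentication (domain/user/share) and permissions (read only/write) as the things to decide per share; the sample above combines guest ok = Yes with writeable = Yes on several shares, which means unauthenticated writes run as the guest account (ftp). Here is an added Python check, not part of the presentation or of Samba, that reads an smb.conf and reports such shares; the excerpt is constructed from the sample above, plus a made-up [scratch] share to exercise the create-mask test, and the writeable/read only handling is simplified.

```python
import configparser

# Constructed excerpt of the sample smb.conf on the slides, plus a made-up
# [scratch] share (create mask 0777) that is not on the page.
SMB_CONF = """
[global]
workgroup = EAED1
security = DOMAIN
guest account = ftp
[homes]
path = /home/%S
writeable = Yes
create mask = 0775
[tmp]
path = /tmp
writeable = Yes
create mask = 0775
guest ok = Yes
[scratch]
path = /tmp/scratch
writeable = Yes
create mask = 0777
"""

def yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")

def audit_shares(text):
    # Returns {share: [findings]}; shares with no findings are left out.
    # Simplification: writeable = Yes counts as writable unless read only = Yes is set too.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    guest_user = cp["global"].get("guest account", "nobody")  # Samba's default is nobody
    findings = {}
    for share in cp.sections():
        if share in ("global", "printers"):
            continue
        s = cp[share]
        writable = yes(s.get("writeable", "no")) and not yes(s.get("read only", "no"))
        notes = []
        if writable and yes(s.get("guest ok", "no")):
            notes.append(f"guest users can write here (as UNIX user '{guest_user}')")
        mask = s.get("create mask")
        if writable and mask and int(mask, 8) & 0o002:
            notes.append(f"create mask {mask} makes new files world-writable")
        if notes:
            findings[share] = notes
    return findings
```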

38 ExcaliburEDGE Password Validation Setups User Group Menus

39 ExcaliburEDGE Password Validation
Default (as delivered by IBM)
  Authentication against the SB+ security files
  Password is validated against the SB+ encrypted password
  No password composition rules are in effect
  Null password is allowed

40 ExcaliburEDGE Password Validation

41 SB Supplied
SB+ password validation can be turned on by STS staff
It will enforce the following rules:
1-Password that contains a sequence of letters or numbers of 3 or more, such as ABC, or
2-Password that contains repetitive characters of 3 or more, such as using the same letter 3 times in a row, like AAA.
3-Password can not contain a comma.
4-Password can not be one of the last 10 passwords used.
5-Password can not be all numeric.
6-Password can not be null.
7-Password can not be the same as the user id.
8-Password must be between 4-50 characters.

42 ExcaliburEDGE Password Validation
Custom
  SB Supplied rules + custom programming
  Lock account after a user defined number of unsuccessful tries
  Custom programming
    More stringent password composition rules
    Plus rules 1-4 of the 8 SB supplied rules
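The eight SB supplied rules from slide 41 and the account lockout from the Custom slide, written out as an added Python example (not code from the presentation, SB+ or ExcaliburEDGE). The page does not say how SB+ encrypts passwords, whether the user-id comparison is case-sensitive, or what the lockout threshold is, so the SHA-256 stand-in, the case-insensitive match and the threshold argument are assumptions; `rules` lets the caller keep only rules 1-4 as the Custom setup does.

```python
import hashlib

MAX_HISTORY = 10  # rule 4: the last 10 passwords are remembered

def password_hash(pw):
    # Stand-in for the SB+ encrypted password (assumption: SHA-256 hex digest).
    return hashlib.sha256(pw.encode()).hexdigest()

def _has_run(pw, step):
    # True if three consecutive alphanumerics differ by `step` code points:
    # step 0 -> AAA (rule 2); step +1 or -1 -> ABC, 123 or CBA (rule 1; counting
    # both directions is my reading of "sequence", the slide only shows ABC).
    codes = [ord(c) for c in pw.lower()]
    return any(pw[i:i + 3].isalnum() and codes[i + 1] - codes[i] == step
               and codes[i + 2] - codes[i + 1] == step
               for i in range(len(codes) - 2))

def validate(user_id, password, history, rules=range(1, 9)):
    # Returns the numbers of the SB+ rules that `password` violates, limited to
    # `rules` (all eight by default; the Custom setup keeps 1-4); [] means accepted.
    # `history` holds password_hash() values of earlier passwords, newest first.
    checks = {
        1: _has_run(password, 1) or _has_run(password, -1),
        2: _has_run(password, 0),
        3: "," in password,
        4: password_hash(password) in history[:MAX_HISTORY],
        5: password.isdigit(),
        6: password == "",
        7: password.lower() == user_id.lower(),  # case-insensitive match: assumption
        8: not 4 <= len(password) <= 50,
    }
    return [n for n in rules if checks[n]]

def record_attempt(failures, user_id, success, max_tries):
    # Custom rule: lock the account after `max_tries` consecutive failed logins.
    # `failures` maps user id -> consecutive failures; returns True once locked.
    if failures.get(user_id, 0) >= max_tries:
        return True                    # already locked; stays locked until reset
    failures[user_id] = 0 if success else failures.get(user_id, 0) + 1
    return failures[user_id] >= max_tries
```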

43 REFERENCES
Administering Your HP-UX Trusted System (HP-UX online documentation)
SAMBA CIFS/9000 (HP-UX online documentation)

