HP-UX UNIX Security: Importance of security
Protect corporate information from theft, corruption, or unauthorized access
Comply with internal IT standards
Comply with Sarbanes-Oxley (SOX) audits
HP-UX UNIX Security: Definitions
What is a login?
  The UNIX program which reads and verifies a user's user name and password and starts an interactive session
Why is a user name important?
  Only authenticated users are allowed access to the UNIX server
  Access to programs/files is based on user names and groups
How does the verification work?
  The entered user name is compared to a list of names in a system file, and then the entered password is compared to the encrypted password stored in a system file
HP-UX UNIX Security: HP-UX (un-trusted mode)
Un-trusted mode
  Standard delivery on HP-UX servers
Concept
  Authenticate & validate against /etc/passwd file
HP-UX UNIX Security: HP-UX (un-trusted mode)
/etc/passwd file structure (colon delimited)
  username
  encrypted password
  user number
  group number
  4 optional text fields separated by commas
  user's home directory
  startup shell
HP-UX UNIX Security: sample /etc/passwd (un-trusted mode)
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
nobody:*:-2:-2::/:
www:*:30:1::/:
webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
smbnull:*:101:101:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
opc_op:*:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
unidata:CuRdujgUu53qA:200:200:,,,:/home/unidata:/usr/bin/ksh
HP-UX UNIX Security: HP-UX (un-trusted mode)
Ownership & permissions of important files
Issues with this security setup
  Encrypted password is in a world readable file
  Possible that file would be read and passwords cracked
#ls -la /etc/passwd
-r--r--r--   1 root   sys   818 Aug 20 15:39 /etc/passwd
HP-UX UNIX Security: HP-UX with shadow passwords
Concept
  Move encrypted passwords to a file that is secure
Requirements
  HP-UX 11.11(i) only
Implementation
  Install HP supplied software bundle
  Run conversion program
  Reboot
HP-UX UNIX Security: HP-UX with shadow passwords
Verification of a shadow password bundle installation
#swlist
# Initializing...
# Contacting target "siafu.petroleumplace.com"...
#
# Target:  siafu.petroleumplace.com:/
#
#
# Bundle(s):
#...
  ShadowPassword   B   HP-UX Shadow Password Bundle.
HP-UX UNIX Security: HP-UX with shadow passwords
Structure of /etc/passwd with shadow passwords
  Encrypted password is moved and replaced with an x
#cat /etc/passwd   (after conversion)
root:x:0:3::/:/sbin/ksh
rootlike:x:0:3::/:/sbin/ksh
daemon:x:1:5::/:/sbin/sh
bin:x:2:2::/usr/bin:/sbin/sh
sys:x:3:3::/:
adm:x:4:4::/var/adm:/sbin/sh
uucp:x:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:x:9:7::/var/spool/lp:/sbin/sh
nuucp:x:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:x:27:1:ALLBASE:/:/sbin/sh
nobody:x:-2:-2::/:
www:x:30:1::/:
webadmin:x:40:1::/usr/obam/server/nologindir:/usr/bin/false
smbnull:x:101:101:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
opc_op:x:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
unidata:x:200:200:,,,:/home/unidata:/usr/bin/ksh
#ls -la /etc/passwd
-r--r--r--   1 root   sys   818 Aug 20 15:39 /etc/passwd
HP-UX UNIX Security: HP-UX with TCB (Trusted Mode)
What is TCB?
  The Hewlett-Packard C2-level trusted system consists of the HP-UX operating system configured in trusted mode and its commands, utilities, and subsystems along with supported hardware. This results in a system designed to meet the criteria of a C2-level trusted system, as described in Section 2.2 of the Department of Defense Trusted Computer System Evaluation Criteria, DOD STD, December 1985, and the E3/FC2 security level as defined by the Information Technology Security Evaluation Criteria (ITSEC) established by the European Community.
HP-UX UNIX Security: HP-UX with TCB (Trusted Mode)
Why is TCB better than an un-trusted system or a shadow password system?
  Provides more stringent password authentication and system auditing
  Terminal access control
  Time-based access controls
HP-UX UNIX Security: HP-UX with TCB (Trusted Mode)
How is it implemented?
  An understanding of the trusted system structure
  A lot of planning
  Train support personnel
  Run SAM to run the conversion to TCB
  Be prepared initially for questions/problems
HP-UX UNIX Security: HP-UX with TCB (Trusted Mode)
  Encrypted password is moved and replaced with an *
#cat /etc/passwd   (after conversion to trusted system)
root:*:0:3::/:/sbin/ksh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
www:*:30:1::/:
webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
smbnull:*:103:103:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
opc_op:*:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
tftp:*:510:8:Trivial FTP user:/usr/tftpdir:/usr/bin/false
nsmail:*:110:101:NetScape Mail,,,:/home/nsmail:/usr/bin/sh
mailsrv:*:102:101:Netscape Mail Server,,,:/home/mailsrv:/usr/bin/sh
unidata:*:204:200:unidata user:/home/unidata:/usr/bin/ksh
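The three /etc/passwd listings above differ only in the second field: a real hash (un-trusted), an x (shadow) or an * (TCB). As an added example, not part of the deck, the Python below parses passwd lines, says where each account's secret lives, and flags what an auditor would want to see: hashes still sitting in the world-readable file, empty password fields, and a second UID 0 account (the shadow listing's rootlike entry). The sample input is constructed from the deck's own lines plus a made-up guest entry.

```python
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Constructed sample modelled on the deck's listings (the unidata hash is the one on
# the un-trusted slide), plus a made-up "guest" entry with an empty password field.
SAMPLE = """\
root:*:0:3::/:/sbin/ksh
rootlike:x:0:3::/:/sbin/ksh
bin:x:2:2::/usr/bin:/sbin/sh
webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
unidata:CuRdujgUu53qA:200:200:,,,:/home/unidata:/usr/bin/ksh
guest::300:300::/home/guest:/sbin/sh
"""

def parse_passwd(text):
    """Split colon-delimited lines into dicts; reject malformed lines instead of guessing."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def classify(passwd_field):
    """Say where the account's secret actually lives."""
    if passwd_field == "x":
        return "shadow"    # moved to /etc/shadow by the shadow password bundle
    if passwd_field == "*":
        return "starred"   # TCB: hash is in /tcb/files/auth; un-trusted: no usable hash
    if passwd_field == "":
        return "null"      # no password at all
    return "exposed"       # real hash sitting in the world-readable /etc/passwd

def audit(text):
    """Return (account, issue) pairs: exposed hashes, null passwords, extra UID 0 accounts."""
    entries = parse_passwd(text)
    findings = []
    for e in entries:
        kind = classify(e["passwd"])
        if kind == "exposed":
            findings.append((e["name"], "hash readable by every local user"))
        elif kind == "null":
            findings.append((e["name"], "empty password field"))
    superusers = [e["name"] for e in entries if e["uid"] == "0"]
    for name in superusers[1:]:
        findings.append((name, "extra UID 0 account"))
    return findings
```

On a live server, pass the contents of /etc/passwd to audit(); an empty result means every hash has been moved out of the world-readable file and root is the only UID 0 account.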
HP-UX UNIX Security: HP-UX with TCB (Trusted Mode)
#ls -ld /tcb
dr-xr-x--x   3 root   sys   96 Apr 29 13:36 /tcb
#ls -ld /tcb/files
drwxrwx--x   3 root   sys   96 Apr 29 13:36 /tcb/files
#ls -ld /tcb/files/auth
drwxrwx--x  55 root   sys   1024 Apr 29 13:36 tcb/files/auth
#cd /tcb/files/auth
# ls
A  G  M  S  Y  e  k  q       v
B  H  N  T  Z  f  l  r       w
C  I  O  U  a  g  m  s       x
D  J  P  V  b  h  n  system  y
E  K  Q  W  c  i  o  t       z
F  L  R  X  d  j  p  u
#ls -ld /tcb/files/auth/u
drwxrwx---   2 root   sys   96 Aug 20 21:30 u
HP-UX UNIX Security: HP-UX & PAM/NTLM
What is PAM?
  The pluggable authentication module (PAM) framework provides the ability to incorporate multiple authentication mechanisms into an existing system through the use of pluggable modules. The PAM framework consists of a library, pluggable modules, and a configuration file. Out of the box, HP-UX PAM is set up to perform UNIX authentication; however, other types can be plugged in, for example NTLM and Kerberos 5, as used by Windows Active Directory.
Concept
  Authenticate UNIX logins against Windows Active Directory, not the UNIX password files
HP-UX UNIX Security: HP-UX & PAM/NTLM
What are the prerequisites?
  CIFS/9000 (Samba) must be:
    installed
    running in Domain Authentication mode
  UNIX server must have joined the Domain
  UNIX /etc/passwd file still has to exist and new users must be created on the UNIX server
    Whether the UNIX password is also checked depends upon the combination of sufficient vs. required flags in /etc/pam.conf
How is it implemented?
  Replace and configure the /etc/pam.conf file
HP-UX UNIX Security: HP-UX & TCB & PAM/NTLM
Concept
  Authenticate the user against Windows Active Directory while keeping the UNIX passwords in a secure location
Implementation
  This is a combination of the two previously discussed methods
HP-UX UNIX File Sharing SAMBA: What is it?
  Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients. Samba is software that can be run on a platform other than Microsoft Windows that allows the host to interact with a Microsoft Windows client or server as if it is a Windows file and print server.
HP-UX UNIX File Sharing CIFS/9000: What is it?
  CIFS/9000 provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. CIFS/9000 implements both the server and client components of the CIFS protocol on HP-UX. The current CIFS/9000 Server (version A.01.08) is based on the well-established open-source software Samba, version 2.2.3a, and provides file and print services to CIFS clients including Windows NT, XP, 2000 and HP-UX machines running CIFS/9000 Client software.
HP-UX UNIX File Sharing CIFS/9000: What is CIFS/9000 used for in ExcaliburEDGE software?
  Its main function in ExcaliburEDGE is to allow a Windows-based PC to map a network drive to a directory structure on a UNIX server
  It gives the Windows user the ability to drag and drop files to and from the UNIX server at previously configured locations
HP-UX UNIX File Sharing CIFS/9000: How is it implemented?
  Preloaded on all new HP servers
  Can be installed from an HP supplied depot file
  May require HP-UX patches before installation
HP-UX UNIX File Sharing CIFS/9000: Considerations
Authentication options
  Domain
  User
  Share
HP-UX user ids
  ids same as Windows
  ids different than Windows
Sharing
  Define UNIX directories to be shared
Permissions
  Read only
  Write
HP-UX UNIX File Sharing CIFS/9000: Configuration
  smb.conf (man smb.conf)
  HP-UX server joins the Domain (man smbpasswd)
Use
  PCs use Windows Explorer to map drives to shares on the UNIX server
HP-UX UNIX File Sharing CIFS/9000: Sample /etc/opt/samba/smb.conf
# Samba config file created using SWAT
# from ( )
# Date: 2003/06/18 15:01:33

# Global parameters
[global]
        workgroup = EAED1
        netbios name = HELIOS
        security = DOMAIN
        encrypt passwords = Yes
        password server = devnt2
        username map = /etc/opt/samba/usermap.txt
        printcap name = /var/opt/samba/printers
        local master = No
        wins server =
        guest account = ftp

[printers]
        path = /var/spool/lp/public
        guest ok = Yes
        printable = Yes
ExcaliburEDGE Password Validation: Setups
  User
  Group
  Menus
ExcaliburEDGE Password Validation: Default (as delivered by IBM)
  Authentication against the SB+ security files
  Password is validated against the SB+ encrypted password
  No password composition rules are in effect
  Null password is allowed
ExcaliburEDGE Password Validation: SB Supplied
SB+ password validation can be turned on by STS staff
It will enforce the following rules:
  1 - Password can not contain a sequence of letters or numbers of 3 or more, such as ABC.
  2 - Password can not contain repetitive characters of 3 or more, such as using the same letter 3 times in a row, like AAA.
  3 - Password can not contain a comma.
  4 - Password can not be one of the last 10 passwords used.
  5 - Password can not be all numeric.
  6 - Password can not be null.
  7 - Password can not be the same as the user id.
  8 - Password must be between 4 and 50 characters.
ExcaliburEDGE Password Validation: Custom
SB supplied rules + custom programming
  Lock account after a user defined number of unsuccessful tries
Custom programming
  More stringent password composition rules
  Plus rules 1-4 of the 8 SB supplied rules
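To make the eight SB supplied rules concrete, here is an added Python validator (written for this page, not SB+ or ExcaliburEDGE code) that returns the numbers of the rules a candidate password breaks. Assumptions: sequence and repeat checks are case-insensitive, a "sequence" is ascending consecutive letters or digits as in the deck's ABC example, and the password history is kept as SHA-256 digests because the deck does not describe the SB+ encrypted password format.

```python
import hashlib

HISTORY_DEPTH = 10           # rule 4: the last 10 passwords used
MIN_LEN, MAX_LEN = 4, 50     # rule 8

def _has_sequence(pw, n=3):
    """Rule 1: n or more consecutive ascending letters/digits, e.g. ABC or 123."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        if chunk.isalnum() and all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(n - 1)):
            return True
    return False

def _has_repeat(pw, n=3):
    """Rule 2: the same character n or more times in a row, e.g. AAA."""
    s = pw.lower()
    return any(len(set(s[i:i + n])) == 1 for i in range(len(s) - n + 1))

def digest(pw):
    """Stand-in for the stored SB+ encrypted password (assumption: the real scheme is
    not described in the deck); history holds digests so old passwords are never kept in clear."""
    return hashlib.sha256(pw.encode()).hexdigest()

def validate(user_id, pw, history):
    """Return the numbers of the SB+ rules the candidate password breaks ([] = accepted)."""
    failed = []
    if _has_sequence(pw):
        failed.append(1)
    if _has_repeat(pw):
        failed.append(2)
    if "," in pw:
        failed.append(3)
    if digest(pw) in history[-HISTORY_DEPTH:]:   # only the most recent 10 count
        failed.append(4)
    if pw.isdigit():
        failed.append(5)
    if pw == "":
        failed.append(6)
    if pw.lower() == user_id.lower():             # assumption: compared case-insensitively
        failed.append(7)
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        failed.append(8)
    return failed
```

The custom setup on this slide would layer a lockout counter and stricter composition rules on top of validate(); rules 1 to 4 are the ones it keeps from the SB supplied set.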