Digital UNIX
Chapter 11. Security
The following C2 requirements specified in the Orange Book are supported by Digital UNIX Version 4.0 running enhanced security:
Audit
Identification and authentication
Object reuse
Discretionary access controls
System architecture
Integrity
Security testing
Security Features User's Guide (documentation)
The following audit features are provided in Digital UNIX Version 4.0:
A new dxaudit GUI (graphical user interface)
Command line interfaces compatible with those provided in ULTRIX Version 4.0 and higher releases
The ability to send audit logs to a remote host
Fine-grained preselection of system events, application events, and site-definable events
Fine-grained post-analysis of system events, application events, and site-definable events
Link-time configurability of audit subsystem
Per-user audit characteristics profile with enhanced Identification and Authentication (I&A)
The audit system is set up from the command line. Maintenance for the audit subsystem is done from the command line or with the dxaudit GUI.
Digital UNIX Version 4.0 intends to support the POSIX 1003.6 standard for audit when it is approved. The Digital implementation will also provide backward compatibility with the current audit interfaces. For more information, see the guide Security.
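The audit features above distinguish preselection (deciding which events are written to the log at all, from a system-wide mask combined with each user's audit characteristics profile) from post-analysis (querying what was recorded). The following Python model is an added example, not code from the page or from Digital UNIX: the system mask, the per-user profiles, the event names (including the site-definable `site:payroll_export`) and the raw event records are all constructed, and the per-event succeed/fail selection is a simplification of how UNIX audit masks behave, not the syntax of Digital UNIX's own audit commands.

```python
"""Model of audit preselection and post-analysis (constructed example)."""
from collections import Counter

# Outcome flags that a mask can select per event (simplified model).
SUCCEED, FAIL = "succeed", "fail"

# System-wide preselection mask: event -> outcomes that are recorded.
SYSTEM_MASK = {
    "login": {SUCCEED, FAIL},
    "open": {FAIL},                            # only failed opens; successes are noise
    "setuid": {SUCCEED, FAIL},
    "site:payroll_export": {SUCCEED, FAIL},    # site-definable application event
}

# Per-user audit profiles (hypothetical): events added beyond the system
# mask, or removed for that user.
USER_PROFILES = {
    "contractor": {"add": {"open": {SUCCEED, FAIL}, "exec": {SUCCEED}}, "remove": set()},
    "backup":     {"add": {}, "remove": {"open"}},
}


def effective_mask(user):
    """Combine the system mask with the user's profile."""
    mask = {ev: set(outs) for ev, outs in SYSTEM_MASK.items()}
    prof = USER_PROFILES.get(user, {"add": {}, "remove": set()})
    for ev, outs in prof["add"].items():
        mask.setdefault(ev, set()).update(outs)
    for ev in prof["remove"]:
        mask.pop(ev, None)
    return mask


def preselect(record):
    """True if this event/outcome is written to the audit log for this user."""
    outs = effective_mask(record["user"]).get(record["event"], set())
    return record["outcome"] in outs


def audit_log(raw_events):
    """The log as the audit daemon would store it after preselection."""
    return [r for r in raw_events if preselect(r)]


def post_analyze(log, user=None, event=None, outcome=None):
    """Post-analysis: select stored records on any combination of criteria."""
    return [r for r in log
            if (user is None or r["user"] == user)
            and (event is None or r["event"] == event)
            and (outcome is None or r["outcome"] == outcome)]


def failures_by_user(log):
    """A typical report: count of failed events per user."""
    return Counter(r["user"] for r in log if r["outcome"] == FAIL)


# Constructed raw events, in the order the kernel would generate them.
RAW_EVENTS = [
    {"user": "alice",      "event": "login",  "outcome": FAIL,    "tty": "tty01"},
    {"user": "alice",      "event": "login",  "outcome": SUCCEED, "tty": "tty01"},
    {"user": "alice",      "event": "open",   "outcome": SUCCEED, "path": "/etc/passwd"},
    {"user": "alice",      "event": "open",   "outcome": FAIL,    "path": "/tcb/files/auth.db"},
    {"user": "contractor", "event": "open",   "outcome": SUCCEED, "path": "/usr/users/c/x"},
    {"user": "contractor", "event": "exec",   "outcome": SUCCEED, "path": "/usr/bin/ksh"},
    {"user": "backup",     "event": "open",   "outcome": FAIL,    "path": "/dev/rmt0h"},
    {"user": "backup",     "event": "setuid", "outcome": SUCCEED, "uid": 0},
    {"user": "root",       "event": "site:payroll_export", "outcome": SUCCEED},
]

if __name__ == "__main__":
    log = audit_log(RAW_EVENTS)
    print(len(log), "of", len(RAW_EVENTS), "events recorded")
    print("failed events per user:", dict(failures_by_user(log)))
```

Of the nine constructed events, seven survive preselection: alice's successful open is dropped by the system mask, and backup's failed open is dropped by that user's profile. Post-analysis can only ever see what preselection kept, which is why the page presents the two as separate, equally fine-grained controls.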
Digital's Security Interface Architecture (SIA) allows a single set of identification and authentication (I&A) utilities to work in either the nontrusted system or the trusted (enhanced security) system. By using the secsetup command, you can configure your system to use either nontrusted or enhanced security commands.
The following I&A features are provided in Digital UNIX Version 4.0 running enhanced security:
Password control
A configurable maximum password length of up to 80 characters.
Configurable password lifetimes. This includes an optional minimum interval between password changes.
A floating value of the minimum password length, based directly on the Department of Defense Password Management Guideline (Green Book) guidelines and the password lifetime.
Per-user password generation flags, which include the ability to require a user to have a generated password.
Recording of who (besides the user) last changed the user's password.
Login control
Recording of last terminal and time of the last successful login, and of the last unsuccessful login attempt.
Automatic account lockout after a specified number of consecutive bad access attempts. This feature can be overridden by root in case of system database corruption.
A per-terminal setting for delay between consecutive login attempts, and the maximum amount of time each attempt is allowed before being declared a failed attempt.
A per-terminal setting for maximum consecutive failed login attempts before locking any new accesses from that terminal.
A notion of ownership for pseudoaccounts.
A notion of whether the account is "retired" or "locked."
Code for handling a remote host like a terminal, without confusing the issue of a pty versus a host. This is only set up to handle Internet hosts, and has no support for similar concepts that would be useful for Local Area Transport (LAT) and DECnet.
A notion of system default values for the various I&A fields.
A CDE-based GUI (dxaccounts) to perform many of the I&A administration tasks.
New edauth, convauth, and convuser utilities to make the migration of accounts to the enhanced security level easier.
Object reuse is a standard feature of Digital UNIX Version 4.0. Object reuse ensures that physical storage (memory or disk space) is cleared or scrubbed when it is released, whether it was assigned to a shared object or to a single process, before it can be assigned to another user. Examples are disk blocks released when a file is truncated and physical memory pages released by one process; without scrubbing, the next user assigned that storage could read its previous contents.
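The two examples in the paragraph above can be checked from user space. The Python below is an added test, not code from the page or from Digital UNIX: it writes a constructed secret to a file, truncates and regrows the file, and separately fills, releases and re-creates an anonymous memory mapping, then looks for the secret in what comes back. A conforming kernel returns zeros in both cases. The file case exercises the kernel's zero-fill of the regrown region; it cannot force the file system to hand back the very same disk blocks, so it is a necessary rather than a sufficient check of on-disk scrubbing.

```python
"""User-space object-reuse checks for freed file space and freed memory.

Added example; not Digital UNIX code.  SECRET is a constructed marker.
"""
import mmap
import os
import tempfile

SECRET = b"TOP-SECRET-PAYROLL-DATA-" * 64     # 1536 bytes of recognisable content
MARKER = SECRET[:24]
PAGE = mmap.PAGESIZE


def file_truncate_reuse(tmpdir):
    """Write SECRET, truncate to zero, regrow to the old length, read it back.

    Blocks freed by the truncation must not return with their old contents:
    the regrown region must read as zeros.
    """
    path = os.path.join(tmpdir, "reuse.dat")
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, SECRET)
        os.fsync(fd)
        os.ftruncate(fd, 0)                 # release the space
        os.ftruncate(fd, len(SECRET))       # reassign the same length
        os.lseek(fd, 0, os.SEEK_SET)
        return os.read(fd, len(SECRET))
    finally:
        os.close(fd)
        os.unlink(path)


def anonymous_memory_reuse():
    """Fill a private anonymous page, release it, map a fresh one and inspect it.

    The kernel must hand out scrubbed pages; any trace of SECRET in the new
    mapping would be an object-reuse failure.
    """
    m = mmap.mmap(-1, PAGE)
    m.write(SECRET[:PAGE])
    m.close()                               # release the page
    m2 = mmap.mmap(-1, PAGE)                # ask for a page again
    try:
        return m2.read(PAGE)
    finally:
        m2.close()


def object_reuse_ok():
    """True when neither the regrown file nor the fresh page leaks SECRET."""
    with tempfile.TemporaryDirectory() as d:
        fresh_file = file_truncate_reuse(d)
    fresh_mem = anonymous_memory_reuse()
    leaked = MARKER in fresh_file or MARKER in fresh_mem
    return (not leaked
            and fresh_file == bytes(len(SECRET))
            and fresh_mem == bytes(PAGE))


if __name__ == "__main__":
    print("object reuse check:", "PASS" if object_reuse_ok() else "FAIL")
```

A memory-reuse check that matters just as much, and that this script cannot perform, is for storage released inside the kernel (freed kernel buffers, terminal input queues, network buffers); that is what the C2 evaluation of the kernel's allocators covers.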
Discretionary access controls (DACs) are a standard feature of Digital UNIX Version 4.0. Discretionary access control provides the capability for users to define how the resources they create can be shared. The traditional UNIX permission bits provide this capability.
The Digital UNIX Version 4.0 system also provides optional access control lists (ACLs) to provide object protection at the individual user level.
Setting permissions, including ACLs, is discussed in the Security manual.
Digital UNIX Version 4.0 maintains a separate execution domain for the trusted computing base (TCB) components using hardware memory management to protect the TCB while it is executing. It maintains a kernel address space for the operating system, and maintains separate address spaces for each instance of an executing trusted (or untrusted) application process. Writable address space sharing between processes is controlled by discretionary access controls (DAC), with the default being to disallow sharing. Sharing of read-only address space sections (for example, shared libraries) can be disabled.
Digital UNIX Version 4.0 also protects the on-disk TCB components using discretionary access control. Attempted violations of the DAC protections can be audited so that remedial action can be taken by the system security officer.
In addition, the TCB is structured into well defined, largely independent modules.
Digital UNIX Version 4.0 is designed, developed, and maintained under a configuration management system that controls changes to the specifications, documentation, source code, object code, hardware, firmware, and test suites. Tools, which are also maintained under configuration control, are provided to control and automate the generation of new versions of the TCB from source code and to verify that the correct versions of the source have been incorporated into the new TCB version. The master copies of all material used to generate the TCB are protected from unauthorized modification or destruction.
Digital UNIX Version 4.0 provides the capability to validate the correct operation of hardware, firmware, and software components of the TCB. The firmware includes power-on diagnostics and more extensive diagnostics that can optionally be enabled. The firmware itself resides in EEPROM and can be physically write-protected. It can also be compared against, or reloaded from, an off-line master copy. Digital's service engineers can run additional hardware diagnostics as well.
The firmware can require authorization to load any operating software other than the default or to execute privileged console monitor commands that examine or modify memory.
Once the operating system is loaded, system diagnostics can be run to validate the correct operation of the hardware and software. In addition, test suites are available to ensure the correct operation of the operating system software.
The following two tools can be run automatically to detect inconsistencies in the TCB software and databases:
fverify
The fverify command reads subset inventory records from standard input and verifies that the attributes for the files on the system match the attributes listed in the corresponding records. Missing files and inconsistencies in file size, checksum, user ID, group ID, permissions, and file type are reported.
authck
The authck program checks both the overall structure and internal field consistency of all components of the authentication database and reports all problems that it finds.
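The fverify check described above, an inventory of expected file attributes compared against the live file system, is straightforward to reproduce. The Python below is an added example, not fverify itself and not Digital UNIX code: the record layout (type, size, SHA-256, uid, gid, mode) is a simplification of the setld subset inventory format, which has its own field order and checksum, and the TCB-like file tree it builds in a temporary directory is constructed for the demonstration. It reports the same classes of inconsistency the page lists: missing files and mismatches in size, checksum, user ID, group ID, permissions and file type.

```python
"""Inventory verification in the style of fverify (added example, simplified format)."""
import hashlib
import os
import stat
import tempfile

FIELDS = ("type", "size", "checksum", "uid", "gid", "mode")


def _ftype(st_mode):
    if stat.S_ISDIR(st_mode):
        return "d"
    if stat.S_ISLNK(st_mode):
        return "l"
    return "f"


def file_record(root, relpath):
    """Current attributes of one inventoried path, as an inventory record."""
    full = os.path.join(root, relpath)
    st = os.lstat(full)
    rec = {"path": relpath, "type": _ftype(st.st_mode), "size": st.st_size,
           "uid": st.st_uid, "gid": st.st_gid, "mode": stat.S_IMODE(st.st_mode),
           "checksum": "-"}
    if rec["type"] == "f":
        with open(full, "rb") as f:
            rec["checksum"] = hashlib.sha256(f.read()).hexdigest()
    return rec


def make_inventory(root, relpaths):
    """Record the trusted state; in practice this is shipped with the subset."""
    return [file_record(root, p) for p in relpaths]


def verify_inventory(root, records):
    """Report missing files and mismatching attributes, one (path, field) per finding."""
    problems = []
    for rec in records:
        if not os.path.lexists(os.path.join(root, rec["path"])):
            problems.append((rec["path"], "missing"))
            continue
        actual = file_record(root, rec["path"])
        problems.extend((rec["path"], f) for f in FIELDS if actual[f] != rec[f])
    return problems


def _write(root, relpath, data, mode=0o644):
    full = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Build a constructed tree, inventory it, tamper with it, and verify."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/ls": b"ls-v1\n", "etc/passwd": b"root:x:0:0\n",
                 "lib/libc.so": b"libc\n", "sbin/init": b"#!init\n"}
        for p, data in files.items():
            _write(root, p, data)
        inventory = make_inventory(root, sorted(files))
        if verify_inventory(root, inventory):
            raise RuntimeError("clean tree must verify")
        _write(root, "bin/ls", b"ls-v2\n")                   # same size, new content
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)    # permissions loosened
        os.unlink(os.path.join(root, "lib/libc.so"))         # file removed
        os.unlink(os.path.join(root, "sbin/init"))
        os.mkdir(os.path.join(root, "sbin/init"))            # replaced by a directory
        return sorted(verify_inventory(root, inventory))


if __name__ == "__main__":
    for path, field in demo():
        print("%-12s %s" % (path, field))
```

The size check alone misses the `bin/ls` substitution, which is why a checksum is part of the record; conversely the checksum says nothing about the loosened mode on `etc/passwd`, so every listed attribute has to be compared. An inventory is only as trustworthy as its storage, which is the point of keeping the master copies under configuration control as the page describes.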
The Digital UNIX Version 4.0 operating system provides system administrators with tools to improve the ease of use of administering system security.
System administrators can select the security level associated with their system. The default security level consists of object reuse and DAC; by running the secsetup command, system administrators can select enhanced security features. The audit subsystem and ACL subsystem are configurable at kernel link time, regardless of the security level of the system.
Three GUIs, based on OSF/Motif, are provided for the day-to-day security administration of the local machine. The enhanced security version of the dxaccounts utility (Account Manager under the CDE-based system administration utilities) is used to create and modify enhanced user accounts, to modify system defaults, and to set the audit mask for users.
The dxaudit GUI controls the administration of the audit system and the generation of audit reports. Administrators can configure the audit subsystem without installing the additional enhanced security features.
The dxdevices GUI is used to configure secure devices.
The old XSysAdmin and XIsso interfaces are provided for compatibility and will be retired in a future release.
For more information, see the dxaccounts(8X), dxaudit(8X), and dxdevices(8X) reference pages.