HP-UX 11i Version 2 May 2005 Release Notes: HP 9000 Servers, HP Integrity Servers, and HP Workstations > Chapter 8 Security

HP-UX 11i Security Containment


HP-UX 11i Security Containment provides the next generation of security features including the following:

  • Compartments

  • Fine-grained privileges

  • HP-UX Role-Based Access Control (HP-UX RBAC)

  • HP-UX Auditing System

  • Standard Mode Security Extensions

HP-UX 11i Security Containment is available only on the Web at http://software.hp.com and is expected to be released in the near future.

Summary of Change

  • Compartments provide isolation between unrelated resources to prevent damage to a whole system if a compartment is penetrated. Applications configured in compartments have restricted access to resources outside their configured compartments.

  • Fine-grained privileges let you grant processes only the privileges needed for a specific task, only for the time needed to complete the task. Privilege-aware applications can elevate their privileges to the required level for an operation and lower it after the operation is complete.

  • HP-UX Role-Based Access Control (HP-UX RBAC) lets you group common or related tasks into roles. Once roles are created, you assign users to a role or set of roles that enable them to run the commands defined by those roles. RBAC allows users to perform tasks previously requiring root privileges, without granting the user full root privileges.

  • HP-UX Auditing System,[37] with the installation of the Standard Mode Security Extensions (SMSE) product, provides the selective recording of events for analysis and detection of security breaches. Security containment makes auditing features available on standard mode systems. Auditing was previously available only in trusted mode.

  • Standard Mode Security Extensions (SMSE)[38] (available on Software Pack) include several security attributes, previously set on a system-wide basis, that can now be configured on a per-user basis. A new user database stores per-user information to support security features such as password history, auditing, and time-of-day login restrictions. This per-user information allows you to configure security features uniquely for each user.

Impact

By default, none of the features is active upon installation. You must manually activate containment features before use.

Compatibility

When configuring Security Containment, you must ensure that the resources and permissions needed by the applications you wish to run are consistent with the Security Containment settings you chose. Failure to do so can result in application degradation or malfunction.

Performance

There may be a small performance degradation after manually activating the new features.

Documentation

Obsolescence

Not applicable.

© 2005 Hewlett-Packard Development Company, L.P.