HP-UX Standard Mode Security Extensions

The HP-UX Standard Mode Security Extensions security features include enhancements or changes to be used in standard mode that were previously available only in trusted mode systems.

The software is in the StdModSecExt bundle and is available at HP Software Depot at http://software.hp.com and on Software Pack (SPK) for HP-UX 11i v2 May 2005. For more information about SPK, see “Software Pack (Optional HP-UX 11i v2 Core Enhancements)”.

Summary of Change

Several security features previously available only in trusted mode are now available on standard mode systems.^[44] In addition, several security attributes can now be configured with a system-wide default or with a per-user value.

The following security features are now available in standard mode:

Auditing user and system activities.
Account locking after too many authentication failures.
Displaying the last successful and unsuccessful login.
Preventing the re-use of passwords in the password history.
Preventing logins with null passwords.
Restricting logins to specific time periods.
Expiring inactive accounts.

The above security features have been implemented by the following HP-UX changes:

The auditing system.
The /etc/default/security configuration file (system-wide security defaults).
The /etc/pam.conf configuration file and the PAM libraries.
The libsec routines.
The addition of a user database for per-user configuration.

Also see “HP-UX Auditing System” and “HP-UX 11i Security Containment”.

Impact

The HP-UX Standard Mode Security Extensions bundle can be installed on HP-UX 11i v2 September 2004 or later.

Each of the security features is optionally configured. The HP-UX Standard Mode Security Extensions bundle does not change systems running in trusted mode.

The following products or software are related to HP-UX Standard Mode Security Extensions:

The HP-UX Security Attributes Configuration product configures system-wide and per-user values of security attributes. It includes graphical and terminal user interfaces. This product requires the StdModSecExt bundle to be installed on the same HP-UX system. See “HP-UX Security Attributes Configuration” and also refer to the HP-UX Security Attributes Configuration Release Notes at http://docs.hp.com.
The HP-UX 11i Security Containment software provides the next generation of security features including compartments, fine-grained privileges, Role-based Access Control, and Standard Mode Security Extensions. The StdModSecExt bundle is also included with the HP-UX Security Containment bundle. See “HP-UX 11i Security Containment” and also refer to the HP-UX Security Containment Release Notes at http://docs.hp.com.

Compatibility

If you choose to load only the May 2005 version of this feature, without doing a complete update to the May 2005 version of HP-UX 11i v2, you must first load the September 2004 version of HP-UX 11i v2.

Performance

There are no known performance issues.

Documentation

For further information, see the product Web page at http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=StdModSecExt.
The following documents, available at http://docs.hp.com/en/internet.html, describe the features of the HP-UX Standard Mode Security Extensions:
- HP-UX 11i Security Containment Administrator’s Guide
- HP-UX Standard Mode Security Extensions Release Notes (5991-0791)
The following related documentation is available at http://docs.hp.com:
- HP-UX Security Attributes Configuration Release Notes (5991-1005)
- HP-UX Security Containment Release Notes (5991-1125)
The following manpages have been revised:
- audusr(5) Describes the audusr command which selects users to audit.
- audit(5) Describes the HP-UX auditing system which provides a mechanism to audit users and processes.
- pam_acct_mgmt(3) Describes the pam_acct_mgmt() function which performs Pluggable Authentication Module (PAM) account validation procedures.
- pam.conf(4) Describes the /etc/pam.conf configuration file for PAM modules.
- pam_hpsec(5) Describes the hpsec service module which implements extensions specific to HP-UX for authentication, account management, password management, and session management.
- security(4) Describes the security defaults configuration file /etc/default/security and attributes.
- useradd(1M) Adds a new user login to the system.
- userdel(1M) Deletes a user login from the system.
- usermod(1M) Modifies a user login on the system.
The following new manpages are installed with the HP-UX Standard Mode Security Extension software:
- getauduser(3) Retrieves the accountable user for the current process. Refer also to audit(5).
- setauduser(3) Starts auditing the current process as owned by a given user. Refer also to audit(5).
- userdbck(1M) Verifies or fixes per-user information in the user database. Refer also to userdb(4).
- userdbget(1M) Displays per-user information residing in the user database. Refer also to userdb(4).
- userdbset(1M) Modifies per-user information in the user database. Refer also to userdb(4).
- userdb(4) Describes the user database (/var/adm/userdb) that stores per-user information.
See also the following sections in this HP-UX Release Notes:

Obsolescence

Not applicable.

^[44]These features are also available when using the shadow password file.