HP 9000 Computer Systems: Administering Your HP-UX Trusted System, Chapter 1: Description of the HP-UX Trusted System

What is C2-Level Trusted Mode?
You can configure HP-UX in either the C2-level trusted mode or the untrusted mode. For the purposes of this chapter, the HP-UX trusted system being defined is one which is configured in the C2-level trusted mode.

In the untrusted mode, HP-UX offers the security mechanisms available in the standard UNIX environment. When configured in the trusted mode, HP-UX provides additional security features such as a more stringent password and authentication system, auditing, terminal access control, and time-based access controls.

C2-level trusted HP-UX protects the system and its users against a variety of threats and system compromises. A threat is any event that might cause users at a site to lose the use of computing resources or any of the information stored on them.

The Trusted Computing Base (TCB) is the totality of hardware and software protection mechanisms designed to enforce the system's security policy. It includes all the code that runs with hardware privilege (that is, the operating system or kernel) and all code running in processes that cooperate with the operating system to enforce the security policy.

The TCB oversees and monitors interactions between subjects (active entities such as processes) and objects (passive entities such as files, devices, and interprocess communication mechanisms). The TCB is protected from unauthorized modification and provides mechanisms that support the authentication and accountability requirements of a C2-level system.

Parts of the TCB

The TCB includes the following:

  • A modified HP-UX kernel

  • Trusted commands and utilities

  • Trusted hardware and firmware

The TCB consists of hardware and software components that enforce the correct operation of the system's security policies while the system is running in secure multiuser mode. This includes both the trusted and untrusted portions of the HP-UX operating system.

Some of the trusted commands and utilities in the TCB can cause the system to leave its secure state (for example, to shut down or reboot the system). The TCB also includes sam(1M), HP's System Administration Manager. Refer to "System Administration Tasks" later in this chapter for more information on SAM. Security-related commands and system roles are listed in Appendixes B and C.

Excluded from the TCB

The TCB does not include the following:

  • Compilers

  • Configuration management tools

  • System debugging and diagnostic tools

  • System generation utilities

  • Networking

  • X11 or Motif Windows

  • Journaled File Systems (JFS or VxFS)

  • Other untrusted commands and utilities

Although these tools are trusted to work correctly to configure the system, they play no role in enforcing security policies while the system is in operation.

TCB Interface

Processes (or users interacting with a process at a terminal) request services from the TCB in the following ways:

  • A process can execute unprivileged hardware instructions

  • A process can execute system calls

  • A user or process can interact with non-kernel TCB trusted program and trusted library interfaces

NOTE: Users can write programs that bypass the system call interface and invoke trap instructions directly. All system security policy decisions are made in kernel code that is accessible only through invocation of the trap instruction. All user actions that involve policy decisions must eventually go through the trap interface. Therefore, system security policy cannot be violated or bypassed.
© Hewlett-Packard Development Company, L.P.