Planning System Security

The key to running a secure trusted system is planning and developing a security policy. This section provides some general guidelines on HP-UX system security.

However, realize that establishing and implementing a security policy is an extensive and complicated process. Complete coverage of system security is beyond the scope of this document. You should consult computer security trade books and adopt security measures that suit your business needs. One useful book to refer for additional information is Practical UNIX Security (Second Edition) by S. Garfinkel and G. Spafford. This book is available from your local computer bookstore or by ordering ISBN 1-56592-148-8 from O'Reilly & Associates, Inc. at 1-800-998-9938 or via email at ORDER@ORA.COM.

This book is required for administration of your trusted system.

System Security Policy

The system enforces a security policy which is a combination of mode permission bits and access control lists. The policy can be stated, in real world terms, as follows:

A person may read a document if: (1) the person owns the document, (2) if the document's owner allows him or her to, (3) if the person is a member of a group which owns the document and group read permission is set, or (4) if read permission of the document is universally granted.
A person may alter or modify a document if: (1) the person owns the document, (2) if the document's owner allows him or her to, (3) if the person is a member of a group that owns the document and group write permission is set, or (4) if write permission of the document is universally granted.
A person may execute a document if: (1) the person owns the document, (2) if the document's owner allows him or her to, (3) if the person is a member of a group that owns the document and group execute permission is set, or (4) if execute permission of the document is universally granted.

Developing a Security Policy

Before you convert your system to a trusted system, your security policy should consider the following aspects of a computer system:

Protecting information from unauthorized access
Protecting information from being deleted or altered
Keeping the system and the information on it available
Keeping the system running consistently
Preventing unauthorized access to the system
Auditing or tracking system activity

Establishing your security policy should be a joint effort between the technical staff and senior management. Your security policy should conform to your organization's laws and regulations.

Approaching System Security

Following are steps to perform as a general approach to system security:

Identify what you need to protect. These are your assets such as employees, system hardware, data (onsite and offsite), and documentation.
Identify potential threats to your assets. These include threats from nature (floods, earthquakes), ignorance and lack of training, and intentional security breaches.
Implement measures that will protect your assets in a cost effective manner.

Securing System Users

Maintaining system security involves securing system users as follows:

Identification of Users. All users must have a unique login identity (ID) consisting of an account name and password.
Authentication of Users. When a user logs in, the system authenticates the password by checking for its existence in the password database.
Authorization of Users. At a system level, HP-UX provides two kinds of authorized computer use--regular and superuser. Individual users also may be granted or restricted access to system files through traditional file permissions, access control lists, and Restricted SAM.

Planning System Security

Technical documentation

» Table of Contents

» Index

System Security Policy

Developing a Security Policy

Approaching System Security

Securing System Users