Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 HP 9000 Computer Systems : Administering Your HP-UX Trusted System > Chapter 3 Practices that Enforce the Trustworthiness of the System

Safe Administrative Practices
» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

System administrators of trusted HP-UX systems are responsible for performing standard HP-UX administrative tasks. The standard HP-UX tasks are described in detail in HP-UX System Administration Tasks

(B2355-90079). Chapter 12 of that manual, "Managing System Security" describes many of the tasks that need to be performed on a trusted system.

System administrators on trusted systems are responsible for performing the following security functions:

  • Setting up the trusted system

  • Setting up security databases

  • Maintaining additional security parameters of users' authentication profiles

  • Monitoring the security and integrity of the system

  • Auditing security-related events and maintain the system's audit functions

  • Perform miscellaneous administrative tasks associated with HP-UX C-level protected subsystems

In addition, on a trusted system, the system administrator is responsible for maintaining the Trusted Computing Base. For details about maintaining Unix systems and protecting against system threats, refer to Practical UNIX Security by S. Garfinkel and G. Spafford.

Common Security Practices

Part of running a secure system involves educating your system users and enforcing standard security practices such as the following:

  • Restrict login access to software to those with legitimate need.

  • Have users log off or use the lock command when not using their terminals.

  • Decentralize computer duties by rotating computer operators.

  • Store backup media at bonded, offsite depositories.

  • Erase obsolete data and securely disposing of console logs and printout.

User Passwords

One of the main ways you can keep your trusted system secure is to teach users good password security. When you set up accounts for new users, you should discuss guidelines such as the following with them:

  • Users must remember their passwords and keep them secret at all times

  • Users must be sure no one is watching when entering the password

  • Users should change their initial password immediately and change their passwords periodically

  • Users should report any changes in status and any suspected security violations

  • Users with accounts on more than one system should choose a different password for each machine

You should also set your system up so that users must use secure passwords. For example, passwords should have the following characteristics:

  • Six or more characters including asterisks and slashes

  • Contain both alphabetic and numeric characters

  • Contain both upper- and lowercase characters

  • Be easy to remember

  • Do not use a password that is easily associated with you, such as a pet name or a hobby

  • Do not use a password found in a dictionary, even if it is spelled backwards. Software programs exist that can find and match it.

Account Security

  • Use the password aging feature to deactivate an account that is not being used, to set an expiration time for a password, and specify the lifetime of a password.

  • Rather than removing or reassigning old accounts, you should use the administrative lock feature of SAM. Accounts should not be removed because it would then be possible for a given user ID to be reused later by another account. You must only have one user ID per user.

  • Do not permit any empty password fields.

  • Maintain proper permissions on the /etc/passwd password file or the /tcb/files/auth/user_initial/username protected password file.

  • Maintain proper permissions on the /etc/passwd password file and the /tcb/files/auth/user_initial/username protected password file.

  • A user with an empty password is forced to set a password upon login on a trusted system. However, this leaves a potential security breach, because any user can set the password for that account before a password is set for the first time.

    You should discuss the new account with the user confidentially. Then, take the time to follow up and be assured that the correct person validates the account by logging on and changing the password right away.

  • Refer to the section "Eliminating Pseudo-Accounts and Protecting Key Subsystems" in Chapter 12 of HP-UX System Administration Tasks for information relevant to keeping accounts listed in /etc/passwd secure.

Managing File and Directory Access

Along with traditional HP-UX file access protection, files and directories can be protected from unauthorized access by using Access Control Lists (ACLs). An ACL is a set of entries that allows users to specify different access rights to many individuals and groups instead of one of each. ACL entries define which users, groups and/or hosts have permission to access software objects (such as files and directories).

By understanding the full use of ACLs, you can help system users to protect information to a great degree. Refer to "Managing Access to Files and Directories" in Chapter 12 of HP-UX System Administration Tasks for information on ACLs including a subsection on "Security Considerations for Device Files."



Background on Security Practices
  		 


Guidelines for Administering Auditing  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© Hewlett-Packard Development Company, L.P.