topic Re: Security in Operating System - HP-UX

Security

Systems Department — Tue, 17 Jul 2001 12:59:00 GMT

Hi all,

Could someone tell me if there is anything on the ITRC about C2 security for HPUX 11.00? I'm after the major and minor differences between standard security and C2 ie what settings are set in stone and what setting can be changed. I have been informed that it would acctually take a complete re-installation to go to C2 security, but this was probably untrue.
I ask this question as our auditors have advised us that our current password security is inadequate.

Re: Security

Chris Calabrese — Tue, 17 Jul 2001 13:39:32 GMT

It depends by what you mean by C2.

You can convert your system to 'trusted mode'. This gives you some of the features necessary to meet the C2 spec (at least for non-networked systems), and can be done without a reinstall (you do it through SAM or /usr/lbin/tsconvert). But.. a regular HP-UX system in trusted mode is not actually C2 (not evaluated as such), and some add-on software that handles passwords may have to be recompiled (such as SSH).

The other choice is to use one of HP's trusted OS flavors (10.24 and 11.04), which requires a complete reinstall of the OS.

Re: Security

Systems Department — Tue, 17 Jul 2001 14:30:57 GMT

Thanks for the reply Chris.
I don't think a re-installation would go down very well at all.
Could you point me in the direction of some documentation on the security differences between a standard system and a trusted system.

Many thanks.

Re: Security

Paul R. Dittrich — Tue, 17 Jul 2001 15:55:51 GMT

What is meant by C2 comes from DoD documents.

Try this URL: http://all.net/books/orange/

Keep in mind that the "Orange Book" refers ONLY to standalone systems. Networked systems are supposed to conform to Red Book standards.

Re: Security

Chris Calabrese — Tue, 17 Jul 2001 16:43:20 GMT

Re. documents on 'trusted mode' - there's definitely a shortage of these. The only thing I could find is http://www.hp.com/products1/unix/operating/hpux11i/infolibrary/hpuxsecurity.pdf, though you might also check out the man pages for prpwd(4), authcap(4), and default(4).

Re. Orange Book vs. Red Book - if I remember correctly, the Red Book interprets the Orange Book for networked environments. So the Orange Book does address networked environemnt, in theory. But meanwhile niether of these are DoD standards any longer. First they were merged into the TCSEC (see http://www.radium.ncsc.mil/tpep/library/rainbow/).
Later they were superceded by the Common Criteria and the specific CC Protection Profiles (see http://www.radium.ncsc.mil/tpep/library/protection_profiles/index.html)

The Common Criteria Controled Access Protection Profile is roughly equivelant to the old C2 designation.

Re: Security

W.C. Epperson — Wed, 18 Jul 2001 14:01:44 GMT

For information about configuring HP-UX as "Trusted System":
http://docs.hp.com/hpux/onlinedocs/B2355-90121/B2355-90121.html
http://docs.hp.com/hpux/onlinedocs/B2355-90121/B2355-90121.html

These apply to HP-UX 10.xx. I'm not aware of 11.x equivalents.

Note that the C2 security level is characterized by Discretionary Access Control, and is pretty well deprecated in today's software environment. C2 relies on the presumptions that your authorized "superusers" are absolutely reliable (security clearances, etc.), and that there can be no unauthorized "superuser" access. Because of the common code flaws leading to unauthorized "superuser" access (particularly on Internet-exposed systems), it's generally considered that a compartmentalized Mandatory Access Control environment is required for truly secure applications. This corresponds to the DoD "B2" level above C2. HP's Virtual Vault is a commercial implementation. It works well, but is expensive to buy and support, compared to HP-UX. See:
http://www.docs.hp.com/hpux/pdf/B5413-90027.pdf
and other documents linked from:
http://www.docs.hp.com/hpux/internet/

Re: Security

Systems Department — Thu, 19 Jul 2001 09:07:13 GMT

Thank you all fro your replies.
I have one final question to ask. Now that I have set my system to a trusted system, I know I can set a maximum password length but is there any way of setting a minimum password length?
I ask this question as I have been told to set a minimum password length of 8 characters and the minimum password length currently is 6 characters.

Re: Security

Systems Department — Thu, 19 Jul 2001 09:25:02 GMT

Its okay, I've just spoted the post from Ray Bell regarding "passowrd length".

Many thanks for all your help.