Security

Hi all,

Could someone tell me if there is anything on the ITRC about C2 security for HPUX 11.00? I'm after the major and minor differences between standard security and C2, i.e. what settings are set in stone and what settings can be changed. I have been informed that it would actually take a complete re-installation to go to C2 security, but this was probably untrue.
I ask this question as our auditors have advised us that our current password security is inadequate.
Chris Calabrese
Valued Contributor

Re: Security

It depends on what you mean by C2.

You can convert your system to 'trusted mode'. This gives you some of the features necessary to meet the C2 spec (at least for non-networked systems), and can be done without a reinstall (you do it through SAM or /usr/lbin/tsconvert). But a regular HP-UX system in trusted mode is not actually C2 (not evaluated as such), and some add-on software that handles passwords may have to be recompiled (such as SSH).

The other choice is to use one of HP's trusted OS flavors (10.24 and 11.04), which requires a complete reinstall of the OS.
Brainbench MVP for Unix Administration and Internet Security, SANS Review Editor, and Center for Internet Security HP-UX Benchmark project leader

Re: Security

Thanks for the reply Chris.
I don't think a re-installation would go down very well at all.
Could you point me in the direction of some documentation on the security differences between a standard system and a trusted system.

Many thanks.
Paul R. Dittrich
Esteemed Contributor

Re: Security

What is meant by C2 comes from DoD documents.

Try this URL: http://all.net/books/orange/

Keep in mind that the "Orange Book" refers ONLY to standalone systems. Networked systems are supposed to conform to Red Book standards.
Chris Calabrese
Valued Contributor

Re: Security

Re. documents on 'trusted mode' - there's definitely a shortage of these. The only thing I could find is http://www.hp.com/products1/unix/operating/hpux11i/infolibrary/hpuxsecurity.pdf, though you might also check out the man pages for prpwd(4), authcap(4), and default(4).

Re. Orange Book vs. Red Book - if I remember correctly, the Red Book interprets the Orange Book for networked environments. So the Orange Book does address networked environments, in theory. But meanwhile neither of these are DoD standards any longer. First they were merged into the TCSEC (see http://www.radium.ncsc.mil/tpep/library/rainbow/).
Later they were superseded by the Common Criteria and the specific CC Protection Profiles (see http://www.radium.ncsc.mil/tpep/library/protection_profiles/index.html)

The Common Criteria Controlled Access Protection Profile is roughly equivalent to the old C2 designation.
Brainbench MVP for Unix Administration and Internet Security, SANS Review Editor, and Center for Internet Security HP-UX Benchmark project leader
W.C. Epperson
Trusted Contributor

Re: Security

For information about configuring HP-UX as "Trusted System":
http://docs.hp.com/hpux/onlinedocs/B2355-90121/B2355-90121.html

These apply to HP-UX 10.xx. I'm not aware of 11.x equivalents.

Note that the C2 security level is characterized by Discretionary Access Control, and is pretty well deprecated in today's software environment. C2 relies on the presumptions that your authorized "superusers" are absolutely reliable (security clearances, etc.), and that there can be no unauthorized "superuser" access. Because of the common code flaws leading to unauthorized "superuser" access (particularly on Internet-exposed systems), it's generally considered that a compartmentalized Mandatory Access Control environment is required for truly secure applications. This corresponds to the DoD "B2" level above C2. HP's Virtual Vault is a commercial implementation. It works well, but is expensive to buy and support, compared to HP-UX. See:
http://www.docs.hp.com/hpux/pdf/B5413-90027.pdf
and other documents linked from:
http://www.docs.hp.com/hpux/internet/
"I have great faith in fools; self-confidence, my friends call it." --Poe

Re: Security

Thank you all for your replies.
I have one final question to ask. Now that I have set my system to a trusted system, I know I can set a maximum password length but is there any way of setting a minimum password length?
I ask this question as I have been told to set a minimum password length of 8 characters and the minimum password length currently is 6 characters.

Re: Security

It's okay, I've just spotted the post from Ray Bell regarding "password length".

Many thanks for all your help.
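
For anyone auditing the two points raised in this thread (trusted mode and an 8-character minimum), here is a small check script, added as an example and not taken from any of the posts above or from HP. It assumes that /tcb/files/auth exists only after conversion to trusted mode, and that your release and patch level support the MIN_PASSWORD_LENGTH parameter in /etc/default/security as documented in security(4); the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit an HP-UX root tree for trusted mode and minimum
# password length. Each function takes a root prefix so the checks can also be
# run against a copied or constructed tree; an empty prefix means the live system.

REQUIRED_MIN=8   # the auditors' requirement quoted in the thread

# Trusted mode keeps the protected password database (prpwd(4)) under
# /tcb/files/auth. Assumption: the directory is present only after conversion.
is_trusted() {
    [ -d "${1:-}/tcb/files/auth" ]
}

# Print the MIN_PASSWORD_LENGTH value from etc/default/security, or nothing
# if it is unset or commented out. Assumption: key=value lines, '#' starts a
# comment; if the key appears more than once the last value is reported.
min_pw_length() {
    f="${1:-}/etc/default/security"
    [ -r "$f" ] || return 0
    sed -n -e 's/#.*//' -e 's/[[:space:]]//g' \
        -e 's/^MIN_PASSWORD_LENGTH=//p' "$f" | tail -n 1
}

# Return 0 when both checks pass; print one finding per failed check.
audit_root() {
    root="${1:-}"; rc=0
    is_trusted "$root" ||
        { echo "FAIL: no tcb/files/auth, system is not in trusted mode"; rc=1; }
    len=$(min_pw_length "$root")
    case "$len" in
        ''|*[!0-9]*)
            echo "FAIL: MIN_PASSWORD_LENGTH unset or not a number"; rc=1 ;;
        *)
            [ "$len" -ge "$REQUIRED_MIN" ] ||
                { echo "FAIL: MIN_PASSWORD_LENGTH=$len, need $REQUIRED_MIN"; rc=1; } ;;
    esac
    return "$rc"
}

# Usage: sh audit.sh /   (or a path to a copied root tree)
if [ $# -gt 0 ]; then audit_root "${1%/}"; fi
```

The exit status is 0 only when the tree is in trusted mode and the configured minimum is at least 8, so the script can be dropped into a periodic compliance job.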