Password protection under HP-UX 10.X

• Setting up a trusted system
• Auditing
• The protected password database
• Additional security features

Setting up a trusted system

Under HP-UX 9.X, shadow passwords are implemented with /etc/shadow. With the introduction of HP-UX 10.X, this has changed. The basic system setup no longer includes the use of shadowed passwords. In order to implement more stringent password protection, the system must be converted to a "trusted (secure) system". Converting the system involves running SAM, clicking on "Auditing and Security" and entering y to begin the conversion process.

The conversion program goes through the system makes the following changes:

• A protected password database is created in /tcb/files/auth/.
• Encrypted passwords are moved from /etc/passwd into the database in /tcb/files/auth/ and replaced with and asterisk.
• All users on the system are required to use passwords.
• An audit ID number is created for each user.
• The audit flag is set for all existing users.
• at, batch and crontab files are converted to use the audit ID of whoever submits them.

After the conversion program is finished use swlist -l to verify that SecurityMon, the fileset where audit files are kept, has been in installed. In addition check for /etc/rc.config.d/auditing and /sbin/rc2.d/S760auditing. /etc/rc.config.d/auditing contains the parameters which control auditing. This file may be modified manually or with SAM. /sbin/rc2.d/S760auditing is the script which starts auditing.

Auditing

Once the system has been converted to a trusted system, users will receive a last successful/unsuccessful login message when they log in.

Auditing task can be performed with SAM or from the command line with the following commands:

• audsys
• audusr
• audevent
• audomon
• audisp

The system defaults to the following auditing parameters:

• Auditing for all existing user and new users is automatically turned on.
• The following event types are selected for auditing:
  • admin which logs all administrative and privileged events.
  • login which logs all logins and logouts.
  • moddac which logs all modifications of object's discretionary access controls.
• The following log and audit parameters are set:
  • The primary log file path name is /.secure/etc/audfile1.
  • The primary log file switch size is 5,000KB.
  • The auxiliary log file path name is /.secure/etc/audfile2.
  • The auxiliary log file switch size is 1,000KB.
  • The minimum allowable free space is 20% of the filesystem.
  • Warning messages are sent when the log reaches 90% of capacity.

The protected password database

After a system is converted to a trusted system, the protected password database files in /tcb/files/auth/ function in much the same manner as the /etc/shadow file. An authentication file for each user is created in the directory that corresponds the first letter of the username. The encrypted password for each user is stored in their authentication file. The protected password database is accessible only to root. Account aging information is also stored there. For a more detailed description of this database, consult the prpwd man page.

Additional security features

On a trusted system the system administrator can control how passwords are generated. Password generation options may be set for the entire system and for individual users. The options set on individual user accounts override the system defaults. Options include:

• Allowing users to create their own passwords. A screening option is available which will check the password against the dictionary and check for the use of usernames, variations on usernames, repeated characters and palindromes.
• Allow passwords generated by the system that use letters only.
• Allow passwords generated by the system that combine letters, numbers, and punctuation characters.
• Allow passwords generated by the system which are pronounceable, English based phrases.

The system administrator can also specify the times-of-day and days-of-the-week when each user is permitted to log in. A device-based access control is also offered. This allows the system administrator to specify an access list for each mux and dedicated DTC port. This access information is stored in /tcb/files/auth/devassign, the device assignment database.

On a trusted system a terminal control database, /tcb/files/ttys, is also created which stores the following information for each terminal:

• Device name.
• UID of the last user to successfully log into the terminal.
• The time of both the last successful and unsuccessful login to the terminal.
• The number of consecutive unsuccessful login attempts before the terminal is locked.