How it Works
HP
Loading...
H
Loading...
Loading...
HP-UX 11i
User Manual
52 pgs1.63 Mb0
Installation Manual
20 pgs267.14 Kb0
Administrator's Guide
84 pgs1.78 Mb1
User Manual
54 pgs395.5 Kb0
Installation Guide
28 pgs509.7 Kb0
Setup and Install
74 pgs171 Kb0
Troubleshooting
94 pgs148.27 Kb0
Reference Guide
298 pgs3.51 Mb0
User Manual
54 pgs241.86 Kb0
Reference Guide
328 pgs1.28 Mb0
Getting Started Guide
16 pgs260.36 Kb0
Security Solutions
12 pgs106.14 Kb0
User's Guide
9 pgs368.12 Kb0
White Paper
10 pgs103.18 Kb0
Setup and Install
8 pgs149.01 Kb0
User Manual
19 pgs247.6 Kb0
Quick Reference Guide
33 pgs237.36 Kb0
User Manual
278 pgs714.51 Kb0
Administrator's Guide
236 pgs10.11 Mb0
Administrator's Guide
22 pgs5.05 Mb0
White Paper
12 pgs123.15 Kb0
User's Guide
175 pgs250.4 Kb0
User Manual
38 pgs1.15 Mb0
Quick Reference Guide
4 pgs113.26 Kb0
User Manual
187 pgs659.37 Kb0
Getting Started Guide
54 pgs862.3 Kb0
User Manual
72 pgs936.02 Kb0
User's Guide
9 pgs242.33 Kb0
White Paper
62 pgs1.08 Mb0
Table of contents
Loading...

HP HP-UX 11i Administrator's Guide

HP-UX 11i Security Containment Administrator's Guide

Version B.11.23.02
HP Part Number: 5991-8678 Published: E0606 Edition: HP-UX 11i v2
© Copyright 2007 Hewlett-Packard Development Company, L.P
Legal Notices
Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness
for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential
damages in connection with the furnishing, performance, or use of this material.
Warranty A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from
your local Sales and Service Office.
U.S. Government License Proprietary computer software. Valid license from HP required for possession, use or copying. Consistent with FAR
12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed
to the U.S. Government under vendor's standard commercial license.
Trademark Notices UNIX® is a registered trademark in the United States and other countries, licensed exclusively through The Open Group.

Table of Contents

About This Document.......................................................................................................13
Intended Audience................................................................................................................................13
New and Changed Information in This Edition...................................................................................13
Publishing History................................................................................................................................13
Document Organization.......................................................................................................................13
Typographic Conventions...............................................................................................................14
HP-UX Release Name and Release Identifier..................................................................................14
Related Information..............................................................................................................................15
HP Encourages Your Comments..........................................................................................................15
1 HP-UX 11i Security Containment Introduction............................................................17
Conceptual Overview...........................................................................................................................17
Authorization..................................................................................................................................17
Account Policy Management...........................................................................................................17
Privileges.........................................................................................................................................17
Isolation...........................................................................................................................................18
Auditing...........................................................................................................................................18
Defined Terms.......................................................................................................................................18
Features and Benefits............................................................................................................................18
Features............................................................................................................................................19
Benefits............................................................................................................................................20
2 Installation.....................................................................................................................21
Prerequisites and System Requirements..............................................................................................21
Hardware.........................................................................................................................................21
Software...........................................................................................................................................21
Disk Space........................................................................................................................................21
Installing HP-UX 11i Security Containment.........................................................................................21
Verifying the HP-UX 11i Security Containment Installation................................................................22
Installing HP-UX Role-Based Access Control......................................................................................23
Verifying the HP-UX Role-Based Access Control Installation.............................................................23
Installing HP-UX Standard Mode Security Extensions........................................................................23
Verifying the HP-UX Standard Mode Security Extensions Installation...............................................24
Uninstalling HP-UX 11i Security Containment....................................................................................24
Uninstalling HP-UX RBAC...................................................................................................................24
Uninstalling HP-UX Standard Mode Security Extensions...................................................................25
3 HP-UX Role-Based Access Control..............................................................................27
Overview...............................................................................................................................................27
HP-UX RBAC Versus Other RBAC Solutions.................................................................................27
Access Control Basics............................................................................................................................28
Simplifying Access Control with Roles...........................................................................................28
HP-UX RBAC Components..................................................................................................................29
HP-UX RBAC Access Control Policy Switch...................................................................................30
HP-UX RBAC Configuration Files..................................................................................................30
HP-UX RBAC Commands...............................................................................................................30
HP-UX RBAC Manpages.................................................................................................................31
HP-UX RBAC Architecture.............................................................................................................31
Table of Contents 3
HP-UX RBAC Example Usage and Operation................................................................................32
Planning the HP-UX RBAC Deployment.............................................................................................33
Step 1: Planning the Roles...............................................................................................................33
Step 2: Planning Authorizations for the Roles................................................................................33
Step 3: Planning Command Mappings............................................................................................34
HP-UX RBAC Limitations and Restrictions....................................................................................34
Configuring HP-UX RBAC...................................................................................................................35
Step 1: Configuring Roles................................................................................................................36
Creating Roles............................................................................................................................36
Assigning Roles to Users............................................................................................................37
Assigning Roles to Groups.........................................................................................................37
Step 2: Configuring Authorizations................................................................................................37
Step 3: Configuring Additional Command Authorizations and Privileges....................................38
Hierarchical Roles............................................................................................................................40
Overview....................................................................................................................................40
Examples of Hierarchical Roles............................................................................................40
Changes to the authadm Command for Hierarchical Roles.................................................41
Hierarchical Roles Considerations........................................................................................41
Configuring HP-UX RBAC with Fine-Grained Privileges..............................................................42
Configuring HP-UX RBAC with Compartments............................................................................43
Configuring HP-UX RBAC to Generate Audit Trails......................................................................44
Auditing Based on HP-UX RBAC Criteria and the /etc/aud_filter File.....................................45
Procedure for Auditing HP-UX RBAC Criteria.........................................................................45
Using HP-UX RBAC.............................................................................................................................46
Using the privrun Command to Run Applications with Privileges...............................................46
HP-UX RBAC in Serviceguard Clusters.....................................................................................48
Using the Privilege Shells (privsh, privksh, privcsh) to Automatically Run Commands with
Privilege...........................................................................................................................................48
Using the privedit Command to Edit Files Under Access Control.................................................48
Customizing privrun and privedit Using the ACPS.......................................................................49
Troubleshooting HP-UX RBAC............................................................................................................50
The rbacdbchk Database Syntax Tool..............................................................................................50
privrun -v Information....................................................................................................................50
4 Fine-Grained Privileges................................................................................................51
Overview...............................................................................................................................................51
Fine-Grained Privileges Components...................................................................................................51
Commands.......................................................................................................................................51
Manpages.........................................................................................................................................52
Available Privileges...............................................................................................................................52
Configuring Applications with Fine-Grained Privileges.....................................................................53
Privilege Model...............................................................................................................................54
Compound Privileges......................................................................................................................54
Security Implications of Fine-Grained Privileges.................................................................................55
Privilege Escalation.........................................................................................................................55
Fine-Grained Privileges in HP Serviceguard Clusters.........................................................................55
Troubleshooting Fine-Grained Privileges.............................................................................................55
5 Compartments..............................................................................................................57
Overview...............................................................................................................................................57
Compartment Architecture.............................................................................................................57
Default Compartment Configuration..............................................................................................59
Planning the Compartment Structure..................................................................................................59
4 Table of Contents
Activating Compartments....................................................................................................................60
Modifying Compartment Configuration..............................................................................................60
Changing Compartment Rules........................................................................................................61
Changing Compartment Names.....................................................................................................61
Compartment Components..................................................................................................................61
Compartment Configuration Files..................................................................................................61
Compartment Commands...............................................................................................................62
Compartment Manpages.................................................................................................................62
Compartment Rules and Syntax...........................................................................................................63
Compartment Definition.................................................................................................................63
File System Rules.............................................................................................................................63
IPC Rules.........................................................................................................................................64
Network Rules.................................................................................................................................65
Miscellaneous Rules........................................................................................................................67
Example Rules File..........................................................................................................................68
Configuring Applications in Compartments........................................................................................68
Troubleshooting Compartments...........................................................................................................68
Compartments in HP Serviceguard Clusters.......................................................................................70
6 Standard Mode Security Extensions..........................................................................71
Overview...............................................................................................................................................71
Security Attributes and the User Database...........................................................................................72
System Security Attributes..............................................................................................................72
Configuring Systemwide Attributes...............................................................................................72
User Database Components............................................................................................................72
Configuration Files.....................................................................................................................72
Commands.................................................................................................................................73
Attributes....................................................................................................................................73
Manpages...................................................................................................................................73
Configuring Attributes in the User Database..................................................................................74
Troubleshooting the User Database................................................................................................74
Auditing................................................................................................................................................74
Auditing Components.....................................................................................................................74
Commands.................................................................................................................................75
Manpages...................................................................................................................................75
Auditing Your System.....................................................................................................................75
Step 1: Planning Your Auditing Implementation......................................................................75
Step 2: Enabling Auditing..........................................................................................................75
Step 3: Monitoring Audit Files...................................................................................................76
Performance Considerations......................................................................................................77
Guidelines for Administering Your Auditing System...............................................................77
Auditing Users.................................................................................................................................77
Auditing Events...............................................................................................................................78
Streamlining Audit Log Data..........................................................................................................78
Audit Log Files................................................................................................................................79
Configuring Audit Log Files......................................................................................................80
Viewing Audit Logs.........................................................................................................................80
Examples of Using the audisp Command.................................................................................81
Index.................................................................................................................................83
Table of Contents 5
6
List of Figures
3-1 HP-UX RBAC Architecture...........................................................................................................32
3-2 Example Operation After Invoking privrun.................................................................................32
5-1 Compartment Architecture...........................................................................................................58
7
8
List of Tables
1 Publishing History Details.................................................................................................................13
2 HP-UX 11i Releases............................................................................................................................15
3-1 Example of Authorizations Per User.............................................................................................28
3-2 Example of Authorizations Per Role.............................................................................................29
3-3 HP-UX RBAC Configuration Files................................................................................................30
3-4 HP-UX RBAC Commands.............................................................................................................31
3-5 HP-UX RBAC Manpages...............................................................................................................31
3-6 Example Planning Results.............................................................................................................36
3-7 Example Roles Configuration in HP-UX RBAC B.11.23.02...........................................................40
3-8 Example Roles Configuration Using Hierarchical Roles in HP-UX RBAC B.11.23.03..................41
4-1 Fine-Grained Privileges Commands.............................................................................................51
4-2 Fine-Grained Privileges Manpages...............................................................................................52
4-3 Available Privileges.......................................................................................................................52
5-1 Compartment Configuration Files................................................................................................62
5-2 Compartment Commands.............................................................................................................62
5-3 Compartment Manpages...............................................................................................................62
6-1 User Database Configuration Files................................................................................................73
6-2 User Database Commands............................................................................................................73
6-3 User Attributes..............................................................................................................................73
6-4 User Database Manpages..............................................................................................................74
6-5 Audit Commands..........................................................................................................................75
6-6 Audit Manpages............................................................................................................................75
6-7 audevent command options..........................................................................................................78
9
10
List of Examples
3-1 The authadm Command Syntax..........................................................................................................41
3-2 Example of the authadm Command Usage.........................................................................................41
11
12

About This Document

This document describes how to install, configure, and troubleshoot HP-UX 11i Security Containment on HP-UX 11i Version 2.

Intended Audience

This document is intended for system administrators responsible for installing, configuring, and managing HP-UX 11i Security Containment. Administrators are expected to have knowledge of HP-UX 11i v2 operating system concepts, commands, and configuration.
It is helpful to have knowledge of UNIX security concepts, commands, and protocols. Knowledge of HP-UX trusted mode systems is helpful, but not necessary.
This document is not a tutorial.

New and Changed Information in This Edition

HP-UX 11i Security Containment B.11.23.02 offers support for HP-UX Role-Based Access Control B.11.23.04 and HP-UX Standard Mode Security Extensions B.11.23.02.

Publishing History

The document printing date and part number indicate the document's current edition. The printing date will change when a new edition is printed. Table 1 “Publishing History Details” gives a history of printing dates for this document. Minor changes may be made at reprint without changing the printing date. The document part number will change when extensive changes are made.
Document updatesmay be issuedbetween editions to correct errors or document product changes. To ensure that you receive the updated or new editions, you should subscribe to the appropriate product support service. Consult your HP sales representative for details.
The latest version of this document can be found online at http://www.docs.hp.com.
Table 1 Publishing History Details
Document Manufacturing Part Number
Supported
HP–UX 11i Version 25991-8678
HP–UX 11i Version 25991-1821

Document Organization

The HP-UX 11i Security Containment Administrator's Guide contains the following information about installing or configuring HP-UX 11i Security Containment:
Publication DateSupported Product VersionsOperating Systems
March 2007• HP-UX 11i Security Containment
version B.11.23.02
• HP-UX RBAC version B.11.23.01 and higher
• HP-UX SMSE version B.11.23.01 and higher
May 2005• HP-UX 11i Security Containment
version B.11.23.01
• HP-UX RBAC version B.11.23.01 and higher
• HP-UX SMSE version B.11.23.01 and higher
Intended Audience 13
Chapter 1 "Chapter 1 “HP-UX 11i Security Containment Introduction”." Use this chapter
to learn about the security containment features and how those features work together to secure your HP-UX 11i v2 system.
Chapter 2 "Chapter 2 “Installation”." Use this chapter to plan and execute the installation
of the full HP-UX 11i Security Containment product or individual security containment components.
Chapter 3 "Chapter 3 “HP-UX Role-Based Access Control”." Use this chapter to learn how
to configure and administer HP-UX RBAC.
Chapter 4 "Chapter 4 “Fine-Grained Privileges”." Use this chapter to learn how to administer
fine-grained privileges.
Chapter 5 "Chapter 5 “Compartments”." Use this chapter to learn how to configure and
administer compartments.
Chapter 6 "Chapter 6 “Standard Mode Security Extensions”." Use this chapter to learn how
to configure and administer the user database, per-user security attributes, and system auditing.

Typographic Conventions

This document uses the following conventions:
audit(5) An HP-UX manpage. In this example, audit is the name and 5 is the section in
the HP-UX Reference. On the Web and on the Instant Information CD, it may be a hot link to the manpage itself. From the HP-UX command line, you can enter “man audit”or “man 5 audit” to view the manpage. Refer to man(1).
Book Title The title of a book. On the Web and on the Instant Information CD, it may be
a hot link to the book itself.
KeyCap The name of a keyboard key. Return and Enter both refer to the same key. Emphasis Text that is emphasized.
Bold Text that is strongly emphasized. Bold The defined use of an important word or phrase.
ComputerOut
UserInput
Command
Variable
[ ] The contents are optional in formats and command descriptions.If the contents
{ } The contentsare required in formats and command descriptions. If the contents
... The preceding element may be repeated an arbitrary number of times. | Separates items in a list of choices.
Text displayed by the computer. Commands and other text that you type. A command name or qualified command phrase. The name of a variable that you may replace in a command or function or
information in a display that represents several possible values.
are a list separated by |, you must choose one of the items.
are a list separated by |, you must choose one of the items.

HP-UX Release Name and Release Identifier

Each HP-UX 11i release has an associated release name and release identifier. Theuname(1) command with the -r option returns the release identifier. Table 2 “HP-UX 11i Releases” lists the releases available for HP-UX 11i.
14 About This Document
Table 2 HP-UX 11i Releases
Identifier
Supported Processor ArchitectureRelease NameRelease
PA-RISC architectureHP-UX 11i v1B.11.11
HP-UX 11i v1.5B.11.20
HP-UX 11i v1.6B.11.22
HP-UX 11i v2B.11.23
HP-UX 11i v2 September 2004 and laterB.11.23

Related Information

You can find additional information about HP-UX 11i Security Containment at
http://www.docs.hp.com, in the internet and security solutions collection under HP-UX 11i
Security Containment.
Other documents in this collection include:
HP-UX 11i Security Containment Release Notes
HP-UX Standard Mode Security Enhancements Release Notes
HP-UX Role-Based Access Control Release Notes

HP Encourages Your Comments

HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs.
Please send comments to netinfo_feedback@cup.hp.com.
Please include document title; manufacturing part number; and any comment, error found, or suggestion for improvement you have concerning this document. Also, please include what we did right so we can incorporate it into other documents.
Intel® Itanium® architecture
Intel® Itanium® architecture
Intel® Itanium® architecture
PA-RISC and Intel® Itanium® architecture
Related Information 15
16

1 HP-UX 11i Security Containment Introduction

This chaptercontains overview information about the featuresof HP-UX 11iSecurity Containment. It addresses the following topics:
“Conceptual Overview”
“Defined Terms”
“Features and Benefits”

Conceptual Overview

HP-UX 11i Security Containment uses three core technologies: compartments, fine-grained privileges, and role-based access control. Together, these three components provide a highly secure operating environment without requiring existing applications to be modified. In addition, HP-UX 11i Security Containment makes several newly enhanced trusted mode security features available on standard mode HP-UX systems. These features are called HP-UX Standard Mode Security Extensions (HP-UX SMSE).
With HP-UX 11i Security Containment, the HP-UX 11i v2 operating system provides a highly secure, easy-to-maintain, and backwards-compatible environment for business applications. HP-UX 11i Security Containment implements several important security concepts. The following sections describe these concepts as implemented by security containment:
“Authorization”
“Account Policy Management”
“Privileges”
“Isolation”
“Auditing”

Authorization

Authorization is the concept of limiting the actions a user is allowed to perform on a system, often based on the user's business needs. A traditional UNIX system offers only two levels of authorization:
regular user Limited access to system resources superuser Unlimited access to system resources
HP-UX Role-BasedAccess Control (HP-UX RBAC) creates many different levels of authorization, based on roles. You can configure roles based on business need, for a user or group of users to perform specific actions on the system. Then you assign users to the roles you configured.

Account Policy Management

Account policy management is the concept of maintaining user and system security attributes used for authorization. Some user and system attributes include the time of day a user is allowed to log on, how long a user can remain inactive before being automatically logged out, and how long a user's password remains valid.
Account policy management is implemented using HP-UX Standard Mode Security Extensions features of HP-UX 11i Security Containment.

Privileges

Privileges are similar to authorization, except that instead of limiting the actions a user can perform on a system, privileges limit the actions a program can perform on a system. On a traditional UNIX system, a program can run as though owned by the invoking user or by the file owner (for example, a setuid program). Access to certain system resources require the
Conceptual Overview 17

Isolation

Auditing

program to be set to the superuser using the setuid command. This allows the program great latitude in reading and modifying system resources.
Privileges break up the latitude of the superuser into many different levels. The fine-grained privileges feature of HP-UX 11i Security Containment implements the concept of privileges.
Compartments are a method of isolating components of a system from one another. Conceptually, processes belong to a compartment, and resourcesare associated with an access list that specifies how processes in different compartments can access them. That is, processes can access resources or communicate with processes belonging to a different compartment only if a rule exists between those compartments. Processes that belong to the same compartment can communicate with each other and access resources in that compartment without a rule.When configured properly, they can be an effective method to safeguard your HP-UX system and the data that resides on it.
Auditing is the concept of tracking significant events on a system. You can record and analyze security events tohelp detect attempted security breaches and tounderstand successful breaches so that you can prevent them in the future.
Prior to the release of HP-UX 11i Security containment, auditing was available only on trusted mode HP-UX systems. With HP-UX 11i Security Containment, you can use enhanced auditing on standardmode HP-UX 11i v2 systems. You can configure HP-UX RBAC to audit access control request to the audit system.

Defined Terms

The following terms are used throughout this manual.
HP-UX RBAC
HP-UX Role-Based Access Control. Refer to Chapter 3 “HP-UX Role-Based Access Control” for information about HP-UX RBAC.
HP-UX SMSE
HP-UX Standard Mode Security Extensions. This set of features includes the user database and standard mode auditing.
NOTE: When you run swlist, the HP-UX SMSE product name appears as TrustedMigration.
Refer to Chapter 6 “Standard Mode Security Extensions” for information about HP-UX SMSE.
Trusted Mode
Trusted Mode is a legacy method of securing the HP-UX operating system. Refer to Managing Systems and Workgroups: A Guide for HP-UX Systems Administrators for HP-UX 11i v 2 for
information about trusted mode.
Legacy applications
In this document, a legacy application is an application created without awareness of fine-grained privileges or compartments. All applications released before HP-UX 11i Security Containment are legacy applications.

Features and Benefits

HP-UX 11i Security Containment Version B.11.23.02 contains a number of features to help you secure your HP-UX standard mode system.
18 HP-UX 11i Security Containment Introduction

Features

HP-UX 11i Security Containment Version B.11.23.02 includes the following components:
Compartments
Compartments isolate unrelated resources on a system, to prevent catastrophic damage to the system if one compartment is penetrated.
When configured in a compartment, an application has restricted access to resources (processes, binaries, data files, and communication channels used) outside its compartment. This restriction is enforced by the HP-UX kernel and cannot be overridden unless specifically configured to do so. If the application is compromised, it will not be able to damage other parts of the system because it is isolated by the compartment configuration.
Fine-Grained Privileges
Traditional UNIX operating systems grant "all or nothing" administrative privileges based on the effective UID of the process that is running. If the process is running with the effective UID=0, it is granted all privileges. With fine-grained privileges, processes are granted only the privileges needed for the task and, optionally, only for the time needed to complete the task. Applications that are privilege-aware can elevate their privilege to the required level for the operation and lower it after the operation completes.
HP-UX Role-Based Access Control (HP-UX RBAC)
Typical UNIX system administration commands must be run by a superuser (root user). Similar to kernel level system call access, access is usually "all or nothing" based on the user's effective UID. HP-UX Role-Based Access Control (HP-UX RBAC) enables you to group common or related tasks into a role. For example, a common role might be User and Group Administration. Once the role is created, users are assigned a role or set of roles that enables them to run the commands defined by those roles.
When you implement HP-UX RBAC, you enable non-root users to perform tasks previously requiring root privileges, without granting those users complete root privileges.
For more information about HP-UX RBAC, refer to the HP-UX Role-Based Access Control B.11.23.04 Release Notes.
HP-UX Standard Mode Security Extensions (SMSE)
In addition to the new Security Containment features, HP-UX 11i v2 has been enhanced to support the following security features, previously available only in trusted mode:
Audit
The HP-UX auditing system records security-related events for analysis. Administrators use auditing to detect and analyze security breaches. Auditing is now available on standard mode HP-UX systems; it was previously available only on trusted mode systems.
User Database
Previously, all Standard Mode HP-UX security attributes and password policy restrictions were set on a systemwide basis. The introduction of the user database enables you to set security attributes on a per-user basis that overrides systemwide defaults.
You can use the user database to enforce the following security measures:
Lock a user account after a specified number of authentication failures ◦ Display the last successful and unsuccessful login ◦ Maintain a password history ◦ Expire inactive user accounts ◦ Prevent users from logging in with a null password ◦ Restrict users to logging in only during specified time periods
Features and Benefits 19

Benefits

Using HP-UX 11i Security Containment to secure your system offers the following benefits:
Integrated security
You can use HP-UX Standard Mode Security Extensions in combination with the new security containment features to enhance the security of your HP-UX systems.
Fewer users who need full superuser access to systems
Using HP-UX RBAC, you can give users specific administrator-level privileges on a system without giving those users full superuser access. These users can perform only specific administrative tasks on the system, as defined by their roles. This provides strong internal system security.
Isolation of system resources
Using compartments, you can isolate applications and resources on a single system. Even if the security of one application is compromised, other resources on the system remain secure.
Interoperable with existing HP-UX 11i security products
You can integrate HP-UX 11i Security Containment with your existing HP-UX security solution. HP-UX 11i Security Containment works with all other HP-UX 11i v2 security products and features.
No need to modify existing applications
HP-UX 11i Security Containment can be configured to be transparent at the application layer. You do not need to modify your existing applications to use HP-UX 11i Security Containment.
Interoperability with HP Serviceguard
HP Serviceguard is comparable with the HP-UX 11i Security Containment default configuration. Because Serviceguard requires communication and control between many processes and nodes, be sure to follow all constraints described in this document if you change the default containment configuration.
For more information about configuring HP-UX 11i Security Containment to ensure proper cluster operation for appropriate enforcement of security policies, refer to “Fine-Grained
Privileges in HP Serviceguard Clusters” and “Compartments inHP Serviceguard Clusters”.
20 HP-UX 11i Security Containment Introduction

2 Installation

This chapter contains the information you need to install and remove HP-UX 11i Security Containment, HP-UX Role-Based Access Control, and Standard Mode Security Extensions. This chapter addresses the following topics:
“Prerequisites and System Requirements”
“Installing HP-UX 11i Security Containment”
“Verifying the HP-UX 11i Security Containment Installation”
“Installing HP-UX Role-Based Access Control”
“Verifying the HP-UX Role-Based Access Control Installation”
“Installing HP-UX Standard Mode Security Extensions”
“Verifying the HP-UX Standard Mode Security Extensions Installation”
“Uninstalling HP-UX 11i Security Containment”
“Uninstalling HP-UX RBAC”
“Uninstalling HP-UX Standard Mode Security Extensions”

Prerequisites and System Requirements

You must meet the following system requirements to install HP-UX 11i Security Containment.

Hardware

HP 9000 systems
HP Integrity systems

Software

HP-UX 11i Version 2 September 2004 release or later

Disk Space

66 Mbytes

Installing HP-UX 11i Security Containment

The following procedures describe how to download and install the HP-UX 11i Security Containment product from the SecurityExt bundle. This bundle includes the following software:
Compartments
Fine-grained privileges
HP-UX RBAC
HP-UX SMSE
Audit
Subsequent sections of this chapter describe how to install the HP-UX RBAC, HP-UX SMSE, and audit features separately, from different software bundles. Refer to “Installing HP-UX Role-Based
Access Control” and “Installing HP-UX Standard Mode Security Extensions”.
Prerequisites and System Requirements 21
IMPORTANT: The HP-UX 11i Security Containment feature includes HP-UX RBAC as one of its components. If you install the HP-UX 11i Security Containment feature on a system that has HP-UX RBAC on it as an independent software unit, you must reconfigure HP-UX RBAC before you can use it with the fine-grained privileges and compartments components of HP-UX 11i Security Containment. Use the following command to reconfigure HP-UX RBAC:
# swconfig -x autoselect_dependencies=false -x reconfigure=true RBAC
To download the HP-UX 11i Security Containment bundle from Software Depot, follow these steps:
1. Go to HP Software Depot at http://www.hp.com/go/softwaredepot.
2. Search for HP-UX 11i Security Containment. Read the product information Web page for the latest updates and release information.
3. Click Receive for Free>>.
4. Choose the correct version of HP-UX 11i Security Containment for your system.
5. Enter your registration information. Read and accept the Terms and Conditions and the Software License Agreement.
6. Click Download. Save the HP-UX 11i Security Containment bundle, SecurityExt, as a local file on your system. For example:
/tmp/<security_containment_bundle>.depot
NOTE: The name of the HP-UX 11i Security Containment bundle may change. Check Software Depot for the correct bundle name.
7. Verify that the depot file is saved on your system by using the following command:
# swlist -d @ /tmp/<security_containment_bundle>.depot
To install HP-UX 11i Security Containment, follow these steps:
1. Be sure your system meets all requirements, as described in “Prerequisites and System
Requirements”.
2. Download the HP-UX 11i Security Containment bundle from Software Depot as described in the previous procedure.
3. Log in to your system as the root user.
4. Install HP-UX 11i Security Containment by using the following command:
# swinstall -x autoreboot=true -s /tmp/<security_containment_bundle>.depot SecurityExt
5. Go on to “Verifying the HP-UX 11i Security Containment Installation”.

Verifying the HP-UX 11i Security Containment Installation

Verify the installation of HP-UX 11i Security Containment with the following steps:
1. Run the swverify command to ensure that the bundle installed correctly:
# swverify SecurityExt
If the installation is successful, many files are displayed and a success message appears after the verification is complete.
2. Run the swlist command to verify that all parts of HP-UX 11i Security Containment are
22 Installation
configured correctly on your system:
# swlist -a state -l fileset SecurityExt
If the product is configured correctly, each fileset is displayed as configured.

Installing HP-UX Role-Based Access Control

The followingprocedure describes how to install only HP-UX RBAC from the HP-UX 11i Security Containment bundle. To download and install HP-UX RBAC as a separate product, refer to the HP-UX RBAC Version B.11.23.04 Release Notes on http://docs.hp.com. To download and install the full HP-UX 11i Security Containment feature set, refer to “Installing HP-UX 11i Security
Containment”.
NOTE: If you have installed the full HP-UX 11i Security Containment feature set, you already have HP-UX RBAC installed.
To install HP-UX RBAC, follow these steps:
1. Be sure your system meets all requirements, as described in “Prerequisites and System
Requirements”.
2. Download the HP-UX 11i Security Containment bundle from Software Depot, as described in “Installing HP-UX 11i Security Containment”.
3. Log in to your system as the root user.
4. Install HP-UX RBAC by using the following command:
# swinstall -x autoreboot=true -s /tmp/<security_containment_bundle>.depot RBAC
5. Go on to “Verifying the HP-UX Role-Based Access Control Installation”.
NOTE: If you install HP-UX RBAC version B.11.23.02 on a system with version B.11.23.01 already installed, and you have modified the database files, the new version does not overwrite the database files.

Verifying the HP-UX Role-Based Access Control Installation

Verify the installation of HP-UX RBAC with the following steps:
1. Run the swverify command to ensure that the bundle installed correctly:
# swverify RBAC
If the installation is successful, many files are displayed and a success message appears after the verification is complete.
2. Run the swlist command to verify that all parts of HP-UX RBAC are configured correctly on your system:
# swlist -a state -l fileset RBAC
If the product is configured correctly, each fileset is displayed as configured.

Installing HP-UX Standard Mode Security Extensions

The followingprocedure describes howto install onlyHP-UX Standard Mode Security Extensions (SMSE) from the HP-UX 11i Security Containment bundle. To download and install HP-UX SMSE as a separate product, refer to the HP-UX Standard Mode Security Extensions B.11.23.02 Release Notes (part number 5991–8711) on http://docs.hp.com. To install the full HP-UX 11i Security Containment feature set, refer to “Installing HP-UX 11i Security Containment”.
NOTE: If you have installed the full HP-UX 11i Security Containment feature set, you already have HP-UX SMSE installed.
To install HP-UX Standard Mode Security Extensions, follow these steps:
Installing HP-UX Role-Based Access Control 23
1. Be sure your system meets all requirements, as described in “Prerequisites and System
Requirements”.
2. Download the HP-UX 11i Security Containment bundle from Software Depot, as described in “Installing HP-UX 11i Security Containment”.
3. Log on to your system as the root user.
4. Install HP-UX Standard Mode Security Extensions by using the following command:
# swinstall -x autoreboot=true -s /tmp/<security_containment_bundle>.depot TrustedMigration PHCO_32144 PHCO_32163 PHCO_32451
5. Go on to “Verifying the HP-UX Standard Mode Security Extensions Installation”.

Verifying the HP-UX Standard Mode Security Extensions Installation

Verify the installation of HP-UX SMSE with the following steps:
1. Run the swverify command to ensure that the bundle installed correctly:
# swverify TrustedMigration
If the installation is successful, many files are displayed and a success message appears after the verification is complete.
2. Run the swlist command to verify that all parts of HP-UX SMSE are configured correctly on your system:
# swlist -a state -l fileset TrustedMigration
If the product is configured correctly, each fileset is displayed as configured.

Uninstalling HP-UX 11i Security Containment

This section describes how to remove the HP-UX 11i Security Containment product from your system.
CAUTION: HP recommends that you leave the SecurityExt bundle on yoursystem. Removing the entire bundle will remove many patches from your system. Instead, remove only the software products as described in the following procedure.
NOTE: You must remove HP-UX 11i Security Containment before you remove HP-UX RBAC or HP-UX SMSE, or you must remove all components at the same time.
To remove HP-UX 11i Security Containment, follow these steps:
1. Log in to your system as the root user.
2. Remove HP-UX 11i Security Containment and all associated software by using the following command:
# swremove -x autoreboot=true TrustedMigration RBAC Containment
3. Use the swlist command to verifythat HP-UX 11i SecurityContainment and allassociated components were removed from the system.
The swlist command will not report HP-UX 11i Security Containment if it was successfully removed from the system.

Uninstalling HP-UX RBAC

To remove HP-UX RBAC from your system, follow these steps:
24 Installation
1. Log in to your system as the root user.
2. Remove HP-UX RBAC by using the following command:
# swremove RBAC
3. Use the swlist command to verify that HP-UX RBAC was removed from the system. The swlist command will not report HP-UX RBAC if it was removed from the system.
NOTE: You must remove HP-UX 11i Security Containment before you remove HP-UX RBAC or HP-UX SMSE, or you must remove all components at the same time.

Uninstalling HP-UX Standard Mode Security Extensions

To remove HP-UX Standard Mode Security Extensions from your system, follow these steps:
1. Log in to your system as the root user.
2. Remove HP-UX Standard Mode Security Extensions using the following command:
# swremove TrustedMigration
3. Use the swlist command to verify that HP-UX Standard Mode Security Extensions was removed from the system. The swlist command will not report HP-UX Standard Mode Security Extensions if it was removed from the system.
NOTE: You must remove HP-UX 11i Security Containment before you remove HP-UX RBAC or HP-UX SMSE, or you must remove all components at the same time.
Uninstalling HP-UX Standard Mode Security Extensions 25
26
Loading...
+ 58 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use