Evaluated Configuration for HP Tru64 UNIX Version 5.1A ITSEC E1

HP Tru64 UNIX Version 5.1A, July 2004

Version 1.1

© Copyright 2004 Hewlett-Packard Development Company, L.P.


This Best Practice contains the information necessary to configure the security features of the HP Tru64 UNIX Version 5.1A operating system to match the configuration used for the ITSEC (Information Technology Security Evaluation Criteria) level E1 certification. The evaluated release consists of HP Tru64 UNIX Version 5.1A configured as described in this Best Practice, combined with the evaluated release patch kits, ITSEC_E1_CERTIFICATION_T64V51A and ITSEC_E1_PATCH_T64V51A. The ITSEC_E1_CERTIFICATION_T64V51A.tar and ITSEC_E1_PATCH_T64V51A.tar patch kits are available from the HP IT Resource Center Patch Database Web page at

http://www.itrc.hp.com/service/patch/mainPage.do

You must register to use the HP IT Resource Center Web site. If you have not yet registered, do the following:

1.      Click on the word "register", on the above page

2.      Fill out the requested registration information

3.      Click on Next>>

4.      Fill out the personal profile information

5.      Click on Finish>>

6.      Make sure you remember your User ID and Password.

7.      Complete the registration process

8.      Wait for registration to be activated

To get the patch kits off of the support web site do the following:

1.      Enter your User ID and Password on the above page

2.      Click on login>>

3.      Under the heading ">> find individual patches" click on >> Tru64 UNIX

4.      Select OS revision "5.1A/TCR5.1A"

5.      Select Search by Keyword and "itsec"

6.      Click on Search>>

7.      The search should find two matches “ITSEC_E1_CERTIFICATION_T64V51A” and “ITSEC_E1_PATCH_T64V51A”.  Click on the box next to "ITSEC_E1_CERTIFICATION_T64V51A" and "ITSEC_E1_PATCH_T64V51A" in either the "Recommended" or "Most Recent" column.

8.      Click on add to selected patch list>>

9.      Click on download selected>>

10.     In the "download items individually" section click on FTP>>

11.     Use your browser to save the ITSEC_E1_CERTIFICATION_T64V51A.tar and the ITSEC_E1_PATCH_T64V51A.tar files on your system

See the HP Tru64 UNIX Best Practices documentation Web page for more information about other Best Practices documentation:

http://h30097.www3.hp.com/docs/best_practices/

Is This Best Practice Right for You?

This configuration document is required by ITSEC and might be of interest only to users who are required to replicate the environment under which the HP Tru64 UNIX Version 5.1A ITSEC E1 certification was granted. To use this Best Practice, you must meet the requirements described in the following table:

Operating System: HP Tru64 UNIX Version 5.1A

Patch Designation: ITSEC_E1_CERTIFICATION_T64V51A and ITSEC_E1_PATCH_T64V51A

Hardware: AlphaServer platforms 1000A, 2000, 2100, 2100A, 4000, 4100, 8200, 8400, DS10, DS10L, DS20, DS20E, ES40, ES45, GS60E, GS80, GS140, GS160, and GS320. The following platforms are limited to single partition use: GS80, GS160, and GS320.

System Configuration: The system must be configured exactly as described in this document.

Impact on Availability: This configuration produces a stand-alone system; that is, no network is available.

Access: The person performing the configuration needs root access to the system.

Before You Begin

Before you apply the Best Practice for Evaluated Configuration for HP Tru64 UNIX Version 5.1A ITSEC E1, you must thoroughly understand UNIX security and the enhanced security features of the HP Tru64 UNIX operating system as documented in the HP Tru64 UNIX Version 5.1A Security manual, including the implications of running in the ITSEC E1 configuration. The Security manual is included on your documentation CD-ROM and is also available from the HP Tru64 UNIX online documentation Web site:

http://h30097.www3.hp.com/docs/

To get to the HP Tru64 UNIX Version 5.1A Security manual from the HP Tru64 UNIX documentation Web site: Click on "Tru64 UNIX Operating System", then on "Tru64 UNIX Version 5.1A Online Documentation", then on "System & Network Management Documentation Bookshelf", then on either "HTML" or "PDF" next to "Security".

You should also review the HP Tru64 UNIX Version 5.1A installation procedures in the HP Tru64 UNIX Version 5.1A Installation Guide, which is included on your documentation CD-ROM and is also available from the HP Tru64 UNIX online documentation Web site.

To get to the HP Tru64 UNIX Version 5.1A Installation Guide from the HP Tru64 UNIX documentation Web site: Click on "Tru64 UNIX Operating System", then on "Tru64 UNIX Version 5.1A Online Documentation", then on "System & Network Management Documentation Bookshelf", then on either "HTML" or "PDF" next to "Installation Guide".

If you are not familiar with the HP patch process, see the HP IT Resource Center Patch Database Web page:

http://www.itrc.hp.com/service/patch/mainPage.do

and the Patch Kit Installation Instructions manual on the HP Tru64 UNIX operating system and TruCluster patch kit documentation web site:

http://h30097.www3.hp.com/docs/patch

To get to the Patch Kit Installation Guide from the HP Tru64 UNIX patch documentation site: Click on "HTML" or "PDF" next to "Patch Kit Installation Instructions".

For the purposes of conforming to the E1 evaluated configuration, information in this Best Practice document supersedes any referenced document.

Applying the Best Practice

The following procedure establishes the evaluated configuration for the HP Tru64 UNIX V5.1A ITSEC-certified systems. The procedure assumes you are installing HP Tru64 UNIX Version 5.1A and the ITSEC_E1_CERTIFICATION_T64V51A and the ITSEC_E1_PATCH_T64V51A patch kits from CD-ROMs. Because this evaluated configuration does not have a network, you may need to make your own patch kit CD-ROM on another machine by downloading the ITSEC_E1_CERTIFICATION_T64V51A.tar and the ITSEC_E1_PATCH_T64V51A.tar files from the HP Tru64 UNIX patch Web site, verifying their integrity as instructed, and copying the contents to separate subdirectories on your own CD-ROM.

Installing the Operating System

To perform a full installation of HP Tru64 UNIX Version 5.1A on a single supported AlphaServer system, do the following:

1.      From the console, boot the operating system CD-ROM using a command like the following:

     >>> boot dqa0

2.      Click OK for the English installation or select your preferred language.

3.      Click Next to continue.

4.      On the Host Information screen, enter the appropriate host name. The host name is the system name.

5.      Enter the current date and time; the date is in US format (MM-DD-YYYY). Enter time zone and location information if necessary. Click Next to continue.

6.      Enter a secure password for the root account. Click Next to continue.

7.      From the Software Selection menu, select Customize. Click Next to continue.

8.      From the Kernel Options menu, select Customize. Click Next to continue.

9.      From the Select File System Layout menu, accept the Default File System Layout or configure the file system layout you require and continue by clicking Next.

10.  Click Next again, if necessary, to go to the Installation Summary screen.

11.  On the Installation Summary screen, click Edit List next to the Software Subsets: Customize option. The Software Subsets: Edit List screen is displayed.

Select the following optional subsets, in addition to the mandatory subsets:

o    Reference Pages

     -    Admin/User

o    System Administration

     -    Enhanced Security

     -    Enhanced Security GUI

o    Text Processing

     -    Document Preparation Tools Extensions

Do not select or install any other optional subsets.

Note

When you accept the default file system layout (AdvFS) as the File System Type, the following subsets are installed as part of the mandatory subsets:

System Administration — AdvFS Commands

Kernel Build Environment — AdvFS Kernel Modules

12.  Click OK to continue.

13.  On the Installation Summary screen, click Finish.

14.  On the Ready to Begin Installation screen, click OK.

The installation continues and loads the software subsets onto the disk.

15.  After the subsets load, the system reboots. The Installation screen is then displayed, from which you can select the kernel options. Select the Audit Subsystem option and confirm your selection. Do not select any other options.

16.  When prompted to edit the configuration file, accept the default answer "n" by pressing the Enter key.

A new kernel is built and the system reboots with the new kernel.

Initial System Configuration and Security Related Setup

This section describes the initial system configuration and security related setup that must be done after the install.

1.      In the Login Window, enter the user name root and the password that you entered earlier. This action loads the Common Desktop Environment.

2.      From the Tru64 UNIX System Setup menu, select Custom Setup.

The Checklist applications are used to configure the system, while the Checklist itself maintains a record of the configuration applications that have been completed. Use the Custom Setup Checklist.

3.      On the Checklist, click License Manager.

4.      On the License Manager, click Edit/New to enter your Tru64 UNIX license information on the New License screen. Click OK to save the entry.

5.      On the Information screen, click OK to acknowledge that the entry has been registered and loaded.

6.      Repeat steps 4 and 5 for each new license.

7.      When you finish entering the licenses, click File/Exit.

8.      From the Checklist menu, choose Security Configuration. Do the following:

a.   Choose the ENHANCED system mode. Click Next to continue.

b.   Click Next on the next two screens to select CUSTOM profile and the preselected Custom Options and advance to the System Options screen.

c.   Click the check box next to Segment Sharing to clear it and disable segment sharing.

d.   Click the check box next to Enable Access Control Lists to set it and enable the access control lists. Click Next to continue.

e.   When prompted, change the root password. Click Next to continue.

f.   Click Next to skip the NIS option configuration.

g.   Click Finish. Click OK to complete Security configuration.

9.      From the Checklist menu, select the Audit Configuration Utility. Do the following:

a.   On the Welcome and Information screens, click Yes and click OK.

b.   Click Next to continue. This accepts the default destination for the audit data log.

c.   On the Action On Log File Space Exhaustion screen, select Halt the system from the pull-down list of possible actions. Click Next to continue.

d.   Click Next to continue and to accept the default lifespan for the audit log — forever.

e.   On the Advanced Audit Options screen, DO NOT change the Audit console message destination or configure any remote clients. Click Finish part one.

f.   On the Audit Event Information screen, click Yes to proceed to part two.

g.   On the Audit Event Category Selection screen, select all. Click Next.

h.   Click Next to continue and to accept all defaults on the Advanced User Audit Event screen.

i.   On the Advanced options screen: select Include argument list with an execv or execve system call; select Include failed login user names if they do not exist in the password database; select File Object selection. Click Finish.

j.   On the Audit Configuration Complete screen, ignore any warnings for No such file or directory and click OK.

10.  On the Custom Setup screen, click Exit.

11.  On the System Setup screen, click Exit.

12.  On the lower tool bar, click the up arrow above the icon of the pencil and paper.

13.  Select Terminal to open a window on your system.

14.  Enter the following command to set the audit events for the system:

     # /usr/sbin/rcmgr set AUDITMASK_FLAG "-s exec_argp:1 -s login_uname:1 -s obj_sel:1 < /etc/sec/audit_events"

15.  Set the user account constraints as described in the "Setting the User Account Controls" section below.

16.  Set the Graphical User Interface (GUI) to XDM as described in the "Setting X Window System Support" section below. The GUI will be set to xdm on the next reboot.

17.  Disable object reuse on all filesystems as described in the "Prevent Object Reuse" section below. Object reuse will be disabled for all filesystems on the next reboot.

18.  Enter the following command to shut down your system:

     # /sbin/shutdown -h now

19.  Enter the following command to configure the console to automatically boot directly into multi-user mode.

     >>> set auto_action BOOT

20.  For the hardware that supports boot authentication, use the set password console command to set the console password as described in "The set password Console Command" section below. Use the set secure console command to secure the console as described in the "The set secure Console Command" section below. This enables boot authentication on the system.

21.  For the hardware supporting a front panel keyswitch or keypush, the keyswitch or keypush must be placed in the secure position and the key removed. In this case, the hardware, including the front panel, must be located in a secure computer room with access restricted to trusted individuals with a need to access the hardware.

Installing the Patch Kits

This section explains how to install the ITSEC_E1_CERTIFICATION_T64V51A and the ITSEC_E1_PATCH_T64V51A patch kits.

To install the ITSEC_E1_CERTIFICATION_T64V51A patch kit do the following:

1.      For systems that support boot authentication, use the login console command to temporarily disable boot authentication as described in the "The login Console Command" section below. For systems that don't support boot authentication, insert the front panel keyswitch or keypush and turn it to the unsecure position.

2.      Enter the following command to reboot the system to single-user mode to prepare for installation of the ITSEC_E1_CERTIFICATION_T64V51A patch kit:

     >>> boot -fl s

3.      Enter the following command to prepare for installation of the ITSEC_E1_CERTIFICATION_T64V51A patch kit:

     # /sbin/bcheckrc

4.      From single-user mode, install the ITSEC_E1_CERTIFICATION_T64V51A patch kit for HP Tru64 UNIX Version 5.1A as described in the following steps. See the Patch Kit Installation Instructions manual for detailed information on the patch process.

Note

While the patch kit documentation instructs you to always use the latest available kit, only the ITSEC_E1_CERTIFICATION_T64V51A and the ITSEC_E1_PATCH_T64V51A patch kits and HP Tru64 UNIX Version 5.1A can be used for the evaluated configuration.

You can install the HP Tru64 UNIX Version 5.1A patch kits from the CD-ROM or from a local directory.

5.      Run the dupatch utility from the CD-ROM or your local directory and answer the prompts as follows:

     Top of patch distribution: ITSEC_E1_CERTIFICATION_T64V51A patch directory on the CD-ROM or your local disk.

     From the Main Menu, choose 1) Patch installation.

     From the Patch Installation Menu, choose 2) Check and install patches in single user mode.

     When prompted, Press the Enter key to page through the SPECIAL INSTRUCTIONs.

     When prompted, Do you want the patches to be reversible, answer "n".

     When prompted, Your Name, enter the name of the person doing the patch.

     After you enter your name, you are prompted to enter any notes about the operation that you want stored for future reference. Enter a string similar to the following: "installation of the ITSEC_E1_CERTIFICATION_T64V51A patch for the evaluated configuration". End your input with a period and press the Enter key.

     Selecting patches: You are asked to enter your choices or to press RETURN to display the next screen. Press the Enter key until the message, Or you may choose one of the following options, is displayed. Choose the option, All of the above.

     The installation lists the patches. When prompted, Is this correct, enter "y".

     Note that the patch kit contains patches for files in all subsets, including many not installed in this configuration. It is normal to see many of the following messages: The patch will not be installed.

     Press the Enter key to page through patches which failed in prerequisite testing.

     Action to take: 1) Proceed with the n patches that passed the check.

     When prompted, Do you have a pre-existing configuration file, enter "n".

     When prompted, Enter a name for the kernel configuration file. Accept the default.

     When prompted, Do you want to replace it, enter "y".

     When prompted to enter the Kernel options, select the Audit subsystem option.

     When prompted, Do you want to edit the configuration file, enter "n".

     The system displays the message Performing Kernel Build.

     Press Enter to page through the Special Instructions for patches installed.

     The message, A reboot is necessary to complete the patch installation, is displayed and you are prompted, Do you want to reboot the system now, enter "y".

     The patch log is at /var/adm/patch/log/session.log.

Installation of the ITSEC_E1_CERTIFICATION_T64V51A patch kit is now complete.

To install the ITSEC_E1_PATCH_T64V51A patch kit do the following:

6.      Enter the following command to shut down your system:

     # /sbin/shutdown -h now

7.      For systems that support boot authentication, use the login console command to temporarily disable boot authentication as described in the "The login Console Command" section below. For systems that don't support boot authentication, insert the front panel keyswitch or keypush and turn it to the unsecure position.

8.      Enter the following command to reboot the system to single-user mode to prepare for installation of the ITSEC_E1_PATCH_T64V51A patch kit:

     >>> boot -fl s

9.      Enter the following command to prepare for installation of the ITSEC_E1_PATCH_T64V51A patch kit:

     # /sbin/bcheckrc

10.    From single-user mode, install the ITSEC_E1_PATCH_T64V51A patch kit for HP Tru64 UNIX Version 5.1A as described in the following steps. See the Patch Kit Installation Instructions manual for detailed information on the patch process.

11.    Run the dupatch utility from the CD-ROM or your local directory and answer the prompts as follows:

     Top of patch distribution: ITSEC_E1_PATCH_T64V51A patch directory on the CD-ROM or your local disk.

     From the Main Menu, choose 1) Patch installation.

     From the Patch Installation Menu, choose 2) Check and install patches in single user mode.

     When prompted, Press the Enter key to page through the SPECIAL INSTRUCTIONs.

     When prompted, Do you want the patches to be reversible, answer "y".

     When prompted, Do you want to proceed with this installation with this setup, answer "y".

     When prompted, Your Name, enter the name of the person doing the patch.

     After you enter your name, you are prompted to enter any notes about the operation that you want stored for future reference. Enter a string similar to the following: "installation of the ITSEC_E1_PATCH_T64V51A patch for the evaluated configuration". End your input with a period and press the Enter key.

     Selecting patches: You are asked to enter your choices or to press RETURN to redisplay the screen. Choose the option, All of the above.

     When prompted, Is this correct, enter "y".

     Press Enter to page through the Special Instructions for patches installed.

     The patch log is at /var/adm/patch/log/session.log.

Installation of the ITSEC_E1_PATCH_T64V51A patch kit is now complete.

12.    Enter the following command to shut down your system:

     # /sbin/shutdown -h now

13.    For the hardware supporting a front panel keyswitch or keypush, the keyswitch or keypush must be placed in the secure position and the key removed. For hardware that supports boot authentication, boot authentication will automatically be re-enabled by the reboot.

14.    Enter the following command to boot the system:

     >>> boot

Evaluated Configuration Compatibility

An evaluated configuration consists only of HP Tru64 UNIX Version 5.1A and the ITSEC_E1_CERTIFICATION_T64V51A and ITSEC_E1_PATCH_T64V51A patch kits, installed on supported hardware, as described in this Best Practice. Including or deleting subsets, other than as described in this Best Practice, results in a configuration that does not conform to the E1 evaluated configuration. The addition of other patch kits or manually applied patches changes the evaluated configuration and invalidates the certification. Ensure that your system consists only of the specified HP Tru64 UNIX Version 5.1A and the ITSEC_E1_CERTIFICATION_T64V51A and ITSEC_E1_PATCH_T64V51A patch kits.

Postinstallation Instructions

Once configured, the system must be operated and maintained in accordance with the instructions, recommendations and guidance for secure operation as described in this document and the HP Tru64 UNIX Version 5.1A Security manual appendix E, C2 Level Security Configuration. Some of the procedures from that manual are additionally noted for your convenience in this document.  

For information on how the configuration can be verified to ensure conformance with the guidelines provided in this Best Practice, see the "Verifying the Evaluated Configuration" section below.

The above instructions result in a system configured to the following requirements:

·    User account requirements:

o         User account passwords must be at least eight characters in length.

o         User accounts must be required to have passwords.

o         Triviality checks must be enabled for user account passwords.

o         Each user name must map to a unique user ID (UID) and each group name must map to a unique group ID (GID), to enforce individual accountability.

·    Default audit locations must be used for the audit log.

·    The audit subsystem must be configured and enabled.

·    The audit subsystem must be configured such that audit data is not lost when the space for the audit log becomes full.

·    The root user is responsible for all administration tasks. The root account must be used only for performing administration tasks or in exceptional circumstances, as defined in the site security policy. Users empowered with root access are required to first log on using their own accounts and obtain root privileges through the su command. This procedure retains accountability of root actions.

·    Boot authentication must be enabled on the system for all systems with hardware that supports it. Boot authentication is not supported and is not claimed for hardware in the Alphaserver 8000 series and the GS series, which have a console keyswitch or keypush. For all other supported hardware, boot authentication is enabled via use of the SRM console commands. When boot authentication is enabled, the boot command will only allow a user to boot into multi-user mode from the default device. The setting of the default device is done automatically during installation of the HP Tru64 UNIX Version 5.1A operating system.

·    For the hardware supporting boot authentication, the console password must be set as described in "The set password Console Command" section below. Then, boot authentication must be enabled as described in "The set secure Console Command" section below. Access to the console password must be limited to trusted individuals. (Console passwords are supported on all Alphaserver models included in the evaluation except the AlphaServer 8000 and GS ranges.)

·    For the hardware supporting a front panel keyswitch or keypush, the keyswitch or keypush must be placed in the secure position and the key removed. In this case, the hardware, including the front panel, must be located in a secure computer room with access restricted to trusted individuals with a need to access the hardware.

·    Any person with access to the root password must have the appropriate security clearance and be adequately trained for the role.

·    Any person with the authority to issue privileged console commands must be informed of the responsibilities.

·    For computers with a console password:

o         The console password must always be set.

o         The password must be kept confidential.

o         Only personnel with the need to know should be given the password.

·    For computers with a front panel keyswitch or keypush:

o         The keyswitch or keypush must be in the following state at all times (except when maintenance requiring the use of privileged console commands is being performed):

-              The keyswitch or keypush must be left in the secure position.

-              The key must be removed and secured away from the computer.

o         Access to the key for the processor front panel must be limited to personnel with the need to know.

·    Access Control Lists (ACLs) for files containing authentication and audit data must be appropriately configured to protect them from unauthorized access.

·    Objects created by users must be protected by default from unauthorized access.

·    Standard UNIX permissions are used to provide default protections for objects created by users, and default ACL mechanisms are not used.

·    Object Reuse for all filesystem objects must be disabled. See the "Prevent Object Reuse" section below for information on disabling object reuse for all filesystems.

Procedures and Policies for Operating in the E1 Environment

This section discusses security policy considerations required to ensure secure operation. It also discusses the security implications of some operational changes you may choose to make. For more information, refer to the HP Tru64 UNIX Version 5.1A Security manual, appendix E, C2 Level Security Configuration. HP recommends that you periodically review the items listed in the "Postinstallation Instructions" section above and verify that the current system settings are in compliance.
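The periodic review recommended above can be partly scripted. The following is an added example, not HP's code or part of this Best Practice: read-only checks for three settings the procedure establishes, XLOGIN set to xdm, the three audit selections in AUDITMASK_FLAG, and ufs_object_safety = 1 in the ufs stanza of sysconfigtab. It assumes (the page does not state this) that rcmgr stores its variables in /etc/rc.config as shell assignments of the form NAME="value"; the files written by make_samples are constructed for the demonstration, and on a real system you would run the check functions against /etc/rc.config and /etc/sysconfigtab instead.

```shell
#!/bin/sh
# Added example, not part of the HP Best Practice: read-only checks of three
# settings the procedure establishes (XLOGIN=xdm, the AUDITMASK_FLAG audit
# selections, ufs_object_safety=1 in the ufs stanza).
# Assumption (not stated on the page): rcmgr keeps its variables in
# /etc/rc.config as shell assignments of the form NAME="value".
# The sample files written by make_samples are constructed for this demo.

# rcmgr_get FILE VAR: print the value of VAR from an rc.config-style file
# (last assignment wins, surrounding double quotes removed)
rcmgr_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"//; s/"$//'
}

# check_rc_config FILE: return 0 if XLOGIN and AUDITMASK_FLAG match the
# evaluated configuration; otherwise print each deviation and return 1
check_rc_config() {
    rc=0
    xlogin=$(rcmgr_get "$1" XLOGIN)
    [ "$xlogin" = "xdm" ] || { echo "XLOGIN is '$xlogin', expected xdm"; rc=1; }
    mask=$(rcmgr_get "$1" AUDITMASK_FLAG)
    for ev in exec_argp login_uname obj_sel; do
        case " $mask " in
            *" -s $ev:1 "*) ;;
            *) echo "AUDITMASK_FLAG lacks -s $ev:1"; rc=1 ;;
        esac
    done
    return $rc
}

# check_sysconfigtab FILE: return 0 only if the ufs: stanza itself contains
# ufs_object_safety = 1 (the same attribute in another stanza does not count)
check_sysconfigtab() {
    awk '
        /^[A-Za-z_][A-Za-z0-9_]*:[[:space:]]*$/ { in_ufs = ($1 == "ufs:") }
        in_ufs && /^[[:space:]]*ufs_object_safety[[:space:]]*=[[:space:]]*1[[:space:]]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# make_samples DIR: write constructed compliant and non-compliant samples
make_samples() {
    cat > "$1/rc.config.good" <<'EOF'
XLOGIN="xdm"
export XLOGIN
AUDITMASK_FLAG="-s exec_argp:1 -s login_uname:1 -s obj_sel:1 < /etc/sec/audit_events"
export AUDITMASK_FLAG
EOF
    cat > "$1/rc.config.bad" <<'EOF'
XLOGIN="cde"
export XLOGIN
AUDITMASK_FLAG="-s exec_argp:1 < /etc/sec/audit_events"
export AUDITMASK_FLAG
EOF
    cat > "$1/sysconfigtab.good" <<'EOF'
ufs:
        ufs_object_safety = 1
EOF
    # attribute present, but in the wrong stanza, and 0 in the right one
    cat > "$1/sysconfigtab.bad" <<'EOF'
generic:
        ufs_object_safety = 1

ufs:
        ufs_object_safety = 0
EOF
}

# Stand-alone demonstration against the constructed samples
demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    for f in rc.config.good rc.config.bad; do
        if check_rc_config "$d/$f"; then echo "$f: PASS"; else echo "$f: FAIL"; fi
    done
    for f in sysconfigtab.good sysconfigtab.bad; do
        if check_sysconfigtab "$d/$f"; then echo "$f: PASS"; else echo "$f: FAIL"; fi
    done
    rm -rf "$d"
}
demo
```

The sysconfigtab check is stanza-aware on purpose: a `ufs_object_safety = 1` line under some other subsystem's heading, or a `ufs:` stanza whose value is 0, must both be reported as deviations.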

Changing the System Time

Every audit event is recorded with a timestamp. Check the system time weekly. If the system time has changed so that it is not sufficiently accurate for you to evaluate the information in the audit logs, update the system time as follows:

1.      Shut down the system to single-user mode.

2.      Use the date(1) command to change the system time.

3.      If you have changed the time such that when you return the system to multiuser mode the audit logs will contain events that overlap existing events, you will have to move the current set of audit log files from the audit directory in order to preserve the sequence of events.

4.      Return the system to multi-user mode.

Recovering Audit Data After a System Crash

After a system crash, restart the system in single-user mode. Check to see if the audit logs have overflowed the audit log overflow threshold (the filesystem is more than 90 percent full). If necessary, free space on the filesystem before bringing the system to multiuser mode. If you must remove audit logs from the system to prevent the audit log overflow condition or for any other reason, the audit logs should be copied to secure removable media and stored in a secure location.

The audit data in memory at the time of the crash is automatically recovered and stored in /var/adm/crash/audit-data.{crash number}.  To view this data, copy the file to /var/audit, rename it auditlog.{system}.{next_in_sequence}, and view with /usr/sbin/audit_tool.  If there was no audit data present in memory at the time of the crash, the data file will not be created.
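Deciding whether the audit filesystem has crossed the overflow threshold, and how much must be freed before returning to multiuser mode, can be done from df output while still in single-user mode. The following is an added example, not part of this Best Practice or HP's code: it parses df -k style output for the mount point that holds the audit logs, reports whether its Capacity exceeds a threshold (90 percent here), and computes the kilobytes to free. The df output in SAMPLE_DF is constructed, as is the assumption that the audit logs live on a separate /var filesystem; on a real system pass the output of df -k /var/audit.

```shell
#!/bin/sh
# Added example, not part of the HP Best Practice: evaluate df -k output for the
# filesystem holding the audit logs against the overflow threshold described
# in the text. SAMPLE_DF is a constructed df -k listing, not captured output.

SAMPLE_DF='Filesystem       1024-blocks        Used   Available Capacity  Mounted on
root_domain#root      262144      201356       55184    79%    /
usr_domain#var       1048576      960000       80000    93%    /var'

# fs_fields DF_OUTPUT MOUNT: print "total_kb used_kb capacity_pct" for the row
# whose mount point is MOUNT (header row skipped); prints nothing if absent
fs_fields() {
    printf '%s\n' "$1" | awk -v mnt="$2" '
        NR > 1 && $NF == mnt { pct = $(NF-1); sub(/%/, "", pct); print $2, $3, pct; exit }'
}

# audit_fs_over_threshold DF_OUTPUT MOUNT THRESHOLD: return 0 if the reported
# Capacity exceeds THRESHOLD percent, 1 if not, 2 if MOUNT is not listed
audit_fs_over_threshold() {
    fields=$(fs_fields "$1" "$2")
    [ -n "$fields" ] || { echo "$2 not found in df output" >&2; return 2; }
    pct=${fields##* }          # last field: capacity without the % sign
    [ "$pct" -gt "$3" ]
}

# kb_to_free DF_OUTPUT MOUNT THRESHOLD: print the kilobytes that must be freed
# so used space is at most THRESHOLD percent of the filesystem size (0 if it
# already is); returns 2 if MOUNT is not listed
kb_to_free() {
    fields=$(fs_fields "$1" "$2")
    [ -n "$fields" ] || { echo "$2 not found in df output" >&2; return 2; }
    echo "$fields" | awk -v thr="$3" '{
        need = $2 - int($1 * thr / 100)
        v = (need > 0) ? need : 0
        print v
    }'
}

# Stand-alone demonstration on the constructed listing
for m in / /var; do
    if audit_fs_over_threshold "$SAMPLE_DF" "$m" 90; then
        echo "$m is over 90%: free at least $(kb_to_free "$SAMPLE_DF" "$m" 90) KB"
    else
        echo "$m is within the 90% threshold"
    fi
done
```

The "kilobytes to free" figure is computed from the 1024-blocks and Used columns rather than from the rounded Capacity percentage, so it gives a usable target even when Capacity reads exactly 90 or 91 percent.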

Auditing of Login Events for Individual Users

To audit login events on a per-user basis, the system administrator must enable auditing of login events at the system level.

Protection of Audit Logs

It is possible to configure audit logs to use other than the default locations. The default location for audit logs is adequately protected. If the default location for audit logs is not used, then the new location must be protected such that only the superuser can write to it.

Audit Log Overflow Thresholds

If the system is halted because the audit log threshold is set to a high number (for example, 99 percent) with an overflow action set to halt, then the superuser should verify the audit log overflow settings after the reboot. The audit log overflow settings can be altered to different values after the reboot.

Setting the User Account Controls

Set user account control defaults for all user accounts. By setting these values in the system default template, they will be applied to all users unless they are specifically overridden for an individual user.

To set values in the system default template from the dxaccounts GUI, proceed as follows:

     # /usr/bin/X11/dxaccounts

1.      From the View menu, select Local Templates.

2.      Double-click the Default icon.

3.      Click Security.

4.      Under Turn To, select Password Controls.

5.      Specify a value of at least 8 for Minimum Generated Length.

6.      Specify a value of at least 8 for Minimum Chosen Length.

7.      Under Turn To, select Password Options. Verify how a clear (unset) and a set option box appear on your system for this screen.  On some systems a box that is clear (unset) has light shading, a box that is set has dark shading.  On other systems a box that is set has a white tick-mark.  Some of the options may already be correctly clear or set.

8.      Set the box marked Password Required.

9.      Set the box marked User Chooses Own.

10.  Set the box marked System Generated.

11.  Set the box marked Random Characters.

12.  Set the box marked Random Letters.

13.  Set the box marked Triviality Checks.

14.  Click OK, then OK.

15.  From the Options menu, select General. Verify how a clear (unset) and a set option box appear on your system for this screen.  On some systems a box that is clear (unset) has light shading, a box that is set has dark shading.  On other systems a box that is set has a white tick-mark.  Some of the options may already be correctly clear or set.

16.  Clear the box marked Allow Duplicate User IDs.

17.  Clear the box marked Allow Duplicate Group IDs.

18.  Set the box marked Require Passwords for New Accounts.

19.  Click OK, and Accounts —> Close, to close dxaccounts and save the changes.
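Clearing Allow Duplicate User IDs and Allow Duplicate Group IDs stops dxaccounts from creating new collisions, but does not report accounts that already share an ID. The following is an added example, not HP's code or part of this Best Practice: it lists every UID that occurs more than once in a passwd-format file and every GID that occurs more than once in a group-format file. The passwd and group samples written by make_samples are constructed (the second UID-0 account and the two groups sharing GID 15 are deliberate); on a real system run check_unique_ids against /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example, not part of the HP Best Practice: find duplicate UIDs in a
# passwd-format file and duplicate GIDs in a group-format file, the condition
# that the individual-accountability requirement above rules out.
# The sample files written by make_samples are constructed for this demo.

# duplicate_ids FILE FIELD: for each numeric id in colon-separated FIELD that
# occurs on more than one line, print "id: name1 name2 ...". Lines beginning
# with + or - (NIS references) are skipped. Prints nothing if all are unique.
duplicate_ids() {
    awk -F: -v fld="$2" '
        NF >= fld && $1 !~ /^[+-]/ { count[$fld]++; names[$fld] = names[$fld] " " $1 }
        END { for (id in count) if (count[id] > 1) print id ":" names[id] }
    ' "$1" | sort -n
}

# check_unique_ids PASSWD GROUP: return 0 if every UID and GID is unique;
# otherwise print the duplicates and return 1
check_unique_ids() {
    rc=0
    dups=$(duplicate_ids "$1" 3)
    [ -z "$dups" ] || { echo "duplicate UIDs in $1:"; echo "$dups"; rc=1; }
    dups=$(duplicate_ids "$2" 3)
    [ -z "$dups" ] || { echo "duplicate GIDs in $2:"; echo "$dups"; rc=1; }
    return $rc
}

# make_samples DIR: write constructed passwd/group files, one compliant pair
# and one with a second UID-0 account and two groups sharing GID 15
make_samples() {
    cat > "$1/passwd.good" <<'EOF'
root:*:0:1:system PRIVILEGED account:/:/bin/sh
daemon:*:1:1:Mr Background:/:
alice:*:1000:15:constructed user:/usr/users/alice:/bin/sh
EOF
    cat > "$1/group.good" <<'EOF'
system:*:0:root
daemon:*:1:
users:*:15:alice
EOF
    cat > "$1/passwd.bad" <<'EOF'
root:*:0:1:system PRIVILEGED account:/:/bin/sh
daemon:*:1:1:Mr Background:/:
alice:*:1000:15:constructed user:/usr/users/alice:/bin/sh
backup:*:0:1:constructed second uid 0:/:/bin/sh
EOF
    cat > "$1/group.bad" <<'EOF'
system:*:0:root
users:*:15:alice
staff:*:15:
EOF
}

# Stand-alone demonstration against the constructed samples
demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    for set in good bad; do
        if check_unique_ids "$d/passwd.$set" "$d/group.$set"; then
            echo "$set: PASS"
        else
            echo "$set: FAIL"
        fi
    done
    rm -rf "$d"
}
demo
```

A second account with UID 0 is the case most worth catching: the audit subsystem records the UID, so two names mapping to UID 0 would make root actions unattributable.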

Setting a User's Password

When creating a new user account, the system administrator must always enter an initial password using the password selection information in Section 2.4 of the HP Tru64 UNIX Version 5.1A Security manual.

Setting X Window System Support

You must configure the X Windowing System (XDM) as your graphical interface instead of the Common Desktop Environment (CDE) on the evaluated system. Do the following to configure the system for XDM:

     # /usr/sbin/rcmgr set XLOGIN xdm

Once the configuration has been set, reboot the system for the changes to take effect.

Prevent Object Reuse

To prevent object reuse for all filesystems, enable object safety.

·    To enable object safety on each AdvFS filesystem (do this only once for each filesystem; the setting persists across reboots):

     # /sbin/chfsets -o objectsafety <domain_name> <fileset_name>

·    To enable object safety on all UFS Filesystems, create the file /etc/ufs_object_safety.stanza containing the text:

     ufs:

          ufs_object_safety = 1

Add the ufs_object_safety entry to the /etc/sysconfigtab file:

     # /sbin/sysconfigdb -a -f /etc/ufs_object_safety.stanza ufs

Object safety on UFS filesystems will not take effect until after the system has been rebooted.

Using the SRM Console

The SRM console is a command-line interface for access to the firmware features of the AlphaServer platforms. The SRM console code resides in a portion of the system flash ROMs.

The SRM is more suited as a troubleshooting tool than other consoles. During troubleshooting, you might need to switch to the SRM console to locate an otherwise unobtainable piece of information.

Console security features, which restrict access to certain console commands, are intended to prevent unauthorized users from modifying system parameters or otherwise tampering with the system from the console. The SRM console supports two modes:

·    Secure mode allows access only to specific console commands:

          >>> start

          >>> continue

          >>> boot (with stored default parameters)

          >>> login

·    User mode allows access to all SRM console commands.

Note

The security features work only if access to the system hardware is controlled. Be sure to keep the front panel of the system locked and the key secure.

The following sections document how to use the SRM console for security-relevant functions on the AlphaServer models that support boot authentication.

The set secure Console Command

Use the set secure command to enable boot authentication without restarting the SRM console.

·    If the console password has been set, the following results in access being limited to the start, continue, boot (with stored default parameters), and login commands:

          >>> set secure

          Console is secure. Please login.

          >>>

·    If the password has not been set, the console prompts you to set it:

          >>> set secure

          Secure not set. Please set the password.

          >>>

The set password Console Command

Use the set password command to set or change the SRM console password.

·    If the password has been set, the console prompts you for a new password and verification, then for the old password:

          >>> set password

          Please enter the password:

          Please enter the password again:

          Now enter the old password:

          >>>

Note

The password length must be a minimum of 15 and no more than 30 alphanumeric characters. Any characters after the 30th character are not stored.

·    If the validation password does not match the one previously set, the password does not change:

          >>> set password

          Please enter the password:

          Please enter the password again:

          Validation error

          >>>

·    If the password has not been set, the SRM console prompts you for a new password and verification:

          >>> set password

          Please enter the password:

          Please enter the password again:

          >>>

The login Console Command

Use the login command to turn off the console security features and gain access to all the SRM console commands during a particular session.

·    If a password has not been set when you enter the login command, you are prompted to optionally set it. Press the return key.

          >>> login

          Secure not set. Please set the password: <return>

          >>>

When the console prompt is displayed again, the console is no longer in secure mode.

·    If a password has been set when you enter the login command, you must enter the password at the prompt:

          >>> login

          Please enter the password: <return>

          >>>

If the password you enter matches the current password, the secure mode is turned off and all console commands can be used. You can then return to secure mode by initializing the system or entering the boot, continue, or start command.

·    If you forget the password, you can use the login command and the Halt switch to clear the password as follows:

o         Check that the Halt switch is off.

o         Enter the login command.

o         When the Enter Password: prompt is displayed, press the Halt switch, then press the Return key.

o         Set the Halt switch to off.

The password is now cleared and the secure mode cannot be reinstated until you set a new password.

Note

If you leave the Halt switch on after you clear the password, the system will not boot.

The clear password Console Command

The clear password command clears the password environment variable and sets it to zero. Use this command when you want access to all SRM console commands but the system is in secure mode. To use the clear password command, you must know the current password.

          >>> clear password

          Please enter the password: <return>

          Password successfully cleared

          >>>

If you do not know the password, see the section "The login Console Command" above.

Verifying the Evaluated Configuration

After you apply the Best Practice for Evaluated Configuration, you can verify whether it was successful.

The following procedure describes how to verify that your system conforms to the evaluated configuration.

·    To verify that HP Tru64 UNIX Version 5.1A is installed on the system:

          # sizer -v

The following should be displayed:

          Compaq Tru64 UNIX V5.1A (Rev. 1885); <date of kernel build>

·    To verify that security is set to enhanced, enter the following command line:

          # /usr/sbin/rcmgr get SECURITY

The following should be displayed:

          ENHANCED

·    To verify that segment sharing is disabled, enter the following command line:

          # /sbin/sysconfig -q vm | grep segmentation

The following should be displayed:

          vm_segmentation = 0

·    To verify that Access Control Lists are enabled, enter the following command line:

          # /sbin/sysconfig -q sec | grep acl

The following should be displayed:

          acl_mode = enable

·    To verify that auditing is configured properly, enter the following command line:

          # /usr/sbin/rcmgr get AUDITMASK_FLAG

The following should be displayed:

           -s exec_argp:1 -s login_uname:1 -s obj_sec:1 < /etc/sec/audit_events

·    To verify that auditing is running, enter the following command line:

          # ps ax | grep auditd

The ps output should show that the auditd process is running.

·    To verify the audit events being audited, enter the following command:

          # /usr/sbin/auditmask

The displayed list of events should match those in the /etc/sec/audit_events file.

·    To verify that the default audit log location (/var/audit/auditlog.nnn) is in use, enter the following command:

          # /usr/sbin/auditd -q

·    To verify that audit data will not be lost when the space for the audit log becomes full and that auditing of remote events is not enabled, enter the following command:

          # /usr/sbin/auditd -w

The action to take on overflow should be to halt the system.

The network audit server status should be off.

·    To verify that the proper defaults are set up for user accounts enter the following command:

          # /usr/sbin/edauth -g -d d default

The system default template should include, but is not limited to, the following entries. These entries are described on the prpasswd man page.

          u_minlen#8

          u_minchosen#8

          u_nullpw@

          u_pickpw

          u_genpwd

          u_genchars

          u_genletters

          u_restrict

·    To verify that triviality checks are enabled:

o         Use /usr/bin/X11/dxaccounts to create an unprivileged user account.

o         Log in to the account.

o         Attempt to set the password to "password" or some common English word. These passwords should be rejected.

·    To verify that minimum password length is set to 8, log in as an unprivileged user and attempt to change the password to a seven-character password.

·    To verify that xdm is selected as the GUI, enter the following command line:

          # /usr/sbin/rcmgr get XLOGIN

The following should be displayed:

          xdm

·    To check that object safety is enabled on AdvFS Filesystems, do the following for each filesystem:

          # /sbin/chfsets <domain_name> <fileset_name>

"Object Safety" should be "on".

·    To check that object safety is enabled on all UFS Filesystems:

          # /sbin/sysconfig -q ufs | grep object

The following should be displayed:

          ufs_object_safety = 1

·    To verify that all patches installed on the system came from the ITSEC_E1_CERTIFICATION_T64V51A and ITSEC_E1_PATCH_T64V51A patch kits:

          # /usr/sbin/dupatch

          Enter your choice: 4 (Patch Tracking)

          Enter your choice: 3 (List patch kit information on installed patches)

          Enter your choice: 3 (List all kit information)

The following patch kits should be listed:

          - T64V15AB24AS0006-20031031 OSF520

          - T64KIT0022794-V51AB24-20040629 OSF520

No other patch kits should be listed.

·    To verify that the list of patches installed is the same as originally installed from the two patch kits:

          # /usr/sbin/dupatch

          Enter your choice: 4 (Patch Tracking)

          Enter your choice: 1 (List installed patches)

          Enter your choice: 3 (List all patches)

Check that the list of patches is the same as that in the /var/adm/patch/log/event.log file. The event.log file lists the patches in the form OSFPAT0nnnnnnn520, where nnnnnnn corresponds to the patch number nnnnn.nn.
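The following POSIX sh script is an added example and is not part of this Best Practice or an HP-supplied tool. It runs the scriptable checks from this section (sizer, rcmgr, sysconfig, edauth and ps) on the evaluated system and compares their output with the expected values listed above, so the conformance check can be repeated and its result recorded. The command paths and expected strings are taken from this section; the function names, the --run flag and the file name verify_e1.sh are assumptions of the example. The dupatch, dxaccounts and console-based checks remain manual steps.

```shell
#!/bin/sh
# Added example, not part of the HP Best Practice: a POSIX sh checklist that
# runs the scriptable commands from "Verifying the Evaluated Configuration"
# and compares their output with the expected values the text gives. Command
# paths and expected strings come from the document; the helper functions,
# their names and the --run flag are assumptions of this example.

# Compare an actual value with the expected one. Prints a verdict line and
# returns 0 on match, 1 on mismatch, so callers can count failures.
check_value() {
    name=$1; expected=$2; actual=$3
    if [ "$actual" = "$expected" ]; then
        printf 'PASS %-20s %s\n' "$name" "$actual"; return 0
    fi
    printf 'FAIL %-20s expected "%s", got "%s"\n' "$name" "$expected" "$actual"
    return 1
}

# Same, but the expected string only has to be a prefix of the actual one
# (sizer -v ends with the kernel build date, which differs per system).
check_prefix() {
    name=$1; prefix=$2; actual=$3
    case $actual in
        "$prefix"*) printf 'PASS %-20s %s\n' "$name" "$actual"; return 0 ;;
    esac
    printf 'FAIL %-20s expected prefix "%s", got "%s"\n' "$name" "$prefix" "$actual"
    return 1
}

# Remove leading and trailing whitespace from a string.
trim() { printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'; }

# Return only the value of a "name = value" line as printed by sysconfig -q.
kv_value() { trim "${1#*=}"; }

# Check that edauth -g output contains every default-template entry the text
# lists. Entries are ":"-separated and may be split over backslash-continued
# lines, so the text is flattened first. Prints each missing entry and
# returns 1 if any is missing.
missing_template_entries() {
    flat=$(printf '%s' "$1" | tr -d ' \t\\\n')
    missing=0
    for entry in 'u_minlen#8' 'u_minchosen#8' 'u_nullpw@' u_pickpw u_genpwd \
                 u_genchars u_genletters u_restrict; do
        case ":$flat:" in
            *":$entry:"*) ;;
            *) echo "$entry"; missing=$((missing + 1)) ;;
        esac
    done
    [ "$missing" -eq 0 ]
}

# Run a command only if it exists on this host; otherwise report a skip and
# return 2 so the caller neither passes nor fails that check.
run_or_skip() {
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>/dev/null
        return $?
    fi
    echo "SKIP $1 not found on this host" >&2
    return 2
}

# Run the checks and return the number of failures (0 means conformant).
verify_evaluated_config() {
    failures=0
    v=$(run_or_skip sizer -v) &&
        { check_prefix sizer "Compaq Tru64 UNIX V5.1A (Rev. 1885)" "$v" || failures=$((failures + 1)); }
    v=$(run_or_skip /usr/sbin/rcmgr get SECURITY) &&
        { check_value SECURITY ENHANCED "$(trim "$v")" || failures=$((failures + 1)); }
    v=$(run_or_skip /sbin/sysconfig -q vm | grep segmentation) &&
        { check_value vm_segmentation 0 "$(kv_value "$v")" || failures=$((failures + 1)); }
    v=$(run_or_skip /sbin/sysconfig -q sec | grep acl) &&
        { check_value acl_mode enable "$(kv_value "$v")" || failures=$((failures + 1)); }
    v=$(run_or_skip /usr/sbin/rcmgr get AUDITMASK_FLAG) &&
        { check_value AUDITMASK_FLAG '-s exec_argp:1 -s login_uname:1 -s obj_sec:1 < /etc/sec/audit_events' "$(trim "$v")" ||
          failures=$((failures + 1)); }
    v=$(run_or_skip /usr/sbin/rcmgr get XLOGIN) &&
        { check_value XLOGIN xdm "$(trim "$v")" || failures=$((failures + 1)); }
    v=$(run_or_skip /sbin/sysconfig -q ufs | grep object) &&
        { check_value ufs_object_safety 1 "$(kv_value "$v")" || failures=$((failures + 1)); }
    if v=$(run_or_skip /usr/sbin/edauth -g -d d default); then
        if missing_template_entries "$v" >/dev/null; then
            printf 'PASS %-20s all listed entries present\n' default_template
        else
            printf 'FAIL %-20s missing entries:\n' default_template
            missing_template_entries "$v"; failures=$((failures + 1))
        fi
    fi
    # "ps ax | grep auditd" also matches the grep itself, so filter that out.
    if ps ax 2>/dev/null | grep auditd | grep -v grep >/dev/null; then
        printf 'PASS %-20s running\n' auditd
    else
        printf 'FAIL %-20s not running\n' auditd; failures=$((failures + 1))
    fi
    return $failures
}

# Invoke as "sh verify_e1.sh --run" (file name assumed) on the evaluated system.
case ${1:-} in --run) verify_evaluated_config ;; esac
```

Run it as root on the evaluated system; the exit status is the number of failed checks, so it can be kept with the conformance record. A command that is absent from the host is reported as SKIP rather than FAIL, values are trimmed before comparison so a stray leading space in /etc/rc.config does not produce a false failure, and the template check compares whole ":"-delimited entries, so a disabled flag such as u_pickpw@ is correctly reported as not matching u_pickpw.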

Comments and Questions

We value your comments and questions on the information in this document. Please mail your comments to us at this address:

best_practices@zk3.dec.com

Legal Notice

UNIX® and The Open Group™ are trademarks of The Open Group™ in the U.S. and/or other countries. All other product names mentioned herein may be trademarks of their respective companies.

Confidential computer software. Valid license from HP and/or its subsidiaries required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Neither HP nor any of its subsidiaries shall be liable for technical or editorial errors or omissions contained herein. The information is provided "as is" without warranty of any kind and is subject to change without notice. The warranties for HP products are set forth in the express limited warranty statements accompanying such products. Nothing herein should be construed as constituting an additional warranty.