TRANSCRIPT
GAYLORD TEXAN RESORT – LAKE GRAPEVINE, TEXAS
CONFERENCE – OCTOBER 21-22, 2004
PRE-CONFERENCE TRAINING – OCTOBER 18-19, 2004
GOLF TOURNAMENT & ACTIVITIES – OCTOBER 20, 2004
FORUM TOPICS
HP-UX UNIX Security
Sharing files in HP-UX UNIX with Windows
ExcaliburEDGE Password Validation
Presenter
Rod Hunley, Excalibur Systems Support Manager
P2 Energy Solutions, 303.292.0990
STS Staff
• Tony Castillo
• Jim Cannon
• Rod Hunley
• Byron Ward
• Kham Laychaypha
OVERVIEW
• HP-UX UNIX Security
  • Importance of security
  • Definitions
  • HP-UX with un-trusted mode
  • HP-UX with shadow passwords
  • HP-UX with TCB (trusted mode)
  • HP-UX & PAM/NTLM
  • HP-UX & TCB & PAM/NTLM
• Sharing files in HP-UX UNIX with Windows
  • SAMBA
  • CIFS/9000
• ExcaliburEDGE Password Validation
  • Setups
  • Password Validation Options
• References
HP-UX UNIX Security
• Importance of security
• Protect corporate information from:
  – theft, corruption, or unauthorized access
• Comply with internal IT standards
• Comply with Sarbanes-Oxley (SOX) audits
HP-UX UNIX Security
• Definitions
• What is a login?
  • The UNIX program which reads and verifies a user's user name and password and starts an interactive session
• Why is a user name important?
  • Only authenticated users are allowed access to the UNIX server
  • Access to programs/files is based on user names and groups
• How does the verification work?
  • The entered user name is looked up in a list of names in a system file; the entered password is then encrypted with the salt of the stored entry and the result is compared with the encrypted password stored in a system file (the clear-text password itself is never stored)
HP-UX (un-trusted mode)
• Un-trusted mode is the standard delivery on HP-UX servers
• Concept: authenticate & validate against the /etc/passwd file
HP-UX (un-trusted mode)
• /etc/passwd file structure (colon delimited)
  • username
  • encrypted password
  • user number (UID)
  • group number (GID)
  • 4 optional text fields separated by commas (the GECOS/comment field)
  • user's home directory
  • startup shell
#cat /etc/passwd
root:/.57wLPQp2cV6:0:3::/:/sbin/ksh
rootlike:/.57wLPQp2cV6:0:3::/:/sbin/ksh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
nobody:*:-2:-2::/:
www:*:30:1::/:
webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
smbnull:*:101:101:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
opc_op:*:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
unidata:CuRdujgUu53qA:200:200:,,,:/home/unidata:/usr/bin/ksh
HP-UX (un-trusted mode)
Ownership & permissions of important files
Issues with this security setup
• The encrypted password is in a world-readable file
• It is possible that the file would be read and the passwords "cracked"
#ls -la /etc/passwd
-r--r--r-- 1 root sys 818 Aug 20 15:39 /etc/passwd
HP-UX with shadow passwords
Concept: move the encrypted passwords to a file that is secure (readable only by root)
Requirements: HP-UX 11.11 (11i) only
Implementation: install the HP-supplied software bundle, run the conversion program, reboot
HP-UX with shadow passwords
Verification of a shadow password bundle installation
#swlist
# Initializing...
# Contacting target "siafu.petroleumplace.com"...
#
# Target:  siafu.petroleumplace.com:/
#
#
# Bundle(s):
#
...
  ShadowPassword   B.11.11.01   HP-UX 11.11 Shadow Password Bundle.
HP-UX with shadow passwords
Structure of /etc/passwd with shadow passwords: the encrypted password is moved to /etc/shadow and replaced with an "x"
#cat /etc/passwd (after conversion)
root:x:0:3::/:/sbin/ksh
rootlike:x:0:3::/:/sbin/ksh
daemon:x:1:5::/:/sbin/sh
bin:x:2:2::/usr/bin:/sbin/sh
sys:x:3:3::/:
adm:x:4:4::/var/adm:/sbin/sh
uucp:x:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:x:9:7::/var/spool/lp:/sbin/sh
nuucp:x:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:x:27:1:ALLBASE:/:/sbin/sh
nobody:x:-2:-2::/:
www:x:30:1::/:
webadmin:x:40:1::/usr/obam/server/nologindir:/usr/bin/false
smbnull:x:101:101:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
opc_op:x:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
unidata:x:200:200:,,,:/home/unidata:/usr/bin/ksh
#ls -la /etc/passwd
-r--r--r-- 1 root sys 818 Aug 20 15:39 /etc/passwd
#ls -la /etc/shadow
-r-------- 1 root sys 470 Aug 20 15:39 /etc/shadow
#cat /etc/shadow
root:/.57wLPQp2cV6:12650::::::
rootlike:/.57wLPQp2cV6:12650::::::
daemon:*:12650::::::
bin:*:12650::::::
sys:*:12650::::::
adm:*:12650::::::
uucp:*:12650::::::
lp:*:12650::::::
nuucp:*:12650::::::
hpdb:*:12650::::::
nobody:*:12650::::::
www:*:12650::::::
webadmin:*:12650::::::
smbnull:*:12650::::::
opc_op:*:12650::::::
unidata:CuRdujgUu53qA:12650::::::
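The un-trusted and shadow-password listings above are what an auditor actually inspects, so here is an added example (not code from the presentation) that parses both formats and reports the problems visible in them: a real hash sitting in the world-readable /etc/passwd, a second UID 0 account, two accounts sharing one hash, and, after conversion, an "x" entry with no matching /etc/shadow row. The sample input is copied from the slides and embedded so the script runs offline; field meanings are those of passwd(4) and shadow(4).

```python
"""Audit the /etc/passwd and /etc/shadow formats shown on the slides.

Added example, not code from the original presentation.  The sample input is
a copy of the listings on the slides (constructed inline so the script runs
offline); field meanings follow passwd(4) and shadow(4).
"""
from datetime import date, timedelta

# Un-trusted mode: the hashes live in the world-readable /etc/passwd.
UNTRUSTED_PASSWD = """\
root:/.57wLPQp2cV6:0:3::/:/sbin/ksh
rootlike:/.57wLPQp2cV6:0:3::/:/sbin/ksh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
nobody:*:-2:-2::/:
webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
unidata:CuRdujgUu53qA:200:200:,,,:/home/unidata:/usr/bin/ksh
"""

# After the shadow conversion: passwd carries "x", /etc/shadow holds the hash.
SHADOW_PASSWD = """\
root:x:0:3::/:/sbin/ksh
rootlike:x:0:3::/:/sbin/ksh
daemon:x:1:5::/:/sbin/sh
unidata:x:200:200:,,,:/home/unidata:/usr/bin/ksh
"""
SHADOW = """\
root:/.57wLPQp2cV6:12650::::::
rootlike:/.57wLPQp2cV6:12650::::::
daemon:*:12650::::::
unidata:CuRdujgUu53qA:12650::::::
"""

PASSWD_FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "pw", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "flag")


def parse_colon_file(text, fields):
    """Split a colon-delimited password-style file into dicts, one per line."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"expected {len(fields)} fields: {line!r}")
        rows.append(dict(zip(fields, parts)))
    return rows


def is_hash(pw):
    """True when the field holds a crypt(3) hash rather than a placeholder."""
    return pw not in ("", "x", "*")


def audit_passwd(passwd_text):
    """Return findings keyed by check name; each value is a sorted list of accounts."""
    rows = parse_colon_file(passwd_text, PASSWD_FIELDS)
    findings = {"hash_in_passwd": [], "null_password": [],
                "extra_uid0": [], "shared_hash": []}
    by_hash = {}
    for r in rows:
        if is_hash(r["pw"]):
            findings["hash_in_passwd"].append(r["name"])   # crackable offline
            by_hash.setdefault(r["pw"], []).append(r["name"])
        if r["pw"] == "":
            findings["null_password"].append(r["name"])    # login with no password
        if int(r["uid"]) == 0 and r["name"] != "root":
            findings["extra_uid0"].append(r["name"])       # a second root
    for names in by_hash.values():
        if len(names) > 1:                                  # same password on two accounts
            findings["shared_hash"].extend(names)
    return {k: sorted(v) for k, v in findings.items()}


def audit_shadow(passwd_text, shadow_text):
    """Cross-check: every 'x' needs a shadow row, and no hash may remain in passwd."""
    passwd = parse_colon_file(passwd_text, PASSWD_FIELDS)
    shadow = {r["name"] for r in parse_colon_file(shadow_text, SHADOW_FIELDS)}
    problems = []
    for r in passwd:
        if is_hash(r["pw"]):
            problems.append(f"{r['name']}: hash still in /etc/passwd")
        elif r["pw"] == "x" and r["name"] not in shadow:
            problems.append(f"{r['name']}: no /etc/shadow entry")
    return problems


def lastchg_date(days):
    """shadow(4) lastchg is the day count since 1970-01-01."""
    return date(1970, 1, 1) + timedelta(days=int(days))


if __name__ == "__main__":
    print(audit_passwd(UNTRUSTED_PASSWD))
    print(audit_passwd(SHADOW_PASSWD))
    print(audit_shadow(SHADOW_PASSWD, SHADOW))
    print(lastchg_date(12650))   # the slide's lastchg value
```

On the slide's own data the un-trusted file yields three exposed hashes (root, rootlike, unidata), one extra UID 0 account (rootlike) sharing root's hash; after conversion the same checks come back clean and the lastchg value 12650 decodes to the conversion date shown in the ls output.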
HP-UX with TCB (Trusted Mode)
What is TCB?
The Hewlett-Packard C2-level trusted system consists of the HP-UX operating system configured in trusted mode and its commands, utilities, and subsystems along with supported hardware. This results in a system designed to meet the criteria of a C2-level trusted system, as described in Section 2.2 of the Department of Defense Trusted Computer System Evaluation Criteria, DOD 5200.28-STD, December 1985, and the E3/FC2 security level as defined by the Information Technology Security Evaluation Criteria (ITSEC) established by the European Community.
HP-UX with TCB (Trusted Mode)
Why is TCB better than an un-trusted system or a shadow password system?
• Provides more stringent password authentication and system auditing
• Terminal access control
• Time-based access controls
HP-UX with TCB (Trusted Mode)
How is it implemented?
• An understanding of the trusted system structure
• A lot of planning
• Train support personnel
• Run SAM to convert the system to TCB
• Be prepared initially for questions/problems
HP-UX with TCB (Trusted Mode)
The encrypted password is moved (into the protected password database under /tcb) and replaced with an "*"
#cat /etc/passwd (after conversion to trusted system)
root:*:0:3::/:/sbin/ksh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
www:*:30:1::/:
webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
smbnull:*:103:103:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
opc_op:*:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
tftp:*:510:8:Trivial FTP user:/usr/tftpdir:/usr/bin/false
nsmail:*:110:101:NetScape Mail,,,:/home/nsmail:/usr/bin/sh
mailsrv:*:102:101:Netscape Mail Server,,,:/home/mailsrv:/usr/bin/sh
unidata:*:204:200:unidata user:/home/unidata:/usr/bin/ksh
HP-UX with TCB (Trusted Mode)
#ls -ld /tcb
dr-xr-x--x 3 root sys 96 Apr 29 13:36 /tcb
#ls -ld /tcb/files
drwxrwx--x 3 root sys 96 Apr 29 13:36 /tcb/files
#ls -ld /tcb/files/auth
drwxrwx--x 55 root sys 1024 Apr 29 13:36 /tcb/files/auth
#cd /tcb/files/auth
#ls
A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
system
#ls -ld /tcb/files/auth/u
drwxrwx--- 2 root sys 96 Aug 20 21:30 u
HP-UX with TCB (Trusted Mode)
#cd u
#ls -la
total 8
drwxrwx---   2 root  sys     96 Aug 20 21:30 .
drwxrwx--x  55 root  sys   1024 Apr 29 13:36 ..
-rw-rw-r--   1 root  root   210 Aug 20 21:30 unidata
-rw-rw-r--   1 root  root   151 Apr 29 13:36 ursetta
-rw-rw-r--   1 root  root   126 Apr 29 13:36 uucp
#cat unidata
unidata:u_name=unidata:u_id#204:\
        :u_pwd=P36658YzF7/z6:\
        :u_auditid#22:\
        :u_auditflag#1:\
        :u_pswduser=unidata:u_suclog#1083267371:u_unsuclog#1093059008:u_unsuctty=pts/ta:\
        :u_numunsuclog#6:u_lock@:chkent:
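The protected-password entry above is where trusted mode keeps the hash together with the login history that an un-trusted or shadow system does not record. As an added example (not code from the presentation), the following parser reads that entry and turns it into something an administrator can act on: last successful and unsuccessful login times, the tty of the last failure, the failure count, and whether the account is administratively locked. The entry is the one from the slide; the field conventions (name=string, name#number, a bare name for a true flag, name@ for a false flag, chkent closing the entry, backslash continuation) are those of HP-UX prpwd(4) as understood here, and the failure threshold of 5 is this example's choice.

```python
"""Parse a protected-password entry from /tcb/files/auth/<letter>/<user>.

Added example, not from the presentation.  TCB_ENTRY is the entry shown on
the slide.  Field conventions follow prpwd(4) as understood here:
name=string, name#number, bare name = true flag, name@ = false flag,
"chkent" terminates the entry, and "\\<newline>" continues a line.
"""
from datetime import datetime, timezone

TCB_ENTRY = r"""unidata:u_name=unidata:u_id#204:\
        :u_pwd=P36658YzF7/z6:\
        :u_auditid#22:\
        :u_auditflag#1:\
        :u_pswduser=unidata:u_suclog#1083267371:u_unsuclog#1093059008:u_unsuctty=pts/ta:\
        :u_numunsuclog#6:u_lock@:chkent:
"""


def parse_tcb_entry(text):
    """Return (user, fields); fields maps u_* names to str, int or bool."""
    # Drop the "\<newline>" continuations, then split the record on ':'.
    record = text.replace("\\\n", "").replace("\n", "")
    tokens = [t.strip() for t in record.split(":")]
    user, body = tokens[0], tokens[1:]
    fields = {}
    for tok in body:
        if tok == "":
            continue                      # empty token from "...:\<nl> :..."
        if tok == "chkent":
            break                         # end-of-entry marker
        if "=" in tok:                    # string field
            key, value = tok.split("=", 1)
            fields[key] = value
        elif "#" in tok:                  # numeric field
            key, value = tok.split("#", 1)
            fields[key] = int(value)
        elif tok.endswith("@"):           # boolean flag, false
            fields[tok[:-1]] = False
        else:                             # boolean flag, true
            fields[tok] = True
    return user, fields


def epoch_utc(seconds):
    """u_suclog / u_unsuclog are seconds since the epoch."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def login_report(fields, max_failures=5):
    """Summarise the login-history fields an administrator would look at.

    max_failures is this example's threshold, not an HP-UX default.
    """
    report = {
        "locked": fields.get("u_lock", False),
        "last_success": epoch_utc(fields["u_suclog"]) if "u_suclog" in fields else None,
        "last_failure": epoch_utc(fields["u_unsuclog"]) if "u_unsuclog" in fields else None,
        "failure_tty": fields.get("u_unsuctty"),
        "failures": fields.get("u_numunsuclog", 0),
    }
    report["over_threshold"] = report["failures"] >= max_failures
    return report


if __name__ == "__main__":
    user, fields = parse_tcb_entry(TCB_ENTRY)
    print(user, fields)
    print(login_report(fields))
```

For the slide's entry the decoded timestamps line up with the directory listings: the last successful login falls on Apr 29 (the mtime of /tcb/files/auth) and the last of six failures on Aug 20 at 21:30 local time (the mtime of the unidata file), and u_lock@ means the account is not locked despite those failures.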
HP-UX & PAM/NTLM
What is PAM?
The pluggable authentication module (PAM) framework provides the ability to incorporate multiple authentication mechanisms into an existing system through the use of pluggable modules. The PAM framework consists of a library, pluggable modules, and a configuration file. "Out-of-the-box" HP-UX PAM is set up to perform UNIX authentication; however, other types can be plugged in, for example NTLM and Kerberos 5, as used by Windows Active Directory.
Concept: authenticate UNIX logins against Windows Active Directory, not the UNIX password files
HP-UX & PAM/NTLM
• What are the prerequisites?
  • CIFS/9000 (Samba) must be:
    • installed
    • running in Domain Authentication mode
    • the UNIX server must have joined the Domain
  • The UNIX /etc/passwd file still has to exist, and new users must still be created on the UNIX server
    • Whether the UNIX password is also checked depends upon the combination of sufficient vs. required entries in /etc/pam.conf
• How is it implemented?
  • Replace and configure the /etc/pam.conf file
HP-UX & PAM/NTLM
Sample /etc/pam.conf
# cat /etc/pam.conf
#
# PAM Configuration
#
# Account Management
#
dtaction   account   required    /usr/lib/security/libpam_unix.1
dtlogin    account   required    /usr/lib/security/libpam_unix.1
ftp        account   required    /usr/lib/security/libpam_unix.1
login      account   sufficient  /usr/lib/security/libpam_ntlm.1
login      account   required    /usr/lib/security/libpam_unix.1
su         account   required    /usr/lib/security/libpam_unix.1
OTHER      account   required    /usr/lib/security/libpam_unix.1
#
# Authentication Management
#
dtaction   auth      required    /usr/lib/security/libpam_unix.1
dtlogin    auth      required    /usr/lib/security/libpam_unix.1
ftp        auth      required    /usr/lib/security/libpam_ntlm.1
login      auth      sufficient  /usr/lib/security/libpam_ntlm.1
login      auth      required    /usr/lib/security/libpam_unix.1 try_first_pass
su         auth      required    /usr/lib/security/libpam_unix.1
OTHER      auth      required    /usr/lib/security/libpam_unix.1
#
# Password Management
#
dtaction   password  required    /usr/lib/security/libpam_unix.1
dtlogin    password  required    /usr/lib/security/libpam_unix.1
login      password  sufficient  /usr/lib/security/libpam_ntlm.1
login      password  required    /usr/lib/security/libpam_unix.1
passwd     password  required    /usr/lib/security/libpam_unix.1
OTHER      password  required    /usr/lib/security/libpam_unix.1
#
# Session Management
#
dtaction   session   required    /usr/lib/security/libpam_unix.1
dtlogin    session   required    /usr/lib/security/libpam_unix.1
login      session   required    /usr/lib/security/libpam_unix.1
OTHER      session   required    /usr/lib/security/libpam_unix.1
#
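What the sufficient/required combination in the sample pam.conf actually decides is easiest to see by running the stack. The added example below (not code from the presentation) parses the login, ftp and su lines from the sample above and evaluates them with the pam.conf(4) control-flag rules; the outcomes of libpam_ntlm and libpam_unix are mocked, since no module is loaded here. It shows that a login authenticated by the domain never has its UNIX password checked, that the UNIX password is a fallback only for login, and that ftp, whose only auth entry is "required libpam_ntlm", fails outright when the domain controller does not answer, whatever /etc/passwd says.

```python
"""Evaluate an HP-UX pam.conf stack with required/sufficient semantics.

Added example, not from the presentation.  PAM_CONF copies the login, ftp
and su entries of the sample /etc/pam.conf; module outcomes are mocked.
Control-flag handling follows pam.conf(4): a required failure is remembered
but the stack continues, a requisite failure returns at once, a sufficient
success returns at once unless a required module already failed, and
failures of sufficient/optional modules are ignored.
"""

PAM_CONF = """\
# Account Management
login      account  sufficient  /usr/lib/security/libpam_ntlm.1
login      account  required    /usr/lib/security/libpam_unix.1
OTHER      account  required    /usr/lib/security/libpam_unix.1
# Authentication Management
ftp        auth     required    /usr/lib/security/libpam_ntlm.1
login      auth     sufficient  /usr/lib/security/libpam_ntlm.1
login      auth     required    /usr/lib/security/libpam_unix.1 try_first_pass
su         auth     required    /usr/lib/security/libpam_unix.1
OTHER      auth     required    /usr/lib/security/libpam_unix.1
"""


def parse_pam_conf(text):
    """Map (service, type) -> [(control, module, options)] in file order."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service, mtype, control, module, *options = line.split()
        stacks.setdefault((service.lower(), mtype), []).append((control, module, options))
    return stacks


def run_stack(stacks, service, mtype, outcomes):
    """Return (success, modules consulted) for one service and module type.

    outcomes maps a module basename (e.g. 'libpam_ntlm.1') to True/False,
    standing in for the result the real module would return.
    """
    stack = stacks.get((service.lower(), mtype)) or stacks.get(("other", mtype), [])
    consulted, required_failed, any_success = [], False, False
    for control, module, _options in stack:
        name = module.rsplit("/", 1)[-1]
        ok = outcomes[name]
        consulted.append(name)
        if control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True          # remembered, stack continues
        elif control == "requisite":
            if not ok:
                return False, consulted         # fail immediately
            any_success = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True, consulted          # short-circuit: rest not run
        elif control == "optional":
            any_success = any_success or ok
    return (any_success and not required_failed), consulted


if __name__ == "__main__":
    st = parse_pam_conf(PAM_CONF)
    ad_up = {"libpam_ntlm.1": True, "libpam_unix.1": False}
    ad_down = {"libpam_ntlm.1": False, "libpam_unix.1": True}
    print("login, AD accepts:", run_stack(st, "login", "auth", ad_up))
    print("login, AD rejects, UNIX ok:", run_stack(st, "login", "auth", ad_down))
    print("ftp, AD unreachable, UNIX ok:", run_stack(st, "ftp", "auth", ad_down))
```

Swapping the two login lines (required libpam_unix first, then sufficient libpam_ntlm) would make the UNIX password mandatory again, because a sufficient success does not override an earlier required failure; that is the "combination" the prerequisites slide refers to.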
HP-UX & TCB & PAM/NTLM
Concept: authenticate the user against Windows Active Directory while keeping the UNIX passwords in a secure location
Implementation: this is a combination of the two previously discussed methods
HP-UX UNIX File Sharing
SAMBA
What is it?
Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients. Samba is software that can be run on a platform other than Microsoft Windows that allows the host to interact with a Microsoft Windows client or server as if it is a Windows file and print server.
CIFS/9000
What is it?
CIFS/9000 provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. CIFS/9000 implements both the server and client components of the CIFS protocol on HP-UX.
The current CIFS/9000 Server (version A.01.08) is based on the well-established open-source software Samba, version 2.2.3a, and provides file and print services to CIFS clients including Windows NT, XP, 2000 and HP-UX machines running CIFS/9000 Client software.
CIFS/9000
What is CIFS/9000 used for in ExcaliburEDGE software?
• Its main function in ExcaliburEDGE is to allow a Windows-based PC to map a network drive to a directory structure on a UNIX server
• It allows the Windows user to "drag 'n' drop" files to and from the UNIX server to previously configured locations
CIFS/9000
How is it implemented?
• Preloaded on all new HP servers
• Can be installed from an HP-supplied depot file
• May require HP-UX patches before installation
CIFS/9000
Considerations
• Authentication options: Domain, User, or Share
• HP-UX user ids: the same as the Windows ids, or different than the Windows ids
• Sharing: define the UNIX directories to be shared
• Permissions: read only, or write
CIFS/9000
Configuration
• smb.conf (man smb.conf)
• HP-UX server joins the Domain (man smbpasswd)
• Use: PCs use Windows Explorer to map drives to shares on the UNIX server
CIFS/9000
Sample /etc/opt/samba/smb.conf
# Samba config file created using SWAT
# from 172.16.7.17 (172.16.7.17)
# Date: 2003/06/18 15:01:33

# Global parameters
[global]
        workgroup = EAED1
        netbios name = HELIOS
        security = DOMAIN
        encrypt passwords = Yes
        password server = devnt2
        username map = /etc/opt/samba/usermap.txt
        printcap name = /var/opt/samba/printers
        local master = No
        wins server = 172.16.10.60
        guest account = ftp

[printers]
        path = /var/spool/lp/public
        guest ok = Yes
        printable = Yes

[homes]
        comment = Home Directories
        path = /home/%S
        writeable = Yes
        create mask = 0775

[tmp]
        comment = /tmp on helios
        path = /tmp
        writeable = Yes
        create mask = 0775
        guest ok = Yes

[hold]
        comment = /sb/SB.EXC/_HOLD_ on helios
        path = /sb/SB.EXC/_HOLD_
        writeable = Yes
        create mask = 0775
        guest ok = Yes

[GVMI_UPLOAD]
        comment = /sb/SB.EXC/data/GL/GVMI_UPLOAD on helios
        path = /sb/SB.EXC/data/GL/GVMI_UPLOAD
        writeable = Yes
        create mask = 0775
        guest ok = Yes

[alltests]
        comment = /sb/SB.EXC/data/EDI/alltests
        path = /sb/SB.EXC/data/EDI/alltests
        writeable = Yes
        create mask = 0775
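Domain authentication on the [global] side does not by itself protect a share: a share with "guest ok = Yes" is reachable without any domain credential, mapped to the UNIX "guest account" (ftp in the sample), and "writeable = Yes" on top of that lets an unauthenticated client drop files into the data directories. The added example below (not code from the presentation) parses the sample smb.conf and lists exactly those shares. Parameter synonyms (writeable/writable/write ok, read only, guest ok/public) are the documented smb.conf(5) ones; the check itself is this script's.

```python
"""Flag smb.conf shares that an unauthenticated guest could write to.

Added example, not from the presentation.  SMB_CONF is a condensed copy of
the sample /etc/opt/samba/smb.conf from the slides, embedded so the check
runs offline.  Synonym handling follows smb.conf(5).
"""

SMB_CONF = """\
# Samba config file created using SWAT
[global]
        workgroup = EAED1
        netbios name = HELIOS
        security = DOMAIN
        encrypt passwords = Yes
        password server = devnt2
        guest account = ftp
[printers]
        path = /var/spool/lp/public
        guest ok = Yes
        printable = Yes
[homes]
        comment = Home Directories
        path = /home/%S
        writeable = Yes
        create mask = 0775
[tmp]
        path = /tmp
        writeable = Yes
        guest ok = Yes
[hold]
        path = /sb/SB.EXC/_HOLD_
        writeable = Yes
        guest ok = Yes
[GVMI_UPLOAD]
        path = /sb/SB.EXC/data/GL/GVMI_UPLOAD
        writeable = Yes
        guest ok = Yes
[alltests]
        path = /sb/SB.EXC/data/EDI/alltests
        writeable = Yes
"""

TRUE_WORDS = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {param: value}} with parameter names normalised to lower case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                   # comment or blank
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][" ".join(key.lower().split())] = value
    return sections


def as_bool(value):
    return value.strip().lower() in TRUE_WORDS


def share_writable(params):
    """'writeable', 'writable' and 'write ok' are synonyms; 'read only' is the inverse."""
    for key in ("writeable", "writable", "write ok"):
        if key in params:
            return as_bool(params[key])
    if "read only" in params:
        return not as_bool(params["read only"])
    return False                                       # Samba default: read only = yes


def share_guest_ok(params):
    """'guest ok' and 'public' are synonyms; default is no."""
    for key in ("guest ok", "public"):
        if key in params:
            return as_bool(params[key])
    return False


def audit(text):
    """Return (share, path, unix account the guest runs as) for guest-writable shares."""
    conf = parse_smb_conf(text)
    globals_ = {k: v for name, v in conf.items() if name.lower() == "global" for k in [None]}
    guest_account = conf.get("global", {}).get("guest account", "nobody")
    flagged = []
    for name, params in conf.items():
        if name.lower() == "global":
            continue
        if share_guest_ok(params) and share_writable(params):
            flagged.append((name, params.get("path"), guest_account))
    return flagged


if __name__ == "__main__":
    for share, path, account in audit(SMB_CONF):
        print(f"[{share}] {path}: writable by anyone, as UNIX user {account}")
```

On the sample this reports tmp, hold and GVMI_UPLOAD; [homes] and [alltests] are writable but require a domain logon, and [printers] is guest-accessible but not writable. The fix in smb.conf terms is "guest ok = No" on those shares (or a "valid users" list), not a change to [global].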
ExcaliburEDGE Password Validation
Setups
• User
• Group
• Menus
• Default (as delivered by IBM)
  • Authentication against the SB+ security files
  • Password is validated against the SB+ encrypted password
  • No password composition rules are in effect
  • Null password is allowed
• SB Supplied
  • SB+ password validation can be turned on by STS staff
  • It will enforce the following rules:
    1. Password can not contain a sequence of letters or numbers of 3 or more, such as ABC or 123.
    2. Password can not contain repetitive characters of 3 or more, such as the same letter 3 times in a row, like AAA.
    3. Password can not contain a comma.
    4. Password can not be one of the last 10 passwords used.
    5. Password can not be all numeric.
    6. Password can not be null.
    7. Password can not be the same as the user id.
    8. Password must be between 4 and 50 characters.
• Custom
  • SB supplied rules + custom programming
    • Lock account after a user-defined number of unsuccessful tries
  • Custom programming
    • More stringent password composition rules
    • Plus rules 1-4 of the 8 SB supplied rules
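The eight SB+ rules and the custom lockout are concrete enough to implement, so here is an added example (not SB+ or ExcaliburEDGE code) of a checker that returns the numbers of the rules a candidate password breaks, plus the lockout counter. Assumptions made here: letter sequences and the user id comparison are case-insensitive, descending runs (CBA) count as sequences alongside the slide's ascending examples, the "last 10 passwords" history is kept as SHA-256 digests as a stand-in for whatever SB+ stores, and the lockout threshold is the caller's choice, as the slide says.

```python
"""The eight SB+ composition rules and the custom lockout, as a checker.

Added example, not SB+ or ExcaliburEDGE code.  Rule numbers match the list
on the slide.  Assumptions: letter sequences and the user-id comparison are
case-insensitive, descending runs count as sequences, the password history
holds SHA-256 digests as a stand-in for SB+'s own encryption, and the
lockout threshold is supplied by the caller.
"""
import hashlib

MIN_LEN, MAX_LEN, HISTORY_DEPTH, RUN_LEN = 4, 50, 10, 3


def _digest(password):
    """Stand-in for the SB+ encrypted password kept in the history."""
    return hashlib.sha256(password.encode()).hexdigest()


def has_sequence(pw, n=RUN_LEN):
    """Rule 1: n or more consecutive letters or digits in order (ABC, 123)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        win = s[i:i + n]
        if not (win.isalpha() or win.isdigit()):
            continue                        # mixed classes are not a sequence
        steps = {ord(b) - ord(a) for a, b in zip(win, win[1:])}
        if steps == {1} or steps == {-1}:   # ascending, or descending (assumption)
            return True
    return False


def has_repeat(pw, n=RUN_LEN):
    """Rule 2: the same character n or more times in a row (AAA)."""
    return any(pw[i:i + n] == pw[i] * n for i in range(len(pw) - n + 1))


def violations(password, user_id, history):
    """Return the numbers of the SB+ rules the candidate password breaks."""
    broken = []
    if has_sequence(password):
        broken.append(1)
    if has_repeat(password):
        broken.append(2)
    if "," in password:
        broken.append(3)
    if _digest(password) in history[-HISTORY_DEPTH:]:
        broken.append(4)
    if password.isdigit():
        broken.append(5)
    if password == "":
        broken.append(6)
    if password.lower() == user_id.lower():
        broken.append(7)
    if not MIN_LEN <= len(password) <= MAX_LEN:
        broken.append(8)
    return broken


def remember(password, history):
    """Append the accepted password's digest, keeping only the last 10."""
    return (history + [_digest(password)])[-HISTORY_DEPTH:]


class Lockout:
    """Custom rule: lock the account after max_tries consecutive failures."""

    def __init__(self, max_tries):
        self.max_tries = max_tries
        self.failures = {}
        self.locked = set()

    def attempt(self, user_id, ok):
        """Record one login attempt; return True if the account is (now) locked."""
        if user_id in self.locked:
            return True                     # stays locked until an admin clears it
        if ok:
            self.failures.pop(user_id, None)
            return False
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] >= self.max_tries:
            self.locked.add(user_id)
        return user_id in self.locked


if __name__ == "__main__":
    for candidate in ("abc123", "1234567", "", "jdoe", "Xq7!mz2p"):
        print(repr(candidate), "breaks rules", violations(candidate, "jdoe", []))
```

The "Custom" option on the slide keeps only rules 1-4 of the eight and adds stricter composition checks; with this structure that is a matter of dropping the later branches of violations() and adding new ones, with the history and lockout logic unchanged.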
REFERENCES
Administering Your HP-UX Trusted System
http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90121/B2355-90121_top.html&con=/hpux/onlinedocs/B2355-90121/00/00/7-con.html&toc=/hpux/onlinedocs/B2355-90121/00/00/7-toc.html&searchterms=tcb&queryid=20040823-165133
SAMBA
http://us1.samba.org/samba/
CIFS/9000
http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B8725-90021/B8725-90021_top.html&con=/hpux/onlinedocs/B8725-90021/00/00/3-con.html&toc=/hpux/onlinedocs/B8725-90021/00/00/3-toc.html&searchterms=CIFS/9000&queryid=20040827-082019