
Upload: maya-frazier

Post on 26-Mar-2015


TRANSCRIPT

Page 1: FORUM TOPICS HP-UX UNIX Security Sharing files in HP-UX UNIX with Windows ExcaliburEDGE Password Validation

GAYLORD TEXAN RESORT – LAKE GRAPEVINE, TEXAS

CONFERENCE – OCTOBER 21-22, 2004

PRE-CONFERENCE TRAINING – OCTOBER 18-19, 2004

GOLF TOURNAMENT & ACTIVITIES – OCTOBER 20, 2004

Page 2:

FORUM TOPICS

HP-UX UNIX Security

Sharing files in HP-UX UNIX with Windows

ExcaliburEDGE Password Validation

Page 3:

Presenter

Rod Hunley, Excalibur Systems Support Manager

P2 Energy Solutions, 303.292.0990

[email protected]

Page 4:

STS Staff

• Tony Castillo

• Jim Cannon

• Rod Hunley

• Byron Ward

• Kham Laychaypha

Page 5:

OVERVIEW

• HP-UX UNIX Security
  • Importance of security
  • Definitions
  • HP-UX in un-trusted mode
  • HP-UX with shadow passwords
  • HP-UX with TCB (trusted mode)
  • HP-UX & PAM/NTLM
  • HP-UX & TCB & PAM/NTLM

• Sharing files in HP-UX UNIX with Windows
  • SAMBA
  • CIFS/9000

Page 6:

OVERVIEW

• ExcaliburEDGE Password Validation
  • Setups
  • Password Validation Options

• References

Page 7:

HP-UX UNIX Security

• Importance of security
  • Protect corporate information from theft, corruption, or unauthorized access
  • Comply with internal IT standards
  • Comply with Sarbanes-Oxley (SOX) audits

Page 8:

HP-UX UNIX Security • Definitions

• What is a login?
  • The UNIX program that reads and verifies a user's user name and password and starts an interactive session

• Why is a user name important?
  • Only authenticated users are allowed access to the UNIX server
  • Access to programs and files is granted on the basis of user names and groups

• How does the verification work?
  • The entered user name is looked up in a system file (/etc/passwd); the entered password is then run through the same one-way encryption, with the same salt, as the stored value, and the result is compared with the encrypted password kept in a system file
  • The stored value cannot be turned back into the password, but anyone who can read it can guess candidate passwords against it offline, which is why where that file lives and who can read it matters in the slides that follow

Page 9:

HP-UX UNIX Security

HP-UX (un-trusted mode)

Un-trusted mode: standard delivery on HP-UX servers

Concept: authenticate and validate against the /etc/passwd file

Page 10:

HP-UX UNIX Security

• HP-UX (un-trusted mode)
• /etc/passwd file structure (seven colon-delimited fields)
  • user name
  • encrypted password ("*" marks an account that cannot log in with a password)
  • user ID number (UID)
  • group ID number (GID)
  • comment (GECOS) field: up to 4 optional text fields separated by commas
  • user's home directory
  • startup shell

Page 11:

HP-UX UNIX Security

#cat /etc/passwd
root:/.57wLPQp2cV6:0:3::/:/sbin/ksh
rootlike:/.57wLPQp2cV6:0:3::/:/sbin/ksh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico

Page 12:

HP-UX UNIX Security

lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
nobody:*:-2:-2::/:
www:*:30:1::/:
webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
smbnull:*:101:101:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
opc_op:*:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
unidata:CuRdujgUu53qA:200:200:,,,:/home/unidata:/usr/bin/ksh

Page 13:

HP-UX UNIX Security

HP-UX (un-trusted mode)

Ownership & permissions of important files

Issues with this security setup:
  • The encrypted password sits in a world-readable file
  • Anyone with a login can copy the file and run the hashes through a password cracker offline
  • In the listing above, two accounts (root and rootlike) have UID 0 and carry the same hash, so "rootlike" is a second superuser that any password audit has to cover as well

#ls -la /etc/passwd

-r--r--r-- 1 root sys 818 Aug 20 15:39 /etc/passwd

Page 14:

HP-UX UNIX Security

HP-UX with shadow passwords

Concept: move the encrypted passwords out of /etc/passwd into a file (/etc/shadow) that only root can read

Requirements: HP-UX 11.11 (11i v1) only; on that release the feature is delivered as a separate HP software bundle (later 11i releases include it in the base operating system)

Implementation: install the HP-supplied software bundle, run the conversion program (pwconv), reboot

Page 15:

HP-UX UNIX Security

HP-UX with shadow passwords

Verification of a shadow password bundle installation:

#swlist
# Initializing...
# Contacting target "siafu.petroleumplace.com"...
#
# Target:  siafu.petroleumplace.com:/
#
# Bundle(s):
#
...
  ShadowPassword   B.11.11.01   HP-UX 11.11 Shadow Password Bundle.

Page 16:

HP-UX UNIX Security

HP-UX with shadow passwords

Structure of /etc/passwd with shadow passwords: the encrypted password is moved to /etc/shadow and replaced with an "x"

#cat /etc/passwd (after conversion)
root:x:0:3::/:/sbin/ksh
rootlike:x:0:3::/:/sbin/ksh
daemon:x:1:5::/:/sbin/sh
bin:x:2:2::/usr/bin:/sbin/sh
sys:x:3:3::/:
adm:x:4:4::/var/adm:/sbin/sh
uucp:x:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:x:9:7::/var/spool/lp:/sbin/sh
nuucp:x:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:x:27:1:ALLBASE:/:/sbin/sh
nobody:x:-2:-2::/:
www:x:30:1::/:
webadmin:x:40:1::/usr/obam/server/nologindir:/usr/bin/false
smbnull:x:101:101:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
opc_op:x:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
unidata:x:200:200:,,,:/home/unidata:/usr/bin/ksh

#ls -la /etc/passwd
-r--r--r-- 1 root sys 818 Aug 20 15:39 /etc/passwd

Page 17:

HP-UX UNIX Security

/etc/shadow is readable by root only:

#ls -la /etc/shadow
-r-------- 1 root sys 470 Aug 20 15:39 /etc/shadow

#cat /etc/shadow
root:/.57wLPQp2cV6:12650::::::
rootlike:/.57wLPQp2cV6:12650::::::
daemon:*:12650::::::
bin:*:12650::::::
sys:*:12650::::::
adm:*:12650::::::
uucp:*:12650::::::
lp:*:12650::::::
nuucp:*:12650::::::
hpdb:*:12650::::::
nobody:*:12650::::::
www:*:12650::::::
webadmin:*:12650::::::
smbnull:*:12650::::::
opc_op:*:12650::::::
unidata:CuRdujgUu53qA:12650::::::

The fields are the user name, the encrypted password, and the date of the last password change counted in days since 1 January 1970 (12650 is 20 August 2004, the day of the conversion), followed by the empty password-aging fields (minimum age, maximum age, warning period, inactivity, expiry date, flag). A "*" in the password field marks an account that cannot log in with a password.
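The following is an added example, not part of the presentation, that puts the un-trusted and shadow slides together as a check a support team could run over its own files: it parses an /etc/passwd and /etc/shadow pair, reports hashes left in the world-readable file, "x" entries with no shadow counterpart, empty passwords, and duplicate UID 0 accounts, and converts the shadow "last changed" day to a date. The two file bodies are constructed from the slides' listings (same hashes, a subset of the accounts) plus one invented account, "legacy", whose hash was never moved to /etc/shadow.

```python
"""Audit an HP-UX style /etc/passwd and /etc/shadow pair.

Added example, not from the presentation. PASSWD and SHADOW are constructed
from the slides' listings; the "legacy" account is invented to show a hash
that was left behind in /etc/passwd.
"""
from datetime import date, timedelta

PASSWD = """\
root:x:0:3::/:/sbin/ksh
rootlike:x:0:3::/:/sbin/ksh
daemon:x:1:5::/:/sbin/sh
unidata:x:200:200:,,,:/home/unidata:/usr/bin/ksh
legacy:CuRdujgUu53qA:201:200::/home/legacy:/usr/bin/ksh
"""

SHADOW = """\
root:/.57wLPQp2cV6:12650::::::
rootlike:/.57wLPQp2cV6:12650::::::
daemon:*:12650::::::
unidata:CuRdujgUu53qA:12650::::::
"""


def parse_passwd(text):
    """Return {name: fields} for the seven colon-separated passwd fields."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                       "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Return {name: {pw, lastchg}}; lastchg is days since 1970-01-01."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        lastchg = int(fields[2]) if fields[2] else None
        entries[fields[0]] = {"pw": fields[1], "lastchg": lastchg}
    return entries


def shadow_day_to_date(days):
    """The shadow 'last changed' field counts days since the UNIX epoch."""
    return date(1970, 1, 1) + timedelta(days=days)


def audit(passwd_text, shadow_text):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    passwd = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = []

    # More than one UID 0 means more than one superuser password to protect.
    uid0 = sorted(n for n, u in passwd.items() if u["uid"] == 0)
    if len(uid0) > 1:
        findings.append("multiple UID 0 accounts: " + ", ".join(uid0))

    for name, u in passwd.items():
        pw = u["pw"]
        if pw == "x":                      # shadowed: check the shadow side
            s = shadow.get(name)
            if s is None:
                findings.append(f"{name}: passwd has 'x' but no /etc/shadow entry")
            elif s["pw"] == "":
                findings.append(f"{name}: empty password in /etc/shadow")
        elif pw in ("*", "!"):             # locked or no-password-login account
            continue
        elif pw == "":
            findings.append(f"{name}: empty password field in /etc/passwd")
        else:                              # a real hash in the world-readable file
            findings.append(f"{name}: hash still in world-readable /etc/passwd")
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD, SHADOW):
        print(finding)
    print("last change:", shadow_day_to_date(12650))
```

On the constructed data the audit reports the shared UID 0 pair and the "legacy" hash; the conversion date comes out as 20 August 2004, matching the file timestamps on the slide.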

Page 18:

HP-UX UNIX Security

HP-UX with TCB (Trusted Mode)

What is TCB?

The Hewlett-Packard C2-level trusted system consists of the HP-UX operating system configured in trusted mode and its commands, utilities, and subsystems along with supported hardware. This results in a system designed to meet the criteria of a C2-level trusted system, as described in Section 2.2 of the Department of Defense Trusted Computer System Evaluation Criteria , DOD 5200.28-STD, December 1985, and the E3/FC2 security level as defined by the Information Technology Security Evaluation Criteria (ITSEC) established by the European Community.

Page 19:

HP-UX UNIX Security

HP-UX with TCB (Trusted Mode)

Why is TCB better than an un-trusted system or a shadow password system?
  • Provides more stringent password authentication (per-user password aging, a count of failed logins and account locking, kept in the protected password database shown on the following slides) and system auditing
  • Terminal access control
  • Time-based access controls

Page 20:

HP-UX UNIX Security

HP-UX with TCB (Trusted Mode)

How is it implemented?
  • An understanding of the trusted system structure
  • A lot of planning
  • Train support personnel
  • Run SAM to perform the conversion to TCB
  • Be prepared initially for questions/problems

Page 21:

HP-UX UNIX Security

HP-UX with TCB (Trusted Mode)

The encrypted password is moved to the protected password database under /tcb and replaced with an "*"

#cat /etc/passwd (after conversion to trusted system)
root:*:0:3::/:/sbin/ksh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
www:*:30:1::/:
webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
smbnull:*:103:103:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
opc_op:*:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
tftp:*:510:8:Trivial FTP user:/usr/tftpdir:/usr/bin/false
nsmail:*:110:101:NetScape Mail,,,:/home/nsmail:/usr/bin/sh
mailsrv:*:102:101:Netscape Mail Server,,,:/home/mailsrv:/usr/bin/sh
unidata:*:204:200:unidata user:/home/unidata:/usr/bin/ksh

Page 22:

HP-UX UNIX Security

HP-UX with TCB (Trusted Mode)

#ls -ld /tcb
dr-xr-x--x 3 root sys 96 Apr 29 13:36 /tcb
#ls -ld /tcb/files
drwxrwx--x 3 root sys 96 Apr 29 13:36 /tcb/files
#ls -ld /tcb/files/auth
drwxrwx--x 55 root sys 1024 Apr 29 13:36 tcb/files/auth
#cd /tcb/files/auth
# ls
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s system t u v w x y z
#ls -ld /tcb/files/auth/u
drwxrwx--- 2 root sys 96 Aug 20 21:30 u

Each user's record is kept in the directory named after the first letter of the user name (unidata under u); the "system" directory holds the system-wide defaults.

Page 23:

HP-UX UNIX Security

HP-UX with TCB (Trusted Mode)

#cd u
#ls -la
total 8
drwxrwx---  2 root sys    96 Aug 20 21:30 .
drwxrwx--x 55 root sys  1024 Apr 29 13:36 ..
-rw-rw-r--  1 root root  210 Aug 20 21:30 unidata
-rw-rw-r--  1 root root  151 Apr 29 13:36 ursetta
-rw-rw-r--  1 root root  126 Apr 29 13:36 uucp

#cat unidata
unidata:u_name=unidata:u_id#204:\
        :u_pwd=P36658YzF7/z6:\
        :u_auditid#22:\
        :u_auditflag#1:\
        :u_pswduser=unidata:u_suclog#1083267371:u_unsuclog#1093059008:u_unsuctty=pts/ta:\
        :u_numunsuclog#6:u_lock@:chkent:

Note that the per-user files themselves are mode 644 (world-readable); what keeps the u_pwd hash private is the 770 mode on the letter directory (/tcb/files/auth/u), so a careless chmod or a copy of that directory tree would expose the hashes just as /etc/passwd did. The record also carries the fields TCB adds over /etc/shadow: the last successful login (u_suclog) and last failed login (u_unsuclog) as seconds since the epoch, the terminal of the last failure (u_unsuctty=pts/ta), a running count of failures (u_numunsuclog#6), and the lock flag (u_lock@, where the trailing "@" means "false", so this account is not locked despite six failed attempts).
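Because the record format is unusual, the following added example (not from the presentation or from HP) parses the unidata record shown above and pulls out the login-history fields a support analyst would look at: the failed-login count, the lock flag, the last success and last failure as UTC timestamps, and the terminal of the last failure. The field syntax follows the getprpwent format: "name=value" is a string, "name#value" a number, a bare "name" a true flag and "name@" a false flag; a trailing backslash continues the record on the next line and "chkent" closes it. The "lock_after" threshold is an assumed site policy, not something the slide states.

```python
"""Parse one record of the HP-UX TCB protected password database
(/tcb/files/auth/<first letter of user>/<user>).

Added example, not from the presentation. TCB_RECORD is the unidata record
as shown on the slide.
"""
from datetime import datetime, timezone

TCB_RECORD = r"""unidata:u_name=unidata:u_id#204:\
        :u_pwd=P36658YzF7/z6:\
        :u_auditid#22:\
        :u_auditflag#1:\
        :u_pswduser=unidata:u_suclog#1083267371:u_unsuclog#1093059008:u_unsuctty=pts/ta:\
        :u_numunsuclog#6:u_lock@:chkent:
"""


def parse_tcb_record(text):
    """Return (user name, {attribute: value}) for a single record."""
    joined = text.replace("\\\n", "")            # undo the backslash continuations
    fields = [f.strip() for f in joined.split(":")]
    fields = [f for f in fields if f]             # drop the empty leading ':' of each line
    name, attrs = fields[0], {}
    for field in fields[1:]:
        if field == "chkent":                     # end-of-record marker
            break
        if "=" in field:                          # string attribute
            key, value = field.split("=", 1)
            attrs[key] = value
        elif "#" in field:                        # numeric attribute
            key, value = field.split("#", 1)
            attrs[key] = int(value)
        elif field.endswith("@"):                 # boolean false
            attrs[field[:-1]] = False
        else:                                     # boolean true
            attrs[field] = True
    return name, attrs


def _when(epoch_seconds):
    """Render a u_suclog/u_unsuclog value; 0 or missing means 'never'."""
    if not epoch_seconds:
        return "never"
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M UTC")


def summarize(attrs, lock_after=5):
    """Pick out the login-history fields TCB keeps and /etc/shadow does not.

    lock_after is an assumed site policy: accounts at or past it that are
    still unlocked are flagged for review."""
    failures = attrs.get("u_numunsuclog", 0)
    locked = bool(attrs.get("u_lock", False))
    return {
        "uid": attrs.get("u_id"),
        "locked": locked,
        "failed_logins": failures,
        "last_failed_tty": attrs.get("u_unsuctty"),
        "last_success": _when(attrs.get("u_suclog")),
        "last_failure": _when(attrs.get("u_unsuclog")),
        "needs_review": failures >= lock_after and not locked,
    }


if __name__ == "__main__":
    user, attrs = parse_tcb_record(TCB_RECORD)
    print(user)
    for key, value in summarize(attrs).items():
        print(f"  {key}: {value}")
```

For the slide's record this yields UID 204, six failures on pts/ta, not locked, a last success on 29 April 2004 and a last failure on 21 August 2004 UTC (the evening of 20 August in Mountain time, matching the file's modification time).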

Page 24:

HP-UX UNIX Security

HP-UX & PAM/NTLM

What is PAM? The pluggable authentication module (PAM) framework provides the ability to incorporate multiple authentication mechanisms into an existing system through the use of pluggable modules. The PAM framework consists of a library, pluggable modules, and a configuration file (/etc/pam.conf). "Out-of-the-box" HP-UX PAM is set up to perform standard UNIX authentication; other mechanisms can be plugged in, for example NTLM and Kerberos 5, the protocols used by Windows Active Directory.

Concept: authenticate UNIX logins against Windows Active Directory rather than against the UNIX password files

Page 25:

HP-UX UNIX Security

• HP-UX & PAM/NTLM

• What are the prerequisites?
  • CIFS/9000 (Samba) must be installed, running in Domain authentication mode, and the UNIX server must have joined the Domain
  • The UNIX /etc/passwd file still has to exist, and new users must still be created on the UNIX server: PAM replaces only the password check, while the UID, GID, home directory and shell still come from /etc/passwd
  • Whether a user can fall back to a local UNIX password depends on how the modules are stacked with "sufficient" versus "required" in /etc/pam.conf: a "sufficient" NTLM module that succeeds ends the check, and a following "required" UNIX module is consulted only when NTLM fails

• How is it implemented?
  • Replace and configure the /etc/pam.conf file

Page 26:

HP-UX UNIX Security

HP-UX & PAM/NTLM

Sample /etc/pam.conf

# cat /etc/pam.conf
#
# PAM Configuration
#
# Account Management
#
dtaction  account  required    /usr/lib/security/libpam_unix.1
dtlogin   account  required    /usr/lib/security/libpam_unix.1
ftp       account  required    /usr/lib/security/libpam_unix.1
login     account  sufficient  /usr/lib/security/libpam_ntlm.1
login     account  required    /usr/lib/security/libpam_unix.1
su        account  required    /usr/lib/security/libpam_unix.1
OTHER     account  required    /usr/lib/security/libpam_unix.1
#
# Authentication Management
#
dtaction  auth  required    /usr/lib/security/libpam_unix.1
dtlogin   auth  required    /usr/lib/security/libpam_unix.1
ftp       auth  required    /usr/lib/security/libpam_ntlm.1

Page 27:

HP-UX UNIX Security

login     auth  sufficient  /usr/lib/security/libpam_ntlm.1
login     auth  required    /usr/lib/security/libpam_unix.1 try_first_pass
su        auth  required    /usr/lib/security/libpam_unix.1
OTHER     auth  required    /usr/lib/security/libpam_unix.1
#
# Password Management
#
dtaction  password  required    /usr/lib/security/libpam_unix.1
dtlogin   password  required    /usr/lib/security/libpam_unix.1
login     password  sufficient  /usr/lib/security/libpam_ntlm.1
login     password  required    /usr/lib/security/libpam_unix.1
passwd    password  required    /usr/lib/security/libpam_unix.1
OTHER     password  required    /usr/lib/security/libpam_unix.1
#
# Session Management
#
dtaction  session  required  /usr/lib/security/libpam_unix.1
dtlogin   session  required  /usr/lib/security/libpam_unix.1
login     session  required  /usr/lib/security/libpam_unix.1
OTHER     session  required  /usr/lib/security/libpam_unix.1
#

Two points worth checking in this sample: "ftp" authenticates with libpam_ntlm.1 alone, so an account that exists only in the local password file cannot use FTP, whereas "login" tries NTLM first and falls back to the local UNIX password (try_first_pass reuses the password already typed instead of prompting again); and "su", dtlogin and everything covered by OTHER never consult the domain at all.
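The effect of "sufficient" versus "required" is easiest to see by running the sample's auth stacks against a few kinds of user. The following is an added example, not part of the presentation and not HP-UX code: real PAM invokes the modules, whereas here each module outcome (would NTLM accept the password, would libpam_unix accept it) is supplied by a constructed dictionary so the control-flag logic can be exercised offline. It reads the auth lines from the slide's pam.conf and applies the documented semantics of the four control flags.

```python
"""Model how PAM combines stacked modules, using the auth stacks from the
presentation's sample /etc/pam.conf.

Added example, not from the presentation or from HP-UX. Control-flag
semantics implemented, as documented for pam.conf:
  required   - a failure is remembered, but the rest of the stack still runs
  requisite  - a failure ends the stack immediately
  sufficient - a success ends the stack with success, unless an earlier
               required module has already failed; a failure is ignored
  optional   - counts only when no required/requisite/sufficient module is present
"""

PAM_CONF = """\
login  auth  sufficient  /usr/lib/security/libpam_ntlm.1
login  auth  required    /usr/lib/security/libpam_unix.1 try_first_pass
ftp    auth  required    /usr/lib/security/libpam_ntlm.1
su     auth  required    /usr/lib/security/libpam_unix.1
OTHER  auth  required    /usr/lib/security/libpam_unix.1
"""


def parse_pam_conf(text, facility="auth"):
    """Return {service: [(control, module basename, options)]} for one facility."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service, fac, control, module, *options = line.split()
        if fac == facility:
            stacks.setdefault(service, []).append(
                (control, module.rsplit("/", 1)[-1], options))
    return stacks


def run_stack(stack, outcomes):
    """outcomes maps module basename -> True/False for this login attempt."""
    required_failed = False
    success = False
    optional_ok = False
    decisive = 0                      # number of non-optional modules seen
    for control, module, _options in stack:
        ok = outcomes.get(module, False)
        if control == "required":
            decisive += 1
            if ok:
                success = True
            else:
                required_failed = True
        elif control == "requisite":
            decisive += 1
            if not ok:
                return False
            success = True
        elif control == "sufficient":
            decisive += 1
            if ok and not required_failed:
                return True
        elif control == "optional":
            optional_ok = optional_ok or ok
    if decisive == 0:
        return optional_ok
    return success and not required_failed


def authenticate(service, outcomes, stacks):
    """Use the service's own stack, or the OTHER stack when it has none."""
    stack = stacks.get(service) or stacks.get("OTHER", [])
    return run_stack(stack, outcomes)


STACKS = parse_pam_conf(PAM_CONF)

# Constructed users: whether the domain (NTLM) and the local password file
# (libpam_unix) would each accept the password that was typed.
DOMAIN_ONLY = {"libpam_ntlm.1": True, "libpam_unix.1": False}
LOCAL_ONLY = {"libpam_ntlm.1": False, "libpam_unix.1": True}
NEITHER = {"libpam_ntlm.1": False, "libpam_unix.1": False}

if __name__ == "__main__":
    for service in ("login", "ftp", "su", "telnet"):
        for label, who in (("domain-only", DOMAIN_ONLY), ("local-only", LOCAL_ONLY)):
            print(f"{service:6} {label:12} -> {authenticate(service, who, STACKS)}")
```

With the slide's stacks, "login" admits both a domain-only and a local-only user, "ftp" admits only the domain user, and "su" and any service falling through to OTHER (telnet here) admit only the local user; a user who fails both checks is refused everywhere.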

Page 28:

HP-UX UNIX Security

HP-UX & TCB & PAM/NTLM

Concept: authenticate the user against Windows Active Directory while keeping the UNIX passwords in a secure location (the TCB protected password database)

Implementation: a combination of the two previously discussed methods

Page 29:

HP-UX UNIX File Sharing

SAMBA

What is it?

Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients. Samba is software that can be run on a platform other than Microsoft Windows and allows the host to interact with a Microsoft Windows client or server as if it were a Windows file and print server.

Page 30:

HP-UX UNIX File Sharing

CIFS/9000

What is it?

CIFS/9000 provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. CIFS/9000 implements both the server and client components of the CIFS protocol on HP-UX.

The current CIFS/9000 Server (version A.01.08) is based on the well-established open-source software Samba, version 2.2.3a, and provides file and print services to CIFS clients including Windows NT, XP, 2000 and HP-UX machines running CIFS/9000 Client software.

Page 31:

HP-UX UNIX File Sharing

CIFS/9000

What is CIFS/9000 used for in ExcaliburEDGE software?

Its main function in ExcaliburEDGE is to allow a Windows-based PC to map a network drive to a directory structure on a UNIX server.

It gives the Windows user the ability to "drag 'n' drop" files to and from the UNIX server to previously configured locations.

Page 32:

HP-UX UNIX File Sharing

CIFS/9000

How is it implemented?
  • Preloaded on all new HP servers
  • Can be installed from an HP-supplied depot file
  • May require HP-UX patches before installation

Page 33:

HP-UX UNIX File Sharing

CIFS/9000

Considerations:

  Authentication options   Domain / User / Share (the smb.conf "security" setting: Domain defers to a Windows domain controller, User checks a per-user Samba password, Share checks a per-share password)
  HP-UX user ids           same as the Windows ids / different from the Windows ids (then mapped with a username map)
  Sharing                  define the UNIX directories to be shared
  Permissions              read only / write

Page 34:

HP-UX UNIX File Sharing

CIFS/9000 Configuration

  smb.conf                          man smb.conf
  HP-UX server joins the Domain     man smbpasswd
  Use                               PCs use Windows Explorer to map drives to shares on the UNIX server

Page 35:

HP-UX UNIX File Sharing

CIFS/9000

Sample /etc/opt/samba/smb.conf

# Samba config file created using SWAT
# from 172.16.7.17 (172.16.7.17)
# Date: 2003/06/18 15:01:33

# Global parameters
[global]
        workgroup = EAED1
        netbios name = HELIOS
        security = DOMAIN
        encrypt passwords = Yes
        password server = devnt2
        username map = /etc/opt/samba/usermap.txt
        printcap name = /var/opt/samba/printers
        local master = No
        wins server = 172.16.10.60
        guest account = ftp

[printers]
        path = /var/spool/lp/public
        guest ok = Yes
        printable = Yes

Page 36:

HP-UX UNIX File Sharing

CIFS/9000

Sample /etc/opt/samba/smb.conf (continued)

[homes]
        comment = Home Directories
        path = /home/%S
        writeable = Yes
        create mask = 0775

[tmp]
        comment = /tmp on helios
        path = /tmp
        writeable = Yes
        create mask = 0775
        guest ok = Yes

Page 37:

HP-UX UNIX File Sharing

Sample /etc/opt/samba/smb.conf (continued)

[hold]
        comment = /sb/SB.EXC/_HOLD_ on helios
        path = /sb/SB.EXC/_HOLD_
        writeable = Yes
        create mask = 0775
        guest ok = Yes

[GVMI_UPLOAD]
        comment = /sb/SB.EXC/data/GL/GVMI_UPLOAD on helios
        path = /sb/SB.EXC/data/GL/GVMI_UPLOAD
        writeable = Yes
        create mask = 0775
        guest ok = Yes

[alltests]
        comment = /sb/SB.EXC/data/EDI/alltests
        path = /sb/SB.EXC/data/EDI/alltests
        writeable = Yes
        create mask = 0775

Note that [tmp], [hold] and [GVMI_UPLOAD] combine "guest ok = Yes" with "writeable = Yes": anyone who can reach the server over SMB can write into those directories without a domain password, and the files they create are owned by the "guest account" (ftp). The "create mask = 0775" used throughout also makes every new file group-writable.
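A share review like the one above is easy to automate. The following is an added example, not part of the presentation and not Samba or CIFS/9000 code: it parses an smb.conf, lists the shares that accept anonymous writes together with the UNIX account those writes run as, and checks the global security mode, the "encrypt passwords" setting and the create mask. SMB_CONF is constructed from the slides' sample configuration with the comments and printer plumbing dropped.

```python
"""Flag risky share definitions in a Samba / CIFS 9000 smb.conf.

Added example, not from the presentation. SMB_CONF is constructed from the
sample configuration on the slides.
"""

SMB_CONF = """\
[global]
    workgroup = EAED1
    netbios name = HELIOS
    security = DOMAIN
    encrypt passwords = Yes
    password server = devnt2
    username map = /etc/opt/samba/usermap.txt
    guest account = ftp
[printers]
    path = /var/spool/lp/public
    guest ok = Yes
    printable = Yes
[homes]
    comment = Home Directories
    path = /home/%S
    writeable = Yes
    create mask = 0775
[tmp]
    path = /tmp
    writeable = Yes
    create mask = 0775
    guest ok = Yes
[hold]
    path = /sb/SB.EXC/_HOLD_
    writeable = Yes
    create mask = 0775
    guest ok = Yes
[GVMI_UPLOAD]
    path = /sb/SB.EXC/data/GL/GVMI_UPLOAD
    writeable = Yes
    create mask = 0775
    guest ok = Yes
[alltests]
    path = /sb/SB.EXC/data/EDI/alltests
    writeable = Yes
    create mask = 0775
"""


def parse_smb_conf(text):
    """Return {section: {parameter (lower-case): value}}; '#' and ';' start comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf


def is_yes(value):
    return (value or "").strip().lower() in ("yes", "true", "1")


def share_writable(share):
    """Samba accepts several spellings; the default is read only."""
    for key in ("writeable", "writable", "write ok"):
        if key in share:
            return is_yes(share[key])
    if "read only" in share:
        return not is_yes(share["read only"])
    return False


def share_guest_ok(share):
    return is_yes(share.get("guest ok")) or is_yes(share.get("public"))


def guest_writable_shares(conf):
    """Names of shares that accept anonymous (guest) writes, sorted."""
    return sorted(name for name, share in conf.items()
                  if name != "global" and share_guest_ok(share) and share_writable(share))


def audit_smb_conf(conf):
    """Return a list of findings a reviewer would raise about this configuration."""
    findings = []
    g = conf.get("global", {})
    if g.get("security", "user").upper() == "SHARE":
        findings.append("global: security = SHARE uses per-share passwords, not per-user identities")
    # Samba 2.2 (the base of CIFS/9000 A.01.08) defaulted to plaintext passwords.
    if not is_yes(g.get("encrypt passwords", "no")):
        findings.append("global: encrypt passwords is off, so clients send passwords in plaintext")
    guest = g.get("guest account", "nobody")
    for name in guest_writable_shares(conf):
        findings.append(f"[{name}]: guest ok + writeable, anonymous writes to "
                        f"{conf[name].get('path', '?')} run as UNIX user '{guest}'")
    for name, share in conf.items():
        mask = share.get("create mask") or share.get("create mode")
        if mask and int(mask, 8) & 0o020:
            findings.append(f"[{name}]: create mask {mask} makes new files group-writable")
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(parse_smb_conf(SMB_CONF)):
        print(finding)
```

On the slide's configuration the audit names GVMI_UPLOAD, hold and tmp as guest-writable (as the ftp user) and flags the 0775 create mask on every share that sets it; the global section passes because security is DOMAIN and encrypted passwords are on.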

Page 38:

ExcaliburEDGE Password Validation

Setups
  • User
  • Group
  • Menus

Page 39:

ExcaliburEDGE Password Validation

• Default (as delivered by IBM)
  • Authentication against the SB+ security files
  • Password is validated against the SB+ encrypted password
  • No password composition rules are in effect
  • Null password is allowed

Page 40:

ExcaliburEDGE Password Validation

Page 41:

ExcaliburEDGE Password Validation

• SB Supplied
  • SB+ password validation can be turned on by STS staff
  • It enforces the following rules:

1 - Password cannot contain a sequence of 3 or more consecutive letters or numbers, such as ABC or 123.
2 - Password cannot contain 3 or more repeated characters, such as the same letter 3 times in a row (AAA).
3 - Password cannot contain a comma.
4 - Password cannot be one of the last 10 passwords used.
5 - Password cannot be all numeric.
6 - Password cannot be null.
7 - Password cannot be the same as the user id.
8 - Password must be between 4 and 50 characters.
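The eight rules are precise enough to implement, which is useful for testing candidate passwords before a policy is switched on. The following is an added example, not ExcaliburEDGE or SB+ code, written from the rules as worded on the slide. Where the slide is silent, the assumptions are marked in the code: sequences are compared case-insensitively and descending runs (CBA, 321) are rejected along with ascending ones, the user-id comparison ignores case, and the password history is passed most-recent-last.

```python
"""Check a candidate password against the eight SB+ supplied rules listed on
the slide. Added example, not SB+ or ExcaliburEDGE code; see the marked
assumptions.
"""
import re

RULES = {
    1: "contains a sequence of 3 or more consecutive letters or numbers (ABC, 123)",
    2: "contains the same character 3 or more times in a row (AAA)",
    3: "contains a comma",
    4: "is one of the last 10 passwords used",
    5: "is all numeric",
    6: "is null",
    7: "is the same as the user id",
    8: "is not between 4 and 50 characters",
}


def has_sequence(password, run=3):
    """Rule 1: `run` letters or digits in a row that each step by +1.

    Assumptions: compared case-insensitively; a -1 step (CBA, 321) is rejected too."""
    s = password.upper()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeat(password, run=3):
    """Rule 2: any character repeated `run` or more times consecutively."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def validate_sb_password(user_id, password, history=()):
    """Return the numbers of the rules the password breaks ([] means it passes).

    history: previously used passwords, most recent last (assumption)."""
    if password == "":
        return [6]                                 # null: nothing else is meaningful
    broken = []
    if has_sequence(password):
        broken.append(1)
    if has_repeat(password):
        broken.append(2)
    if "," in password:
        broken.append(3)
    if password in list(history)[-10:]:
        broken.append(4)
    if password.isdigit():
        broken.append(5)
    if password.lower() == user_id.lower():        # assumption: case-insensitive
        broken.append(7)
    if not 4 <= len(password) <= 50:
        broken.append(8)
    return broken


if __name__ == "__main__":
    previous = ["Texan#2004"]                      # constructed history
    for pw in ("", "abc123", "aaa", "20041021", "UniData", "Gaylord,04", "Texan#2004", "Gr4pevine!"):
        broken = validate_sb_password("unidata", pw, history=previous)
        verdict = "ok" if not broken else "; ".join(f"rule {n}: {RULES[n]}" for n in broken)
        print(f"{pw!r}: {verdict}")
```

The custom option on the next slide layers lockout and stricter composition rules on top of rules 1 to 4; the lockout itself is a per-account counter like the TCB u_numunsuclog field shown earlier, not a property of the password string, so it does not belong in a function of this shape.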

Page 42:

ExcaliburEDGE Password Validation

• Custom
  • SB supplied rules + custom programming
  • Lock the account after a user-defined number of unsuccessful tries
  • Custom programming: more stringent password composition rules, plus rules 1-4 of the 8 SB supplied rules

Page 43:

REFERENCES

Administering Your HP-UX Trusted System
http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90121/B2355-90121_top.html&con=/hpux/onlinedocs/B2355-90121/00/00/7-con.html&toc=/hpux/onlinedocs/B2355-90121/00/00/7-toc.html&searchterms=tcb&queryid=20040823-165133

SAMBA
http://us1.samba.org/samba/

CIFS/9000
http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B8725-90021/B8725-90021_top.html&con=/hpux/onlinedocs/B8725-90021/00/00/3-con.html&toc=/hpux/onlinedocs/B8725-90021/00/00/3-toc.html&searchterms=CIFS/9000&queryid=20040827-082019