Jun 1st notebook

Strong ES Model:::::: When Strong ES Model enabled, a system can not act as an IP router. And drops incoming IP packets with destination IP addresses that do not match the interface address. Outbound IP packets must use the interface address as the source IP address.

—————————————————————————————————————————–

SRP local compartment state can grep from the file::::::/var/opt/hpsrp/state/srpname

—————————————————————————————————————————–

To enable additional users for INIT compartment login:::::

>roleadm assign <usrname> SRPlogin-init

To enable additional groups for INIT compartment login::::::

>roleadm assign “&<group_name>” SRPlogin-init

—————————————————————————————————————————–

To allow additional users to use the srp_su command, following these steps::::::

• Create one new hpux.security.srp_su authorization per system:::authadm add hpux.security.srp_su
• Create a new role per SRP:::roleadm add newRole
• Assign the hpux.security.srp_su authorization to one role per SRP:::authadm assign newRole hpux.security.srp_su “srp_name”
• Assign a role to each user:::roleadm assign user_name newRole
  

Read Full Post »

inetd && xinetd

The services listed in the xinetd’s configuration file can be separated into two groups::::::

multi-threaded: require the forking of the new server process for new connection request. The new server then handles that connection. xinetd keeps listening for new requests so that it can spawn new servers.

single-threaded: the service daemon is responsible for handling all the incoming connection request. Incoming connection request is processed one after another.

xinetd is not limited to services listed in /etc/services, therefore anybody can use xinetd to start special purpose servers.

————————————————————————————————————————————

xinetd performs certain actions when it receive certain signals. The actions associated with the specific signals can be redefined by editing config.h and recompiling.

Default configuration file: /etc/xinetd.conf, /etc/xinet.d/

Read Full Post »

Apr 26th notebook — RBAC

Constrains that limit access to resources usually fit into 3 categories:

• Subject: The entity attempting to access the resource, under OS usually is a user or a process associated with a user
• Operation: An action performed on a resource, under OS usually is an application or a command — hpux.user.add
• Object: The target of the operation

———————————————————————————————————————————————————-

RBAC addresses these issues by grouping users with common authorization needs into roles.

Example operation after invoking privrun:::::

———————————————————————————————————————————————————-

Three steps to deploy RBAC::::::

1. Plan  roles for users
2. Plan authorizations for the roles
3. Plan the authorization to command mappings

Three steps to configure RBAC:::::::

1. Configure the roles::::::: roleadm to manage roles under HPUX, add/delete/modify/assign/revoke/list…
2. Configure the authorizations::::::: authadm to manage authorizations under HPUX, add/delete/assign/revoke/list…
3. Configure any additional commands:::::: cmdprivadm to edit a command’s authorization and privilege information, add/delete…

———————————————————————————————————————————————————-

RBAC can also use compartments to configure applications to run in a particular compartment.

Use only cmdprivadm command to configure compartments for commands, do not edit the /etc/rbac/cmd_priv directly, to update,

first delete the entry and then add the updated version back in.

Read Full Post »

Apr 23rd notebook — ADMIN

Compartment uses four kinds of configuration rules:

• file system rules
• IPC rules
• network rules
• miscellaneous rules

There are two kinds of rules: subject-centric or object-centric

Admins can use last command to read the file /var/adm/wtmp to check if any illegal user try to login

Admins can use who -u to list the currently logged on user



HPUX Authentication Modules Under PAM subsystem.

User could use passwd -l user to lock of forbid user.

Admin could use last -R to check abnormal super user log on.

Read Full Post »