CMW+ 3.0.1 Installation Cover Letter (cmw435c.doc) v1.0

The purpose of this document is to describe how to install and configure your system so that it will match the configuration submitted for evaluation at ITSEC security level F-B1/E3.

1. Hardware Platform

There are three different hardware platforms submitted for evaluation:

* Unisys SMP 5400
* Elonex PC590/1
* Elonex PC571/1

2. Software

* SCO CMW+ 3.0.1
* SLS cmw002a
* SLS cmw003a
* SLS cmw435c
* SLS cmw489b

For the Unisys SMP 5400, you will also need:

* SCO MPX for CMW+
* SCO AHS 3.4 Multiprocessing Drivers
* Adaptec 7800 Manager Set v1.20
* Cogent SCO UNIX ODT 3.0 Driver for EM727, EM932, EM935 and EM845

For the Elonex PC590/1, you will also need:

* SCO MPX for CMW+
* SCO AHS 3.4 Multiprocessing Drivers
* Adaptec 7800 Manager Set v1.20

For the Elonex PC571/1, you will also need:

* Symbios Logic SDMS 3.0 BTLDPCI-3.04.00

3. Verifying Software Authenticity

Your CMW+ 3.0.1 software and manuals will have been delivered to you individually shrink-wrapped. When you receive them, you should check that the shrink-wrap is intact, and that the Certificate of Licence and Authenticity, with the SCO hologram affixed, is present. If either the software or the manuals have been tampered with, or you do not receive all of the media and manuals that you expected, you should contact the supplier of the software before continuing the installation.

To verify the authenticity of the additional software diskettes, you should contact your SCO support representative, who will provide you with a list of diskette names and checksums which you can use to check the authenticity of your diskette copies.

The additional third-party driver diskette images are available for ftp from the following locations:

ftp://ftp.sco.com/TLS/tls607adp.dd.Z (Adaptec 7800 Manager 1.20)
ftp://ftp.sco.com/TLS/tls607cgn.dd.Z (Cogent network card drivers)
ftp://ftp.sco.com/TLS/tls607smb.dd.Z (Symbios Logic BTLD 3.0.4)

The procedure for creating diskettes from these images is described in the accompanying document on the ftp site:

ftp://ftp.sco.com/TLS/tls607.ltr

4. Installation Procedure

Before beginning installation, you should ensure that you have noted the documentation errata specified and referred to in section 12 of this document. You are advised to mark up your documentation set where changes are necessary.

Note on Re-linking the Kernel

You will be asked if you wish to re-link the kernel several times during the installation procedure. It is not strictly necessary to re-link the kernel at each step, but you must ensure that, after the question has been asked, the kernel is re-linked at least once before the system is next rebooted. You can re-link the kernel manually by entering the following commands:

    cd /etc/conf/cf.d
    ./link_unix

You should reply "yes" to the prompts asking whether to make this kernel boot by default, and whether to rebuild the kernel environment.

Installation Instructions

Follow the installation procedure as described in chapter 2 of the SCO CMW+ Installation and Upgrade Guide, with the following additions:

If you are installing from a SCSI tape device, first make sure that it is configured as SCSI device ID 2. If you are installing from a CD-ROM, first make sure that it is configured as SCSI device ID 5. If your system's BIOS supports power management, ensure that it is disabled before beginning installation.

At step 4, type "link". At the prompt asking for the package name, enter "alad" for the Unisys SMP 5400 and Elonex PC590/1, or enter "bscam" for the Elonex PC571/1. When prompted, insert the appropriate BTLD diskette (Adaptec for "alad", Symbios Logic for "bscam"). Continue with step 5 in chapter 2.

At step 8, follow the on-screen prompts. At the "Installation Setup" screen, choose "Overwrite" for your installation type. At the "Software Setup" screen, deselect the NFS package from "Optional Components".

At step 15, you will be asked for mail subsystem configuration information. Follow the on-screen prompts.

At step 17, for the Elonex PC575/1, you may see the message "Cannot create /usr/tmp/buffer" displayed; this message is harmless and should be ignored.

At step 23, invoke "custom" to begin installation of the supplementary diskettes (the operation of custom is described in Appendix H of the Installation Guide). By selecting "Install", "A New Product", install each of the following diskettes in turn:

* SCO CMW+ Maintenance Supplement 1: these diskettes are included in the CMW+ box.
* MPX for CMW+ disk (if necessary): when prompted, enter your MPX serial number and activation key. It is not necessary to install the Open Desktop version of MPX on this system.
* SCO AHS 3.4 Multiprocessing Drivers (if necessary): you should select only the "APIC" driver.

At this point, the kernel should be rebuilt - you should answer "yes" to the prompts asking whether the new kernel should boot by default, and whether to rebuild the kernel environment. You should then reboot the system to use the new kernel by ending "custom" and typing the command "reboot" - remove any diskette that may still be in the drive.

At the single user mode prompt, enter the "root" user name and password to re-enter system maintenance mode. At this point, you should set the system time and reset the root password, in order to avoid a problem with the password change time previously being set incorrectly (if you do not do this, you may experience problems when you first enter multi-user mode).

First you will need to remove the last successful password change time from root's protected password entry: edit the file /tcb/files/auth/r/root, and remove the text beginning "u_succhg#" and finishing at the first following ":". For example, if the relevant line in the file had been:

    :u_minchg#0:u_succhg#833382840:u_unsucchg#833381773:u_pickpw:\

you should change it to:

    :u_minchg#0:u_unsucchg#833381773:u_pickpw:\

To set the system time and reset the password, enter the following commands, and follow the on-screen prompts:

    /etc/asktime
    /tcb/lib/passwd

Invoke custom again, and using "Add a New Product" install the following diskettes, in this order:

* SCO CMW+ File System SLS (cmw002a)
* SCO CMW+ PPP SLS (cmw003a)
* SCO CMW+ ITSEC Evaluation SLS (cmw435c)
* SCO CMW+ Year 2000 SLS (cmw489b)

At this stage, for the Unisys SMP 5400, you should also install the network card driver from the Cogent EISA Ethernet Drivers diskette. Choose the "Packages" option, rather than "Entire Product", and select the "emC" (EM935) driver.

Continue with step 24 in chapter 2 of the Installation Guide. At step 25, for the Elonex PC590/1 and PC571/1, select the "nat" (NE2000) network driver.

At step 31, run "mkdev graphics" directly. For the Unisys SMP 5400 only, select the Cirrus Logic GD5424 controller. For the Elonex PC590/1 and PC571/1, select the Tseng Labs ET4000 controller.

You should ensure that the kernel has been re-linked, and then reboot the system, before attempting to enter multi-user mode (step 32).

5. Additional Configuration

On-line Manual Pages

As shipped, the configuration file for the man(C) command does not display manual pages in the documented order.
To correct this, make the following changes by editing the file /etc/default/man:

Change the line beginning MODE= to read:

    MODE=ALL

Change the line beginning ORDER= to read (as a single line):

    ORDER=C:c:1:S:s:2:3:CP:CT:5:M:m:1m:7:F:f:HW:hw:DOS:TC:tc:ADM:adm:ADMN:admn:X:1X:x:XS:3X:3x:SFF:sff:4:STR:str:MP:mp:UCB:LOCAL

Printer Paper Size

To correctly support the A4 paper size for labelling when using the hpjet3 interface script, you should make the following change to the file /usr/spool/lp/admins/lp/interfaces/printer, where printer is the name of the printer you have previously configured: after each occurrence of the character string \033E insert the character string \033&l26A (note the letter 'l', not the digit '1'). This character string should occur three times in the file. Note that if you are using the USA standard paper size, you should not make this change.

Protecting telnet and ftp Passwords

In order to disallow clear-text passwords with both telnet and ftp, you should ensure that the entries for both telnetd and ftpd in the file /etc/inetd.conf do not give the argument "-c". The shipped configuration file includes the -c flag for telnetd, so you should edit /etc/inetd.conf to remove it from that line.

Disabling the rlogin Command

To avoid the danger of possible snooping of passwords from network packets, you should disable the rlogin service. This is done by inserting a '#' (comment) character in the file /etc/inetd.conf, at the start of the line beginning "m6login".

Other Network Services

No other changes should be made to the supplied /etc/inetd.conf file; in particular, you should not uncomment the lines which would enable UDP services. Note that, as specified in Chapter 4 of Administering Network Services in the SCO CMW+ System Administrator's Guide, the BIND name service, named(ADMN), is not supported and should not be enabled.
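The three /etc/inetd.conf settings just described (no "-c" on telnetd or ftpd, the m6login line commented out, no UDP services active) can be audited mechanically. The following shell script is an added example, not part of this cover letter or of SCO's software; it assumes the standard seven-field inetd.conf layout (service, socket type, protocol, wait flag, user, server program, arguments) and runs over a constructed excerpt rather than the real file.

```shell
#!/bin/sh
# Added example: audit an inetd.conf against the evaluated configuration.
# Assumed line layout: service socket-type protocol wait/nowait user server-program args...

# Constructed excerpt resembling the shipped file: telnetd still carries -c,
# the m6login (rlogin) line is active and a UDP service has been uncommented.
INETD_SHIPPED='# constructed inetd.conf excerpt (as shipped)
ftp      stream  tcp  nowait  NOLUID  /etc/ftpd     ftpd
telnet   stream  tcp  nowait  NOLUID  /etc/telnetd  telnetd -c
m6login  stream  tcp  nowait  NOLUID  /etc/rlogind  rlogind
talk     dgram   udp  wait    NOLUID  /etc/talkd    talkd'

# The same excerpt after the edits described in section 5.
INETD_HARDENED='# constructed inetd.conf excerpt (hardened)
ftp      stream  tcp  nowait  NOLUID  /etc/ftpd     ftpd
telnet   stream  tcp  nowait  NOLUID  /etc/telnetd  telnetd
#m6login stream  tcp  nowait  NOLUID  /etc/rlogind  rlogind
#talk    dgram   udp  wait    NOLUID  /etc/talkd    talkd'

# Read an inetd.conf on stdin, print one line per finding, and return the number
# of findings as the exit status (0 means the file matches the evaluated configuration).
check_inetd_conf() {
    awk '
    BEGIN { bad = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # commented-out and blank lines are inactive
    {
        svc = $1; proto = $3; prog = $6
        sub(/.*\//, "", prog)                    # basename of the server program
        if (prog == "telnetd" || prog == "ftpd")
            for (i = 7; i <= NF; i++)
                if ($i == "-c") {
                    printf "%s: %s started with -c, clear-text passwords allowed\n", svc, prog
                    bad++
                }
        if (svc == "m6login") {
            printf "%s: rlogin service enabled, comment this line out\n", svc
            bad++
        }
        if (proto == "udp") {
            printf "%s: UDP service enabled, UDP lines should stay commented out\n", svc
            bad++
        }
    }
    END { exit bad }'
}

printf '%s\n' "$INETD_SHIPPED" | check_inetd_conf || echo "shipped excerpt: $? finding(s)"
printf '%s\n' "$INETD_HARDENED" | check_inetd_conf && echo "hardened excerpt: compliant"
```

To audit the live file, feed it on stdin (`check_inetd_conf < /etc/inetd.conf`) from a suitably privileged account; the m6dbinteg(1M) checks mentioned in section 10 cover remote host configuration, not inetd.conf.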
Changing Home Directory for Pseudo-Users

As shipped, the home directory settings for the pseudo-users dos and asg can expose the system to a security vulnerability. To correct this, carefully edit the file /etc/passwd (modifying this file incorrectly can result in locking out the system) to make the following changes:

On the line beginning "dos:", delete the 3 characters "tmp" from before the end of the line, so that it reads:

    dos:*:16:11:DOS device:/:

On the line beginning "asg:", delete the 7 characters "usr/tmp" from before the end of the line, so that it reads:

    asg:*:8:8:Assignable devices:/:

Initialising Audit Parameters

You should initialise the audit parameter files before enabling auditing for the first time. This is done by executing the following command as root:

    mkaud -p -s

You should also set the default action for when auditing fills available disk space to shut down the system. This parameter may be changed using the Security Officer interface menu Audit, Maintenance, Modify Audit Parameters.

Removing Account Locked Notification

To avoid the risk of an intruder using the account locked notification in order to verify a guessed password despite the maximum number of failed logins already having been attempted, you should edit the file /usr/lib/X11/errors/XAuthMgr/AuthErrors. Locate each of the following paragraphs of text:

    The account is locked due to an excessive number of unsuccessful login attempts. Please contact your site security officer.

    The terminal is locked due to an excessive number of unsuccessful login attempts. Please contact your site security officer.

    The host is locked due to an excessive number of unsuccessful login attempts. Please contact your site security officer.

Each of these paragraphs in turn should be replaced with the single line:

    Login incorrect - please try again

Additional sendmail Configuration

Locate the following text in the file /usr/lib/sendmail.cf:

    # default UID (bin)
    Ou2
    # default GID (mail)
    Og7

This text should be changed to:

    # default UID (nouser)
    Ou28
    # default GID (nouser)
    Og28

Disabling mscreen

mscreen is not functional on CMW+, but it is installed with the set-user-id attribute. To remove the risk of this being used to compromise system security, disable it by executing the following command as root:

    chmod 0 /usr/bin/mscreen

Information Labels

Note that your system, when installed as described in this cover letter, will have display of information labels disabled by default. This is the configuration of the system as evaluated. If you should choose to enable information labels (see p224 of the Trusted Facility Manual), the enforcement of MAC labels will still be in effect, but the window manager will display both the MAC label and the information label. As display of information labels was not included in the evaluation, and due to the potential confusion between MAC labels and information labels, it is recommended that you not enable this.

Avoiding Use of Unsecured Utilities

Chapter 13 of the SCO CMW+ Release Notes lists a number of system utilities which have not been modified specifically for CMW+. Commands marked 3 will in general work on CMW+, but do not support use with CMW+ specific extensions, such as sensitivity labels, file privileges and multi-level directories. Commands marked 5 will in general not work reliably on CMW+. To ensure that the integrity of your system is not compromised, you should avoid use of both these categories of commands.
Security-unaware Commands (3)

S51K, S52K, XENIX
You should inform sysadmin-authorised users not to select these file system types when creating new file systems (note that S52K is not included in this release in any case), as they do not support extended security attributes.

backup, restore
These commands do not pose any risk to system integrity when run by unprivileged users; however, you should ensure that privileged users are aware that these commands should not be used for routine system backups, as the security attributes of files will not be preserved.

btldinstall
This command is not accessible to unprivileged users. It could be used by privileged users, but note that it will make changes to the kernel which are likely to render your system incompatible with the configuration submitted for evaluation.

clean_screen
This command fails to operate on CMW+.

cleantmp
Although this command will work on CMW+, note that it is not multilevel-directory aware, and so will only remove temporary files at the sensitivity level at which it is started. The invocation of cleantmp from the root crontab has been disabled in CMW+.

ecc, eccd
These utilities are not supported on CMW+. Note that they are disabled by default - you should not enable them with mkdev eccd.

frec
This utility does not recognise extended format file system images, and therefore will fail to extract files from a volcopy(ADM) image made from your system (only extended format file systems should have been on your system, see S51K, etc. above). The only way to recover files from the volcopy image is to copy the entire image back to a mountable file system.

fsname
This utility does not recognise extended format file system images, and thus will fail to display or set volume names on your system, which will have only extended format file systems (see S51K, etc. above).

install
This command may be used as documented, but note that it is not capable of setting extended security attributes on files.

layers
Use of the layers(C) command is not supported on CMW+. Note that the command will fail unless layers has previously been configured. You should not configure layers (mkdev layers) on your system.

listen
This utility (/usr/net/nls/listen) fails to operate on CMW+.

logger
This utility (/etc/logger) is not supported on CMW+. It is only executable by privileged users, and should not be invoked.

mscreen
mscreen is not supported on CMW+. Since serial terminals are not included in the evaluated configuration, it is not operative in any case.

passmgmt
This NIS utility is not included in CMW+.

pt_chmod
Note that SLS cmw435c includes a fixed version of pt_chmod, so that it can be used without risk of compromising system integrity.

sysadmin
This utility is not included in CMW+.

uucp
The UUCP suite of programs is not included in CMW+.

win
This command is a front-end to the dos DOS-Merge command, and is subject to the same restrictions on use (see section 6 below).

finger, fingerd
The finger(C) command is only supported on the local machine; incoming finger requests are rejected, as the fingerd daemon is not configured by default on CMW+.

gettable, htable, whois
These commands are inoperative on CMW+, as no nicname server is provided.

logger, syslogd
Use of /usr/bin/logger and /etc/syslogd is not supported in the evaluated configuration. Note that syslogd(ADMN) is not started by default, and therefore logger(TC) is ineffective.

mkhosts
mkhosts(ADMN) has not been enhanced to check for authorisations or raise privileges, so it must be run by a privileged user such as root in order to run successfully.

named, rarpd, rexecd, routed, talkd, timed, uucpd
These network daemons are not supported on CMW+ and should not be enabled in /etc/inetd.conf.

ntp
ntp utilities are not included in CMW+.

rmail
As UUCP is not supported on CMW+, the rmail(ADM) command is not functional.

ruptime
As rwhod is not included in CMW+, this command is not functional.
rwho, rwhod
These utilities are not included in CMW+.

slattach
SLIP is not supported on CMW+, so the slattach(ADMN) command will fail.

talk
As talkd is not started by default in CMW+, this command is not functional.

Unsupported Commands (5)

ale, ap, authckrc, authsh, chg_audit, cps, execbprg, fixmog, goodpw, passwdupd, pwconv, pwunconv, relax, report.expire, report.login, report.term, rmuser, sddate, smmck, tcbck, ttys_update, ttyupd, unretire, useshell, zeroexit
These OpenServer utilities are not present on CMW+.

rmnttry, rmount, rumount
These utilities can only be run by root. As RFS remote file sharing is not supported on CMW+, these utilities are obsolete and should not be used.

sulogin
This utility cannot be run by unprivileged users. It is not used on CMW+, and as noted on the manual page, sulogin(ADM), it should not be directly invoked in any case.

pppd
Note that SLS cmw003a includes an enhanced version of pppd, which operates correctly on CMW+.

6. Additional Notes on Creating Users

All users of the system should each have a new account created for them. When creating a user account, do not reuse any of the account names or user id numbers that are already assigned by the system (the System Administrator interface will show a warning if you attempt to do this).

Normally, users will not be allocated more than one account each, and no user will have more than one account per workstation. If, for operational reasons, it is necessary for a user to have more than one account, the system administrator will brief that user as to the correct usage of that account in accordance with their organisation's security policy.

When creating a user account, do not assign that user to any of the groups which are already defined on the system as shipped, except the group "group". You may create new groups to include your users in as you wish.
When creating a new group, do not use any of the group id numbers that are already in use (the System Administrator interface will show a warning if you attempt to do this).

When unlocking a newly-created account, you should set that user's password parameters using the Security Officer interface. You should select either that the user will be assigned system-generated passwords, or that the user may choose their own password. If you allow the user to choose their own password, you should also select the "Perform triviality checks" option.

When modifying user account parameters, you should not disable the "Maximum number of unsuccessful logins" field in the login controls.

Note that, as access to the DOS Merge facility is not part of the evaluated configuration, you should not assign the "dos" command authorisation to untrusted users.

Finally, note that when a user account is retired, that user may still have batch jobs enabled (see the manual pages for the commands at and cron). These batch jobs should be deleted manually.

7. Configuring Remote Hosts

Enable network communications between your systems by setting up the security parameters for each pair of communicating hosts, as documented in the MaxSix Administrators Guide, chapter 2. Do not include any unlabelled hosts (as described in chapter 3) on your network.

Note that, in order to unlock the automatically configured host entries for "localhost" and the entry for the name you chose for your system, you must first have selected the corresponding entry or entries in the remote hosts database in the Network Security Officer Role program, and chosen "Add" to update the host's entries in the terminal control database.

For each user that you wish to be able to execute the rcmd utility, you should create a .rhosts file (see the rhosts(SFF) manual page) in that user's home directory on each remote system, including entries specifying only that user's user name, together with the name of each of the systems from which they will be executing the rcmd utility. You should not make use of system-wide settings in the /etc/hosts.equiv file unless you also ensure that each of the systems you have enabled communications between will have identical sets of user names and ids.

8. Modifying the Standard Encodings File

In certain cases, you may find it necessary to modify your Encodings file to change the classifications and compartments which are considered valid on your system. Modifying the Encodings file after initial system boot is not recommended. If it is considered necessary to make such a modification, it should be done as soon as possible to avoid the potential loss of information.

Changing the Encodings file is an involved procedure. If you do not carefully follow the instructions listed below, you may leave the system in a state where it cannot boot. If you need more information on the basic concepts and structure of the Encodings file, you should refer to the document entitled Defense Intelligence Agency Compartmented Mode Workstation Labeling: Encodings Format. This document is available from the Defense Intelligence Agency to qualified recipients.

Precautions

A major consideration when preparing to replace the Encodings file is files that currently exist on the system. The only sensitivity labels that will be the same before and after the change are syslo and syshi. You should note that the actual meaning of syslo and syshi may change with the Encodings file. If files exist on the system at any other sensitivity levels, they may be inaccessible after the change.
You should reset the sensitivity label of these files to syslo or syshi before attempting to change the Encodings file.

Similar consideration should be given to any multilevel directories that exist on the system. Note that the only child directories that will be accessible after an Encodings file change are those that map to syslo and syshi. You should carefully check all multilevel directories and move any files in such child directories to a safe location. You should also remove the child directories as a matter of general cleanup.

If your system is running on a network with other trusted systems, additional consideration must be given to the effect on the network. The MaxSix databases on the target machine must be modified to correctly reflect the new Encodings file. Additionally, the mappings file /tcb/files/M6MAPPINGS residing on each additional trusted system that networks with your system will need to be modified to account for the new Encodings file.

A final consideration is the Audit subsystem. You should note that any previous audit trails will be unusable after a modification to the Encodings file. Additionally, previously created report selection files may be unusable as well.

Installing an Encodings File

To install the new Encodings file:

Step 1: From the Audit Menu of the ISSO Role Program on the Trusted Path, disable auditing.

Step 2: Bring the system down to single-user mode by selecting Single User Mode from the Trusted Path Menu. Move the existing Encodings database and file to a safe place:

    % cd /etc/policy/macilb
    % mv Encodings.db Encodings.db.safe
    % mv Encodings Encodings.safe

Note that the ASCII version of the Encodings file may not exist on your system.

Step 3: Make a safe copy of the configuration file:

    % cp config config.safe

Step 4: Load the new ASCII Encodings file in /etc/policy/macilb/Encodings.

Step 5: Edit /etc/policy/macilb/config to reflect the new Encodings file. The first line after the comments should be modified to match the classifications, compartments, and markings in the Encodings file. The third number should be set to the highest "value" + 1 for Classifications. The fourth number should be set to the highest "compartment" + 1, and the fifth number should be set to the highest "marking" + 1. Take, for example, this segment of an Encodings file:

    CLASSIFICATIONS:
    name=UNCLASSIFIED; sname=U; value=1;
    name=CONFIDENTIAL; sname=C; value=2;
    name=SECRET; sname=S; value=4;
    name=TOP SECRET; sname=TS; value=5;
    INFORMATION LABELS:
    WORDS:
    name=REL; prefix;
    name=LIMDIS; sname=LD; suffix;
    name=ORCON; sname=OC; prefix;
    name=eyes only; sname=eo; suffix;
    name=nato; minclass=C; compartments=1;
    name=alfa; minclass=C; compartments=2;
    name=siop; minclass=C; compartments=3;
    name=ultra; sname=ul; minclass=C; compartments=5;
    name=sac; minclass=S; compartments=7;
    name=trident; sname=tr; minclass=S; compartments=8;
    name=UK; markings=0; prefix=REL;
    name=Canada; sname=can; markings=1; prefix=REL;
    name=proj1; minclass=C; markings=14; suffix=LIMDIS;
    name=proj2; minclass=C; markings=6; suffix=LIMDIS;
    name=comp1; sname=c1; minclass=C; markings=9; prefix=ORCON;
    name=comp2; sname=c2; minclass=C; markings=15; prefix=ORCON;
    name=ceo; markings=8; suffix=EO;
    name=vp; markings=10; suffix=EO;

The highest classification "value" shown is 5, therefore the number used would be 6. The highest "compartment" listed is 8, so the number used would be 9. The highest numbered "marking" is 15, which would make the number used 16. The resultant config file would appear as:

    /tcb/files/MACILBDBASE 64 20 6 9 16 3 2 1 1 2 1

Note that it is not necessary that the value be the highest number incremented only by 1. Values can be the highest number incremented by any integer.
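The Step 5 computation above can be done mechanically rather than by reading the Encodings file by eye. The following shell script is an added example, not part of this cover letter or of SCO's software; it assumes a line-oriented Encodings file and that comment lines in /etc/policy/macilb/config begin with '#', and it runs over the Encodings segment quoted above together with a constructed config line whose numbers belong to an older Encodings file.

```shell
#!/bin/sh
# Added example: derive the three Encodings-dependent numbers for
# /etc/policy/macilb/config (highest classification value + 1, highest
# compartment + 1, highest marking + 1) and patch them into the first
# non-comment config line.  Assumptions: line-oriented Encodings file,
# '#' comment lines in config, the three numbers are fields 4, 5 and 6.

# Constructed sample: the Encodings segment quoted in Step 5.
ENCODINGS_SAMPLE='CLASSIFICATIONS:
name=UNCLASSIFIED; sname=U; value=1;
name=CONFIDENTIAL; sname=C; value=2;
name=SECRET; sname=S; value=4;
name=TOP SECRET; sname=TS; value=5;
INFORMATION LABELS:
WORDS:
name=REL; prefix;
name=LIMDIS; sname=LD; suffix;
name=ORCON; sname=OC; prefix;
name=eyes only; sname=eo; suffix;
name=nato; minclass=C; compartments=1;
name=alfa; minclass=C; compartments=2;
name=siop; minclass=C; compartments=3;
name=ultra; sname=ul; minclass=C; compartments=5;
name=sac; minclass=S; compartments=7;
name=trident; sname=tr; minclass=S; compartments=8;
name=UK; markings=0; prefix=REL;
name=Canada; sname=can; markings=1; prefix=REL;
name=proj1; minclass=C; markings=14; suffix=LIMDIS;
name=proj2; minclass=C; markings=6; suffix=LIMDIS;
name=comp1; sname=c1; minclass=C; markings=9; prefix=ORCON;
name=comp2; sname=c2; minclass=C; markings=15; prefix=ORCON;
name=ceo; markings=8; suffix=EO;
name=vp; markings=10; suffix=EO;'

# Constructed sample config whose numbers still match an older Encodings file.
CONFIG_SAMPLE='# MAC/ILB policy configuration (constructed sample)
/tcb/files/MACILBDBASE 64 20 4 5 8 3 2 1 1 2 1'

# Read an Encodings file on stdin; print "<maxvalue+1> <maxcompartment+1> <maxmarking+1>".
# Only "value=" entries under CLASSIFICATIONS: count; compartments= and markings= count anywhere.
encodings_config_numbers() {
    awk '
    BEGIN { maxc = 0; maxk = 0; maxm = 0 }
    /^[A-Z ]+:[ \t]*$/ { section = $0; sub(/[ \t]+$/, "", section) }   # e.g. CLASSIFICATIONS:
    {
        n = split($0, kv, ";")
        for (i = 1; i <= n; i++) {
            s = kv[i]; gsub(/^[ \t]+|[ \t]+$/, "", s)
            if (split(s, p, "=") != 2) continue      # bare keywords such as "prefix" carry no number
            key = p[1]; val = p[2] + 0
            if (section == "CLASSIFICATIONS:" && key == "value" && val > maxc) maxc = val
            else if (key == "compartments" && val > maxk) maxk = val
            else if (key == "markings" && val > maxm) maxm = val
        }
    }
    END { printf "%d %d %d\n", maxc + 1, maxk + 1, maxm + 1 }'
}

# Read a config file on stdin and rewrite fields 4-6 of the first non-comment line
# with the three numbers given as arguments; every other line passes through unchanged.
patch_config_numbers() {
    awk -v c="$1" -v k="$2" -v m="$3" '
    !done && !/^#/ && NF >= 6 { $4 = c; $5 = k; $6 = m; done = 1 }
    { print }'
}

# Derive the numbers from the Encodings sample and apply them to the config sample.
derive_config() {
    nums=$(printf '%s\n' "$ENCODINGS_SAMPLE" | encodings_config_numbers)
    # word-splitting of $nums into three arguments is intended
    printf '%s\n' "$CONFIG_SAMPLE" | patch_config_numbers $nums
}

derive_config      # last line printed: /tcb/files/MACILBDBASE 64 20 6 9 16 3 2 1 1 2 1
```

Against the live files, pipe /etc/policy/macilb/Encodings into encodings_config_numbers and config.safe into patch_config_numbers, and compare the result with the existing config line before copying it into place.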
Step 6: Convert the ASCII Encodings file to binary format using the labelcomp(1M) command:

    % /tcb/bin/labelcomp -o Encodings.db Encodings

Step 7: Move the Mandatory Access Control policy tag database aside and create a new one:

    % cd /tcb/files
    % mv MACILBDBASE MACILBDBASE.old
    % mkdb MACILBDBASE 1024 50

Step 8: Reboot the system, and re-enter single-user mode.

Step 9: Use the initauthdb(1M) command to re-initialise the System Default database and the u_clearance field in the protected password entry for root:

    % /tcb/lib/initauthdb

Step 10: Modify the various security databases to replace references to invalid labels. These files include:

    /etc/auth/system/devassign
    /etc/auth/system/default
    /tcb/files/auth/*/*
    /usr/lib/X11/mand_appear

Instructions for modifying the mand_appear file can be found in the chapter "Trusted Window System", section "Configuring Mandatory Appearance Parameters". Note that the designations syslo and syshi may be used.

Step 11: In order for the changes to take effect, you must shut down and reboot the system:

    % sync
    % reboot

Step 12: Run setfiles(1M) to ensure the proper set of permissions and sensitivity labels on all files:

    % /tcb/bin/setfiles

Step 13: Re-initialise the audit parameter files:

    % /tcb/bin/mkaud -a

Updating the MaxSix Databases

When the preceding instructions have been successfully completed, the Network Security Officer (NSO) will need to modify various MaxSix databases to reflect the new Encodings file. It is suggested that these steps be done while in single-user mode.

The MaxSix interface control database, /tcb/files/M6IDB, should be examined to see if any of the interface entries specifically list a sensitivity label. In each entry, the four fields of interest are min_sl, max_sl, def_sl, and def_ilb. These fields should be modified to reflect valid sensitivity and information labels with regard to the new Encodings file. Note that syslo and syshi are valid labels. Refer to the M6IDB(4) manual page for more information on this file.

All entries of the MaxSix remote host database, /tcb/files/M6RHDB, should be checked to see if the fields min_sl, max_sl, and def_sl refer to valid sensitivity labels with regard to the new Encodings file. Note that syslo and syshi are valid labels. Refer to the M6RHDB(4) manual page for more information on this file.

The MaxSix translation rules, /tcb/files/M6MAPPINGS, will also need to be modified to correctly translate to and from the sensitivity labels as determined by the new Encodings file. Note that once the M6MAPPINGS file has been modified, the m6parser(1M) program should be run to compile it into its binary form, /tcb/files/M6BINMAP. Note that changes to the M6MAPPINGS file may need to be made to the other trusted systems on the network if they wish to properly communicate with your system. Please see the chapter entitled "Advanced Administration" in the MaxSix Administrator's Guide for details.

When all the MaxSix databases have been successfully modified to reflect the new Encodings file, the system should be rebooted. Even if none of the MaxSix databases needs to be modified, you must run m6parser(1M) if the /etc/policy/macilb/config file has been altered.

9. Use of the root Account

When you have completed the installation process, and created privileged accounts with access to the ISSO, SysAdmin and NSOI role programs, you will no longer need to use the root account in normal operation. You should note, however, that the root account may still be necessary in order to log in to the system if security databases become corrupted. For this reason, you should change the root password to an obscure setting (a system generated password of at least 10 characters is recommended), and keep a note of the password in a secure place, so that it can be used if your system becomes otherwise inaccessible (this could occur due to power failure or hardware failure).

10. Maintaining System Security

Following the initial configuration of your system, you should continue to run periodic checks on the access controls for remote hosts - it is possible for users to add their own .rhosts files which may allow access from untrusted hosts. To check for the presence of these files, you should run the following command from an account with allowdacread and allowmacread privileges:

    find / -name .rhosts -print

You should check the contents of these files to verify that they do not violate your site's security policy. Note that the m6dbinteg(1M) command will also perform automatic checks on many aspects of remote hosts configuration, including .rhosts files - you may wish to set up a cron job to automatically execute this command on a regular basis and mail the output to a responsible person.

11. Advice on Setting or Changing Passwords of Other Users

In this section, "administrator" refers to the ISSO or another user with the "password" command authorisation.

The administrator is responsible for generating and assigning the initial password for each user. In addition, a user may forget their password, or the administrator may determine that a user's password may have been compromised. To be able to correct these problems, the administrator may also change the password of any user by generating a new one. The administrator does not have to know the user's existing password in order to do this. Positive identification of the user should be sought by the administrator when a forgotten password must be replaced.

When a user's password has been set or changed by the administrator, the user is identified by the system as having an "expired password", which will require the user to change the password by the usual procedure before receiving authorisation to access the system. If the user is not physically present when their password is set or changed by the administrator, the new password must be communicated to the user by a secure means.
Conveyance of passwords through third parties or through unprotected electronic mail messages should be avoided. The administrator should seek confirmation from the user of receipt of the password within a reasonable time. 12. Documentation Notes Open Desktop/Open Server Documentation The SCO CMW+ package includes some printed and on-line documentation that refers to SCO Open Desktop or Open Server. Whilst the majority of that documentation is applicable to SCO CMW+, you should be aware that in some cases information is superseded by SCO CMW+ specific documentation. Where topics are present in both, the CMW+ document always takes precedence. Online Manual Pages The ftp manual page security addendum, ftp(c), indicates that ACLs are preserved; this is incorrect. The correct behaviour is documented in the Security Features User's Guide, page 175. Documentation Errata The SCO CMW+ Release Notes list additional documentation errata on pages 78, 102 and 155-156. User Documentation Errata for the Security Features User's Guide is presented in Appendix A. You may wish to provide that appendix separately to your users. Administrator Documentation Release Notes Pages 30-32: Disregard references to the on-line document Features and Limitations; this document is not provided with, and is not applicable to, SCO CMW+. Installation and Upgrade Guide Page 26, step 25: Disregard the text from "You should also configure �" to the end of this step. Page 27, step 34: Replace the text "XIsso" with "XSysAdmin". Note that the relevant page of the Trusted Facility Manual is page 47. Page 41: Replace the text "return to step 13 ... (page 24)" with "return to step 18 ... (page 25)". Page 58: Replace the text "step 14" with "step 32". Page 89: Add the following step: 9. Exit sysadmsh by pressing to return to the main menu, selecting Quit, and then confirming your selection. 
System Administrator's Guide Page 53: Replace the text "as though you entered a to the boot prompt" with "as though you typed the default boot string, adding the keyword auto". Note that when autobooting, the system will proceed directly to multi-user mode, rather than entering system maintenance mode first. Trusted Facility Manual Pages 123-125: The event type names given in the text do not precisely match those shown on the screen. Replace "Startup/Shutdown" with "Startup/Shutdown activity". Replace "User Login/Logout" with "Login/Logoff Activity". Replace "Process Start/Stop" with "Process creation/deletion activity". Replace "Object Allocation" with "Make object available". Replace "Object Mapping" with "Map object to subject". Replace "Object Modification" with "Modify object". Replace "Object Deallocation" with "Make object unavailable". Replace "DAC Modification" with "Discretionary access change". Replace "Admin Actions" with "System administrator activity". Replace "IPC Communication" with "Inter-process communication". Replace "Process Modification" with "Modify process". Replace "Audit Changes" with "Audit subsystem activity". Replace "Subsystem Changes" with "Privileged subsystem activity". Replace "Privilege Use" with "Use of privilege". Replace "Authorization Use" with "Use of authorization". Replace "Label Changes" with "Set policy label". Replace "X Window Events" with "Window system activity". Page 124: In the paragraph previously headed "Admin Actions", replace the text "or Operator" with "Network Security Officer or Operator". Page 125: Add to the paragraph previously headed "Label Changes": "This event type also includes changes to access control lists, clearances and information labels." Trusted Facility Administrator's Reference Manual Page 113 auth: Note that the auth command authorisation implies the password command authorisation. Page 119 lp: Note that the lp command authorisation implies the printerstat command authorisation. 
MaxSix Administrator's Guide Page 32: Disregard the text "except the indirect flag" - this flag is not present in this release. Page 133: Disregard the -v option on the ping command. Appendix A. Security Features User's Guide - Errata Page 7: Note that the administrator may have set a minimum password change time on your account, which could prevent you from completing the password change successfully. If this occurs, you will need to contact your system administrator to have the minimum password change time reset. Page 11: Note that the administrator may have set an inactivity timeout for your system. If this is the case, your user session will be automatically locked or terminated if you leave your session idle (i.e. without keyboard or mouse input) for the administrator-specified time. The inactivity timeout is not initiated until the login sequence has completed, when the security stripe will be shown at the bottom of the screen. Page 67: After the text "To set a file's set-group-ID bit when the file is group executable," add "you must have the chmodsugid base privilege and". Page 83: At the end of the mandatory write access paragraph, add "In addition, with the default privilege set (which includes the writeup privilege), a process can write to a file if the process's sensitivity label is dominated by the object's." Page 83 diagram: The text in the grey oval should read "Confidential". Page 88 table: The first item in the Relationship column should read "A Dominates B". Page 109: The grey ovals should be filled with the following text - from left to right: "Confidential Nato", "Secret", "Secret Alpha". Page 115 step 1: Add the text "then select Get/Set File Label from the File Operation options menu". Page 115 step 4: Replace the text "the following figure" with "the previous figure". Page 163: Disregard the paragraph labelled syshi - this authorisation is not present in this release.
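Returning to the periodic .rhosts check in section 10: the cover letter gives only the find command and leaves the review of each file's contents to the administrator. The script below is an added example, not part of the original cover letter or of SCO's tools, showing how that review can be automated so its output is fit for the cron-and-mail arrangement the section suggests. It assumes a site allowlist of trusted hosts (TRUSTED_HOSTS, hypothetical) and treats any "+" wildcard or any host outside the allowlist as a policy violation; the home-directory tree and .rhosts contents it scans are constructed inline for illustration. On CMW+ it would be run, as the letter says, from an account holding the allowdacread and allowmacread privileges.

```shell
#!/bin/sh
# Added example (not from the SCO cover letter): audit every .rhosts file under a
# root directory and report entries that fall outside a site allowlist.
# TRUSTED_HOSTS and the demo tree are constructed assumptions for illustration.

# Hosts the (hypothetical) site policy permits in .rhosts files, one per line.
TRUSTED_HOSTS="alpha.example.com
beta.example.com"

# is_trusted_host HOST -> exit 0 if HOST is on the allowlist (exact, fixed-string match).
is_trusted_host() {
    printf '%s\n' "$TRUSTED_HOSTS" | grep -qxF -- "$1"
}

# report_rhosts ROOT -> prints one "file: reason" line per offending .rhosts entry.
# An entry has the form "host [user]"; "+" in either position is a wildcard,
# and a host prefixed with "-" is an explicit deny, which is harmless.
report_rhosts() {
    find "$1" -name .rhosts -type f -print 2>/dev/null | while IFS= read -r f; do
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|\#*) continue ;; esac   # skip blank and comment lines
            set -- $line                               # split the entry on whitespace
            host=$1
            user=${2:-}
            case "$host" in
                +)  echo "$f: any-host wildcard '$line'" ;;
                -*) ;;                                 # deny entry: nothing to report
                *)  is_trusted_host "$host" || echo "$f: untrusted host '$host'" ;;
            esac
            if [ "$user" = "+" ]; then
                echo "$f: any-user wildcard '$line'"
            fi
        done < "$f"
    done
}

# count_rhosts_violations ROOT -> number of offending entries found (0 when clean).
count_rhosts_violations() {
    report_rhosts "$1" | wc -l | tr -d ' '
}

# make_demo_tree -> builds a constructed home tree with sample .rhosts files and
# prints its path. Expected findings: alice 0, bob 3, carol 1 (4 in total).
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice" "$d/home/bob" "$d/home/carol"
    printf 'alpha.example.com\nbeta.example.com alice\n' > "$d/home/alice/.rhosts"
    printf '# shared lab box\n+ +\nevil.example.net\n'   > "$d/home/bob/.rhosts"
    printf -- '-gamma.example.com\nalpha.example.com +\n' > "$d/home/carol/.rhosts"
    echo "$d"
}

# Usage: sh rhosts_audit.sh --demo
# In production the report would be generated over / from cron and mailed
# to the responsible person, alongside the m6dbinteg(1M) output.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_tree)
    report_rhosts "$root"
    echo "violations: $(count_rhosts_violations "$root")"
    rm -rf "$root"
fi
```

A clean run produces no report lines and a count of 0, which makes it easy for the mailed output to be filtered so that only non-empty reports reach the administrator.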