
Conference hydra::axp-developer

Title:Alpha Developer Support
Notice:[email protected], 800-332-4786
Moderator:HYDRA::SYSTEM
Created:Mon Jun 06 1994
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:3722
Total number of notes:11359

2970.0. "compuware" by MROA::MGREENFIELD () Fri Jan 03 1997 13:00

2970.1 by MROA::MGREENFIELD Fri Jan 31 1997 14:22 (329 lines)

From:	KAMLIA::beau "Jim Seagraves OSF/1 TPEG  14-Jan-1997 1415" 14-JAN-1997 14:15:43.75
To:	MROA::Mgreenfield
CC:	
Subj:	more questions on Compuware


Mike-
	1) Thinking about question 2 from compuware, the real question
is:

	Is Compuware writing their security code with C2 compliance in
     mind ?


If so then they have to use the APIs listed below, the default security
calls crypt(), etc. are not good enough.


2) I think I was distracted on the ocrypt question.  Are the other
APIs listed in your mail/note posting 3.2 APIs?  On V4.0 there
is no fg_newcrypt, or fg_crypt.  Are these flags in a structure ?

3) Does Compuware have to be compatible with ULTRIX ?  I know there
are different key lengths depending on what OSes you need to
interface with (in client/server env. app. for example).


thanks
Jim Seagraves


-----------------------------------------------------------------------------
--------- these are the "Enhanced Security" APIs, and admin calls, etc.
-----------------------------------------------------------------------------
XIsso (8)		- Windows interface for audit, default account 
parameters, and device assignments (Enhanced Security)
XSysAdmin (8)		- Windows interface for account administration 
functions (Enhanced Security)
acceptable_password (3) - Determines if a password meets deduction 
requirements (Enhanced Security)
auth_for_terminal_es (3)    - determine whether a given user is authorized 
for login on a given terminal (Enhanced Security)
authcap (4)		- Format of security databases (Enhanced Security)
authck (8)		- Checks internal consistency of the authentication 
database (Enhanced Security)
convuser (8)		- convert user profile information between BASE and 
ENHANCED formats
create_file_securely (3)    - Create a file in the authentication database  
(Enhanced Security)
default (4)		- System default database file (Enhanced Security)
devassign (4)		- Device assignment database file (Enhanced Security)
discrypt (3)		- encrypt a password, dispatching based on the 
associated algorithm (Enhanced Security)
edauth (8)		- update and list authcap database information 
(Enhanced Security)
enter_quiet_zone, exit_quiet_zone (3)	- Prevent keyboard interruption of 
program actions (Enhanced Security)
escap_parse_fields, escap_print_fields, escap_cmp_fields, escap_copy_fields, 
escap_size_data (3)    - parser routines for authcap-style data (Enhanced 
Security)
files (4)		- File control database	 (Enhanced Security)
get_num_crypts, get_crypt_name (3)  - determine the encryption types 
available (Enhanced Security)
get_seed_es (3)		- Obtain a drand48 seed value for an extended profile 
(Enhanced Security)
getdvagent, getdvagnam, putdvagnam, copydvagent (3) - Manipulate device 
assignment database entry (Enhanced Security)
getesdfent, getesdfnam, setprdfent, endprdfent, putesdfnam (3)	- Manipulate 
system default database entry (Enhanced Security)
getesdvent, getesdvnam, setdvagent, enddvagent, putesdvnam, copyesdvent (3) - 
Manipulate device assignment database entry (Enhanced Security)
getesfient, getesfinam, setprfient, endprfient, putesfinam (3)	- Manipulate 
file control database entry (Enhanced Security)
getespwent, getespwuid, getespwnam, setprpwent, endprpwent, putespwnam (3)  - 
Manipulate protected password database entry (Enhanced Security)
getestcent, getestcnam, setprtcent, endprtcent, putestcnam (3)	- Manipulate 
terminal control database entry (Enhanced Security)
getluid, setluid (3)	- Get or set the login UID (Enhanced Security)
getprdfent, getprdfnam, putprdfnam (3)	- Manipulate system default database 
entry (Enhanced Security)
getprfient, getprfinam, putprfinam (3)	- Manipulate file control database 
entry (Enhanced Security)
getprlpnam, putprlpnam (3)  - Manipulate printer control database entry 
(Enhanced Security)
getprpwent, getprpwuid, getprpwnam, putprpwnam (3)  - Manipulate protected 
password database entry (Enhanced Security)
getprtcent, getprtcnam, putprtcnam (3)	- Manipulate terminal control 
database entry (Enhanced Security)
initprivs (3)		- Initializes privileges (Enhanced Security)
locked_out_es (3)	- determine if password-management disallows user 
login (Enhanced Security)
passlen (3)		- Determines minimum password length (Enhanced 
Security)
prpasswd, prpwd (4)	- Protected password authentication database files 
(Enhanced Security)
pw_nametoid, pw_idtoname, gr_nametoid, gr_idtoname (3)	- Map between user 
and group names and IDs (Enhanced Security)
randomword, randomchars, randomletters (3)  - Generate random passwords 
(Enhanced Security)
secauthmigrate (8)	- Convert ULTRIX auth(5) authentication data to 
authcap(4) authentication data	(Enhanced Security)
secsetup (8)		- Security features setup script (Enhanced Security)
starting_luid, starting_ruid, starting_euid, starting_rgid, starting_egid, 
is_starting_luid, is_starting_ruid, is_starting_euid, is_starting_rgid, 
is_starting_egid, set_auth_parameters, check_auth_parameters (3) - Get or 
check user or group IDs (Enhanced Security)
sulogin (8)		- single-user login program (Enhanced Security)
time_lock (3)		- Check time-of-day locking (Enhanced Security)
time_lock_es (3)	- Check time-of-day locking (Enhanced Security)
ttys (4)		- Terminal control database file  (Enhanced Security)

matrix.conf (4)         - SIA (Security Integration Architecture) 
configuration file
sia_audit (3)           - Variable format interface for audgen - SIA 
(Security Integration Architecture)
sia_become_user  (3)    - su routine for SIA (Security Integration 
Architecture)
sia_chdir (3)           - Interface to the chdir system call - SIA (Security 
Integration Architecture)
sia_chg_finger, sia_chg_password, sia_chg_shell (3) - SIA change routines 
(Security Integration Architectu)
sia_chk_invoker (3)     - Check invoker routine for SIA (Security Integration 
Architecture)
sia_collect_trm  (3)    - Parameter collection routine for SIA (Security 
Integration Architecture)
sia_get_groups  (3)     - retrieve user's group information for SIA (Security 
Integration Architecture)
sia_getpasswd, sia_getgroup  (3)    - interface to the getpw* and getgr* 
routines for SIA (Security Integr)
sia_init  (3)           - initialization routine for SIA (Security 
Integration Architecture)
sia_log (3)             - Log events and errors - SIA (Security Integration 
Architecture)
sia_make_entity_pwd (3) - Make entity password - SIA (Security Integration 
Architecture)
sia_ses_init,  sia_ses_authent,  sia_ses_suauthent, sia_ses_reauthent, 
sia_ses_estab, sia_ses_launch, sia_)
sia_timed_action (3)    - Time limit routine - SIA (Security Integration 
Architecture)
sia_validate_user  (3)  - perform password validation for SIA (Security 
Integration Architecture)
siad_chg_finger, siad_chg_password, siad_chg_shell (3)  - Dependent SIA 
change routines (Security Integrat)
siad_chk_invoker (3)    - check invoker dependent routine for SIA (Security 
Integration Architecture)
siad_chk_user (3)       - check user dependent routine for SIA (Security 
Integration Architecture)
siad_get_groups  (3)    - mechanism-specific routine called from 
sia_get_groups to fill in a user's suppli)
siad_getgrent, siad_getgrgid, siad_getgrnam, siad_setgrent, siad_endgrent (3) 
  - group routines for SIA ()
siad_getpwent, siad_getpwuid, siad_getpwnam, siad_setpwent, siad_endpwent (3) 
  - password routines for SI)
siad_init  (3)          - initialization routine for SIA (Security 
Integration Architecture)
siad_ses_init,  siad_ses_authent,  siad_ses_suauthent, siad_ses_reauthent, 
siad_ses_estab, siad_ses_launch)
siainit (8)             - SIA (Security Integration Architecture) 
initialization command
sialog (4)              - SIA (Security Integration Architecture) log file

From:	KAMLIA::beau "Jim Seagraves OSF/1 TPEG  14-Jan-1997 1438" 14-JAN-1997 14:38:52.97
To:	MROA::Mgreenfield
CC:	
Subj:	security stuff (including the APIs)


are documented on the V4.0 documentation CDROM.  You
can view it on-line (assuming it's mounted locally).
It's in text, ps, and html form.

On our machine, it's up at:

http://tpegsrvr.zk3.dec.com/usr/share/doclib/online/DOCUMENTATION/HTML/AA-Q0R2D-TET1_html/TOC.html

Compuware can read this locally if they have a machine
and V4.0 up.


thanks
Jim Seagraves


From:	KAMLIA::beau "Jim Seagraves OSF/1 TPEG  14-Jan-1997 1548" 14-JAN-1997 15:48:16.79
To:	MROA::Mgreenfield
CC:	
Subj:	C2 security API changes for V4.0



are in Chapter 18 of the Security Guide.  Several
of the C2 security APIs you have in your mail
message have been replaced.

(for example)
getprpwnam  ==> getespwnam



From:	KAMLIA::beau "Jim Seagraves OSF/1 TPEG  14-Jan-1997 1607" 14-JAN-1997 16:07:09.70
To:	[email protected]
CC:	MROA::Mgreenfield
Subj:	security questions update


Hi Paul-

	I work in the ISV space for Digital (along with
Mike Greenfield). Below are some answers to the questions
you have given to Mike Greenfield.


The "+" mark below marks new answers....


========
Jim Seagraves  
Digital UNIX Technical Partnership Eng. Grp.
Digital Equipment Corp., MS: ZKO3-2/U20, Nashua NH  03062 
Voice/FAX: +1.603.881.6199/6059, enet: [email protected], 2m: N1FFW
Company URL: http://www.unix.digital.com
==========
 

>1) Are european and us distribution media/kits the same for d unix?
>Need answer in terms of wrt enhanced security options.

The kits are the same.

>2) if you interface to security on a system with the us 
>encryption stuff, Is the api identical to that used in europe?

yes, the same

>In other words, does the installation of the us encryption algorithms
>change the api, how it is used or the existence of any of the utilities?

no

>>Are certain libraries present only if the enhanced encryption is 
>>present?

not sure what you're asking -- enhanced security is in the
OSFC2SEC subset.  libsecurity.a contains the various callable
APIs. 

+(the answer here is yes).



>3) how do you tell (from an application) if the us encryption 
>stuff is present?

The default (base) encryption is installed with the 
OSFBASE* subset. Enhanced security is optional (can be turned
on) when the OSFC2SEC* subset is installed.

>4) The isv seems to be using ocrypt calls only.  If you are using 
>	ocrypt, does this mean that you are not using the us encrypt
>	stuff in either event?

** I don't know about ocrypt.  I have a call in to the security
+ group on this item.  If this is the functionality found on ULTRIX,
+ see the Appendix C in the Security manual.

>5) Do any of the answers for the above questions change if we are 
>looking at them in the context of Dunix v3.2g versus v4.0?

Version 3.2g does not have a crypt (user level) command
available. 

+ For enhanced security differences, see the Security manual
+ on the documentation CDROM that is distributed with V4.0.
+ The differences in the APIs are listed in Chapter 18.
+ The APIs are covered in Chapters 15-21.



------- End of Forwarded Message


From:	KAMLIA::beau "Jim Seagraves OSF/1 TPEG  17-Jan-1997 1715" 17-JAN-1997 17:15:51.07
To:	mroa::mgreenfield
CC:	
Subj:	compuware ok with security features/APIs now ? 


Hi Mike

	Are you (and Compuware) more understanding of the
base and enhanced (C2 Security) issues/APIs now ?  I
haven't heard back from either of you so I was wondering...

On a non-related note, Sarah (my boss) had asked me 
about a V4.0 retrospective from the SPG, ISV, anyone 
else that has good criticism on the porting and binary
certification process.  Are there things we (USG)
can do differently to improve the work that
will have in the Steel time frame ? Any
things we did just plain wrong ?  Besides
the VM bug that broke 3.0 to 4.0 binary
compatibility,  did SPE/G see any others ?
 
Chuck Piper may also be in touch (I know he is working
up a formal question list). 

Has SPE/G also done a 4.0 retrospective internally?

I have an outline of what I thought were shortcomings.
I'd be happy to forward it if you'd like to critique
it.


thanks
Jim