SYSTEM ADMINISTRATION MANAGER (SAM)

USAM (UNIX System Administration and Management)

It is necessary to point out that, according to Government security standards, Hewlett-Packard's System Administration Manager (SAM), as delivered, leaves much to be desired with regard to system security. For this reason, among others, SSO Montgomery is providing DISA/DMC sites with a more secure product known as USAM.

Sites operating UNIX computers under DISA's control should consider using USAM as their primary system administration tool.

The policies and procedures for the installation and use of USAM can be found in the latest release of:

SOFTWARE USERS MANUAL (Latest Version)
System Administration Tools and Utilities
for UNIX Systems Administration and Management

by: Defense Information Systems Agency
SSO Montgomery
Open Systems Software Branch

and

SSO Load Instructions
SSO UNIX Systems Administration
and Management (USAM) Release SSO 01.00

Portions of these documents are reproduced here, but you must obtain, read and comply with both of them.


Overview -
The SSO release provides a standard method of securing, configuring, standardizing and managing the HP SOE environment for JOF operations, development and application platforms. It gives the SA a set of tools and utilities that automate common procedures such as establishing crontab entries, adding users, and archiving and displaying logs.


UNIX Operating System -
HP-UX as received from PRC/HP does not load as a secure system and should not be run in the "out of the box" configuration, which is a high security risk. If the SSO release is not used to secure and standardize the platform, the ISSO must take responsibility for securing and managing the system with some other software, and the SA will have to set up and standardize by hand many of the functions the SSO release provides automatically.

The SSO release secures and standardizes the HP-UX 10.xx Operating System (OS) and should not be confused with the HP-UX itself. Refer to the HP-UX installation guidelines for information concerning HP-UX 10.xx. The SSO installation and setup scripts are also referred to as UNIX Systems Administration and Management (USAM) software. Please refer to the SSO load instructions delivered with the release tapes for details of the SSO installation.

HP-UX should be in a "trusted" configuration. An easy way to check is to look for the /tcb/files/auth directory: if it is present, the system is probably in the trusted configuration (on a trusted system the password hashes are kept there, and the password field in /etc/passwd holds only an asterisk). The SSO release will run in a non-trusted environment, but this is not recommended and could compromise the security of the system.
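The check above can be scripted. The following is an added example, not part of HP-UX or the SSO release: it looks for /tcb/files/auth and also scans /etc/passwd for any account whose password field is not the asterisk a trusted system leaves there (an empty field is a passwordless account; anything else is a hash sitting in the world-readable passwd file, the non-trusted layout). The ROOT argument and the sample passwd lines are constructed for the demonstration; on a live system run trusted_check /.

```shell
#!/bin/sh
# Added example (not part of HP-UX or the SSO release): report whether a
# system looks like it is in the HP-UX "trusted" configuration.
# Assumptions: the trusted database is ROOT/tcb/files/auth and a trusted
# system leaves "*" in every password field of ROOT/etc/passwd. ROOT
# defaults to / and exists only so the check can be run against a copy.

# trusted_check [ROOT] -> 0 if trusted and clean, 1 otherwise; prints findings
trusted_check() {
    root=${1:-/}; root=${root%/}
    rc=0
    if [ -d "$root/tcb/files/auth" ]; then
        echo "trusted: $root/tcb/files/auth is present"
    else
        echo "NOT trusted: $root/tcb/files/auth is missing (convert with SAM, Auditing and Security)"
        rc=1
    fi
    if [ ! -r "$root/etc/passwd" ]; then
        echo "cannot read $root/etc/passwd"
        return 1
    fi
    # A password field other than "*" is either an empty password or a hash
    # left in the world-readable passwd file (the non-trusted layout).
    while IFS=: read -r user pw rest; do
        case $user in ''|\#*) continue ;; esac
        case $pw in
            '*') ;;
            '')  echo "WARNING: $user has an empty password field"; rc=1 ;;
            *)   echo "WARNING: $user has a password hash in $root/etc/passwd"; rc=1 ;;
        esac
    done < "$root/etc/passwd"
    return $rc
}

# Constructed demonstration: first a trusted-looking root, then a non-trusted
# one (the hash string below is made up, not a real password hash).
demo=$(mktemp -d)
mkdir -p "$demo/tcb/files/auth" "$demo/etc"
printf 'root:*:0:3::/:/sbin/sh\nsmith:*:201:20::/home/smith:/usr/bin/sh\n' > "$demo/etc/passwd"
trusted_check "$demo"
rmdir "$demo/tcb/files/auth"
printf 'root:Xk7Qp2e1:0:3::/:/sbin/sh\nguest::300:20::/home/guest:/usr/bin/sh\n' > "$demo/etc/passwd"
trusted_check "$demo" || echo "-> this system needs conversion before the SSO release is loaded"
rm -rf "$demo"
# On a live HP-UX system: trusted_check /
```

The second run shows both findings the SA cares about: a hash exposed in /etc/passwd and an account with no password at all. Either one means the system is not ready for the SSO release.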


SSO Software -
The SSO USAM software is logically divided into three sections and loaded into three different directory structures. These three software sections together are collectively referred to as the SSO USAM. The first section is referred to as gateway (gw) and contains reporting and monitoring scripts associated with system monitoring and management platforms also referred to as gateway platforms. The second section is referred to as opsys (os), from the term operating system, and primarily supports the security, configuration, management and administration of the system for the local environment. The final section, lib, contains a standard set of libraries used by the gateway and opsys sections. It also contains a menu system for common, repetitive SA functions, and systems management agents that collect data that is reported back to gateway platforms. An additional directory referenced in the documentation is dev. This directory contains the development scripts that are used in maintaining the release. These scripts are not released to the field at this time. References are included in this document to provide the SAs with insight into the development and release process.


SSO Software Installation -
The SSO release is integrated into the environment after the HP-UX operating system. The release provides libraries, systems administration software, security, and gateway software to support the SOE.

NOTE: The SSO release should be loaded after the HP-UX operating system has been established and is operational. HP-UX should be loaded according to the SSO Montgomery HP-UX implementation guide.


Startup and Shutdown -
In keeping with the philosophy of making minimal changes to COTS products, the SSO USAM adds one process and two links to the standard HP-UX boot. The process is the [os]/sbin/init.d/rc_ak script, which is placed in the operating system's /sbin/init.d directory. Companion links for this script are in /sbin/rc2.d: S990rc_ak for bootup and K001rc_ak for shutdown. These links start and stop the execution of rc_ak, which in turn executes [os]/bin/rc. This process makes the opsys section mimic the HP-UX 9.xx method of starting and shutting down control processes. Mimicking that method gave the SA a simpler transition and was easier to understand, since it had been in use for several years; it also let the SSO release limit its changes to the HP-UX product while retaining the previous startup and shutdown methodology. Files executed by [os]/bin/rc are in [os]/etc/rc2.d; the corresponding shutdown scripts are in [os]/etc/shutdown.d.

The system can, optionally, be rebooted or reset at midnight. The determination for which option occurs is controlled by the [os]/bin/shutdown process which executes at five minutes past midnight via the root crontab. The script checks a file in the [os]/config directory. The presence of the stop.shutdown file will force the system to "reset" by executing the [os]/bin/reset script. If this file is not present, the system does a full shutdown and restart using the /etc/shutdown command.


sam -
System Administration Manager (SAM), supplied with the HP-UX operating system, is a menu-driven systems administration utility that provides many of the features needed to maintain the HP-UX environment: security, disk maintenance, networking, system generation, communications, printer configuration and interaction, and user administration. SAM information can be found in "System Administration Tasks Volume 1" and in "How HP UNIX Works"; refer to these manuals for SAM and system operation on the HP 9000 computer.


Networking Software -
HP-UX includes a protective daemon that decides whether a remote access attempt is valid before allowing access to the system over the network. This software consists of a daemon (inetd), a configuration file (/etc/inetd.conf) and an associated access file (/var/adm/inetd.sec). For a service listed in inetd.sec, inetd will not allow access unless the requesting host's IP address is permitted by that service's entry; a service with no inetd.sec entry is open to every host. If the address is permitted, inetd starts the proper daemon, such as ftpd, telnetd or tftpd. The IP address should also be identified in the /etc/hosts file. If it is not, access is still allowed, but a message identifying the access as a "connection from unknown" is placed into /var/adm/syslog/syslog.log. This information is also reported by the daily_check script.

The SSO release does not rely on inetd.sec but adds the TCP Wrapper package (tcpd, or TCPD), which is distributed through security channels and used for all SSO releases. TCPD uses a method similar to the one described above, but access control is through two files in /etc: hosts.allow and hosts.deny. hosts.allow lists, by service, the IP addresses allowed to access the system; hosts.deny lists what is refused. tcpd checks hosts.allow first and grants a request that matches there; otherwise it checks hosts.deny and refuses a match there; a request that matches neither file is granted, so hosts.deny should carry a catch-all ALL: ALL entry or unlisted services stay open. Mail is sent to the tcpd-report alias for refused connection requests; this mail routine is controlled from within the hosts.deny file. The SA should set the recipients of the tcpd-report alias as required for the local environment.
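As an added example (not the SSO release's software, and not the tcpd source), the following shell script models the order in which tcpd consults hosts.allow and hosts.deny for a given daemon and client address, so a policy can be tried on copies of the files before it goes live. It understands the client patterns ALL, an exact IPv4 address, a trailing-dot network prefix (10.1.2.) and net/mask (10.1.2.0/255.255.255.0); EXCEPT lists, hostnames, KNOWN/UNKNOWN and the shell-command field that drives the tcpd-report mail are not modelled. The daemon names and addresses in the demonstration files are constructed.

```shell
#!/bin/sh
# Added example: a model of how tcpd evaluates /etc/hosts.allow and
# /etc/hosts.deny, for testing a policy before it is deployed. It is not the
# SSO release's software or the tcpd source. Client patterns understood: ALL,
# an exact IPv4 address, a trailing-dot prefix (10.1.2.) and net/mask
# (10.1.2.0/255.255.255.0). EXCEPT, hostnames and shell commands are not modelled.

# ip4_to_int A.B.C.D -> prints the address as an integer; fails on bad input
ip4_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# client_match PATTERN ADDRESS -> 0 if the tcpd client pattern covers ADDRESS
client_match() {
    case $1 in
        ALL) return 0 ;;
        */*)
            n=$(ip4_to_int "${1%/*}") || return 1
            m=$(ip4_to_int "${1#*/}") || return 1
            a=$(ip4_to_int "$2") || return 1
            [ $(( a & m )) -eq $(( n & m )) ] ;;
        *.) case $2 in "$1"*) return 0 ;; *) return 1 ;; esac ;;   # 10.1.2. covers 10.1.2.x
        *)  [ "$1" = "$2" ] ;;
    esac
}

# rules_match FILE DAEMON ADDRESS -> 0 if some "daemons : clients" rule matches
rules_match() {
    [ -r "$1" ] || return 1
    # comments and blank lines are dropped; the optional third field (a shell
    # command such as the tcpd-report mail) is read into $cmd and ignored here
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | {
        while IFS=: read -r dlist clist cmd; do
            for d in $(echo "$dlist" | tr ',' ' '); do
                [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
                for c in $(echo "$clist" | tr ',' ' '); do
                    client_match "$c" "$3" && exit 0
                done
            done
        done
        exit 1
    }
}

# tcpd_decision ALLOW_FILE DENY_FILE DAEMON ADDRESS -> prints allow or deny
tcpd_decision() {
    if rules_match "$1" "$3" "$4"; then echo allow
    elif rules_match "$2" "$3" "$4"; then echo deny
    else echo allow     # matched neither file: tcpd grants access by default
    fi
}

# deny_has_catchall DENY_FILE -> 0 if an "ALL : ALL" rule closes the default-allow hole
deny_has_catchall() {
    sed 's/#.*//' "$1" | grep -q '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL'
}

# Constructed demonstration policy (not a real site's files).
wrap=$(mktemp -d)
printf 'telnetd : 10.1.2.0/255.255.255.0, 10.1.3.\nftpd : 10.1.2.15\n' > "$wrap/hosts.allow"
printf 'telnetd : ALL\n' > "$wrap/hosts.deny"     # only telnetd is closed off
for req in "telnetd 10.1.2.15" "ftpd 10.1.2.15" "telnetd 10.9.9.9" "ftpd 10.9.9.9"; do
    set -- $req
    echo "$1 from $2: $(tcpd_decision "$wrap/hosts.allow" "$wrap/hosts.deny" "$1" "$2")"
done
deny_has_catchall "$wrap/hosts.deny" || echo "hosts.deny has no ALL : ALL rule; unlisted services are open"
rm -rf "$wrap"
```

The last request in the demonstration, ftpd from 10.9.9.9, is granted even though no rule allows it, because hosts.deny names only telnetd. Replacing that file's contents with ALL : ALL turns the same request into a deny, which is the configuration the SA should verify on every SSO platform.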


Default Paths -
Various security alerts and warnings distributed through security directives and policies have noted that the period (".") should not be in the PATH environment variable. A period in the PATH means the current directory is included in the PATH search (so does an empty PATH component, that is, a leading or trailing colon or two colons together). Unfortunately, HP-UX ships this in its default profile, which gives an attacker an opening to exploit. For example, if a user is in the /tmp directory and runs telnet, the user expects /usr/bin/telnet to run, since /usr/bin is in the default PATH. If the user's PATH also contains a period ahead of /usr/bin, an attacker can place a similarly functioning telnet command in /tmp, and that version may capture the login and password the user supplies. As a minimum, if the period is allowed in the PATH variable at all, it should be placed at the end, and the SA should be aware that the security of the system has been reduced.
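The following added example (not from the HP-UX profile or the SSO release) audits a PATH value for components that mean the current directory, including the empty components that are easy to miss, and shows which file the name telnet would resolve to under different orderings. The planted telnet and the two directories are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the HP-UX profile or the SSO release): audit a PATH
# value for components that mean "the current directory", and show which file
# a command name resolves to under different PATH orderings.
# Assumption: the planted command is named telnet only to match the text.

# path_audit PATHVALUE -> 0 if every component is an absolute directory, 1 otherwise
path_audit() {
    rest=$1; n=0; bad=0
    while :; do
        case $rest in
            *:*) comp=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   comp=$rest; more=0 ;;
        esac
        n=$((n + 1))
        case $comp in
            ''|.)  echo "component $n is the current directory (${comp:-empty entry})"; bad=1 ;;
            [!/]*) echo "component $n is relative: $comp"; bad=1 ;;
        esac
        [ "$more" -eq 1 ] || break
    done
    return $bad
}

# resolve NAME PATHVALUE -> prints the file NAME would execute as, like the shell's search
resolve() {
    name=$1; rest=$2
    while :; do
        case $rest in
            *:*) dir=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   dir=$rest; more=0 ;;
        esac
        [ -n "$dir" ] || dir=.        # an empty component is searched as "."
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            echo "$dir/$name"; return 0
        fi
        [ "$more" -eq 1 ] || break
    done
    return 1
}

# Constructed demonstration: SYSBIN stands for /usr/bin, WORK for a
# world-writable directory such as /tmp holding an attacker's copy.
demo=$(mktemp -d)
mkdir "$demo/sysbin" "$demo/work"
printf '#!/bin/sh\necho real telnet\n' > "$demo/sysbin/telnet"
printf '#!/bin/sh\necho planted telnet: would prompt for and record the login and password\n' > "$demo/work/telnet"
chmod 755 "$demo/sysbin/telnet" "$demo/work/telnet"
(
    cd "$demo/work" || exit 1
    echo "PATH=.:SYSBIN  -> $(resolve telnet ".:$demo/sysbin")"
    echo "PATH=:SYSBIN   -> $(resolve telnet ":$demo/sysbin")   (leading colon is also the current directory)"
    echo "PATH=SYSBIN:.  -> $(resolve telnet "$demo/sysbin:.")"
    path_audit ".:$demo/sysbin" || echo "-> unsafe PATH"
    path_audit "$demo/sysbin:/usr/sbin" && echo "-> clean PATH"
)
rm -rf "$demo"
```

With the period (or an empty entry) first, the planted copy wins; with it last, the real command wins but only for names that exist in the system directories, so a mistyped command name still runs whatever the attacker left under that name in the current directory. Running path_audit against each login profile the SSO release installs is a quick way to confirm the default has been removed.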


Standardization -
All "normal" userids on an HP-UX system should be standardized for the following reasons:

a. Identification. With telecommunications becoming a larger portion of the mission, systems like DDN will be used more extensively. Standard userids will help identify a user to a base and section more quickly.

b. Administration. A base with hundreds of userids can spend a lot of time in userid and password management alone. Standard userids will make it easier for the SA/ISSO to manage them properly.

c. Consolidation of Workloads. When two or more bases merge during a consolidation effort, there are bound to be userids that are duplicated on multiple systems. Duplicated system and central-site-management userids do not conflict, because the gaining site simply takes over responsibility for them from the losing site. Duplication among the userids of functional users, however, is highly undesirable. Standard userids ensure uniqueness across all sites, which facilitates running multiple base workloads during contingency operations: the contingency system holds a unique set of userids that can be broken apart again later.

d. An SA/ISSO at a local non-regionalized site can maintain a unique set of userids that could be merged to a regional site for contingency processing.

e. POSIX standards are currently being developed. Where possible, this manual attempts to take into account the requirements specified in the draft standards.


Adding Users -
Users running the SSO release are activated with the /.opsys/bin/add_user script. This script adds the user to the appropriate password and group files and also places the user's information in the /etc/hosts and /etc/hosts.allow files. The script is easy to follow and prompts for information. There is currently no error checking within the script, so a bad IP address, for example, will not be flagged to the SA while the script runs; erroneous information must be corrected manually by the SA afterwards. Use the following procedures for adding a user:

a. Get the following information from the user:
user's name
office phone number
office symbol
IP address of the terminal

b. Validate the user and his requirement with the local ISSO.

NOTE: Ensure that you are Superuser (root), or you will not be allowed to use this script. If your prompt shows a # sign but you still cannot use the script, you are a simulated root user; type su and press return to become the actual root user.

c. Add the users information into the system using the [os]/bin/add_user script. Type in /.sso/.opsys/bin/add_user at the command line and press return.

d. The dialogue presented by the script follows. The word choice: appears at the bottom of the menu selections; enter the item number and press return to be prompted for that information.

Login Id - Input the Login Id using the format specified in the Trusted Facility Manual.
User Id - The User Id (UID) number must be unique. The add_user script will automatically assign the next available UID for you, or you can check the password file for the UID numbers in use.
Group Name/ID - Input the name of the user's primary group. The group assigned depends on the type of access the user needs to perform the duties associated with this particular system. The add_user script defaults to the users group if you do not specify one.
Home Dir. - The add_user script defaults to home/loginid if you do not specify a home directory.
Shell - The add_user script defaults to /usr/bin/sh. Modify this line if you want the user's shell to default to another shell type.
Full Name - Input the user's full name. This information is used to track down the user if they need to be contacted personally. Middle initials can also be entered here if necessary.
Office Symbol - Input the user's office symbol.
DSN Phone xxx-xxxx - Supply the user's DSN telephone number. If a DSN number is not available, include the commercial number along with the area code and extension. A commercial number might be needed for dealing with contract users.
Alt phone xxx-xxxx - Input the user's alternate phone number.
IP Address/Alias - Input the IP address, a space, and the alias. The alias may be the same as the login id. This information is used by the accounting and auditing files to track users and to allow or deny access to the system, and it is what gives the user network access. If the IP address is incorrect, the user will not be allowed access to the system.
Service - Input the name of the service the user will be using, for example telnet. Press return; the script asks Addt'l service? Continue entering other services such as ftp, and press return alone when no other services are required.
Add Another User to the Update - For adding another user at this time.
Display Info - Selecting this number displays the following files: /etc/passwd, /etc/services, /etc/hosts and /etc/hosts.allow.
Update these Users to System - This option updates the system from its work files and establishes the user's standard profile and data on the system.
Exit - Exits the add_user script.
NOTE: After using this procedure, it will still be necessary to use SAM or the passwd command to give the user a password for access to the system.

If, for some reason, you did not use the /.opsys/bin/add_user script to create the new user, you must manually edit /etc/hosts and add the IP address of the user's terminal with, in the hostname field, a description of the person or the location of the terminal, whichever is more useful. You must also edit /etc/hosts.allow and add an entry containing the IP address and service for each of the services the user requires.

e. Issue the password or the access number to the user by an approved method of password distribution as specified in local procedures.

f. Coordinate this userid with the database and applications administrators.
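The manual hosts and hosts.allow procedure above, with the input checking the text notes add_user lacks, as an added example that is not the SSO add_user script: the function validates the terminal's IP address, refuses to register an address already in /etc/hosts, writes one service : address line per service to hosts.allow, and a companion function removes a terminal's entries when the user leaves. It assumes hosts.allow is keyed by daemon name (telnetd, ftpd) as tcpd matches it, and takes the file paths as arguments so it can be tried on copies before touching /etc; the logins and addresses shown are constructed.

```shell
#!/bin/sh
# Added example, not the SSO add_user script: the manual fallback the text
# describes, with the input checking add_user lacks. Assumptions: hosts.allow
# is keyed by daemon name (telnetd, ftpd) as tcpd matches it, one address per
# line in the form "daemon : address", and the file paths are arguments so
# the functions can be tried on copies before touching /etc.

# valid_ip4 ADDRESS -> 0 if ADDRESS is four decimal octets in 0..255
valid_ip4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# grant_host_access LOGIN ADDRESS HOSTSFILE ALLOWFILE DAEMON... -> 0 on success
grant_host_access() {
    login=$1; addr=$2; hosts=$3; allow=$4; shift 4
    valid_ip4 "$addr" || { echo "rejected: $addr is not a valid IPv4 address" >&2; return 1; }
    [ $# -gt 0 ] || { echo "rejected: no services requested for $login" >&2; return 1; }
    esc=$(printf '%s' "$addr" | sed 's/\./\\./g')          # literal dots for grep
    # One terminal, one hosts entry: a second user on the same address is a
    # sign of a typo or of a shared terminal that needs the ISSO's attention.
    if grep -q "^[[:space:]]*$esc[[:space:]]" "$hosts" 2>/dev/null; then
        echo "rejected: $addr is already in $hosts: $(grep "^[[:space:]]*$esc[[:space:]]" "$hosts")" >&2
        return 1
    fi
    printf '%s\t%s\n' "$addr" "$login" >> "$hosts"
    for svc in "$@"; do
        line="$svc : $addr"
        grep -Fqx "$line" "$allow" 2>/dev/null || printf '%s\n' "$line" >> "$allow"
    done
    echo "added $login at $addr for: $*"
}

# drop_lines REGEX FILE -> rewrite FILE without the lines matching REGEX
drop_lines() {
    [ -f "$2" ] || return 1
    { grep -v "$1" "$2" || :; } > "$2.tmp" && mv "$2.tmp" "$2"
}

# revoke_host_access ADDRESS HOSTSFILE ALLOWFILE -> remove a terminal from both files
revoke_host_access() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    drop_lines "^[[:space:]]*$esc[[:space:]]" "$2" &&
    drop_lines ":[[:space:]]*$esc[[:space:]]*\$" "$3"
}

# Constructed files standing in for /etc/hosts and /etc/hosts.allow.
work=$(mktemp -d)
printf '127.0.0.1\tlocalhost\n10.1.2.1\tdmc-gw\n' > "$work/hosts"
printf 'ALL : 10.1.2.1\n' > "$work/hosts.allow"
grant_host_access jsmith 10.1.2.15 "$work/hosts" "$work/hosts.allow" telnetd ftpd
grant_host_access bjones 10.1.2.15 "$work/hosts" "$work/hosts.allow" telnetd   # same terminal again
grant_host_access rlee 10.1.2.300 "$work/hosts" "$work/hosts.allow" telnetd    # bad octet
echo "--- hosts";       cat "$work/hosts"
echo "--- hosts.allow"; cat "$work/hosts.allow"
revoke_host_access 10.1.2.15 "$work/hosts" "$work/hosts.allow"
echo "--- hosts.allow after revoking 10.1.2.15"; cat "$work/hosts.allow"
rm -rf "$work"
```

The address check is the error checking the text says add_user does not do; the duplicate check catches the case where a second login is keyed to a terminal that already has one, which would otherwise silently give the new user the old user's network access. revoke_host_access only recognises the one-address-per-line format written here, so entries that list several addresses on one line must still be edited by hand.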


SAM

The System Administration Manager is a menu-driven tool designed to perform typical system administration tasks without direct use of the underlying HP-UX commands. There are many benefits to using SAM:

Menus guide task selection, data entry, and option selection.
Tasks are easier (and quicker) to perform because you need not remember, or look up, complex command syntax.
SAM has the same "look and feel" on any HP 9000 system.

There are two SAM interfaces--an X window interface, and a character-mode (terminal) interface. Both have the same functionality, the difference being the means used to navigate through the menus. The X-window version uses a mouse and GUIs whereas the terminal version uses combinations of keystrokes.

There are some limitations to SAM, in that it does not support the full range of system administration command options. Specific cases where command-line administration is required are addressed elsewhere. Below is a roadmap of available SAM functions.

Accounts for Users and Groups ...
____ Groups
____ Users
Auditing and Security ...
____ Audited Events
____ Audited System Calls
____ Audited Users
____ System Security Policies
Backup and Recovery ...
____ Automated Backups
____ Interactive Backup and Recovery
Clusters ...
____ NFS Cluster Configuration
Disks and File Systems ...
____ Disk Devices
____ File Systems
____ Logical Volumes
____ Swap
____ Volume Groups
Kernel Configuration ...
____ Configurable Parameters
____ Drivers
____ Dump Devices
____ Subsystems
Networking and Communications ...
____ Bootable Devices ...>
________ DHCP Device Groups Booting From this Server
________ Devices for which Boot Requests are Relayed to Remote Servers
________ Fixed-Address Device Booting From this Server
____ DNS (BIND) ...
________ DNS Local Name Server
________ DNS Resolver
____ Internet Addresses
____ Name Service Switch
____ Network Information Service
____ Network Interface Cards
____ Network Services
____ Networked File Systems ...
________ Exported Local File Systems
________ Mounted Remote File Systems
____ System Access ...
________ Internet Services
________ Remote Logins
____ UUCP ...
________ UUCP Devices
________ UUCP Remote Systems
Peripheral Devices ...
____ Cards
____ Device List
____ Disks and File Systems ...
________ Disk Devices
________ File Systems
________ Logical Volumes
________ Swap
________ Volume Groups
____ Instruments
____ Printers and Plotters ...>
________ Print Requests
________ Printers and Plotters
________ Save/Restore Spooler Configuration
____ Tape Drives
____ Terminals and Modems
____ Uninterruptable Power Supplies
Printers and Plotters ...
____ Print Requests
____ Printers and Plotters
____ Save/Restore Spooler Configuration
Process Management ...
____ Performance Monitors ...>
________ Disk and Terminal Activity
________ Inter-Process Communication Facility Status
________ Processes with Highest CPU Usage
________ System Activity
________ Virtual Memory Activity
____ Process Control
____ Scheduled Cron Jobs
Routine Tasks ...
____ Backup and Recovery ...>
________ Automated Backups
________ Interactive Backup and Recovery
____ Find and Remove Unused Filesets
____ Selective File Removal
____ System Log Files
____ System Shutdown
Run SAM on Remote Systems
Software Management ...
____ Copy Software to Local Depot
____ Install Software to Local Host
____ List Software ...>
________ List Depot Software
________ List Installed Software
____ Remove Software ...>
________ Remove Software from Local Depot
________ Remove Software from Local Host
Time ...>
____ NTP Broadcasting
____ NTP Network Time Sources
____ System Clock


Adding, Deleting, Editing Groups -
Under normal circumstances, new groups will only be created when setting up a newly-authorized project. Some application software may require addition of a group name, in which case the needed details will be found in the installation instructions. In many such cases, the software installation script automatically creates needed group accounts. The following sections illustrate the steps needed for adding new group names to the HP System.

Adding a Group -
The following examples are taken from a color graphic monitor. A standard monochrome console monitor has no GUI representation.

Select Accounts for Users and Groups
____ Select Groups
________ Select the Actions pull-down menu
____________ then select the Add option. The Add a Group Account dialogue box displays.
The following information is requested:
Group Name: Enter the name from the Project ID Request form.
Group ID: Enter the appropriate Group ID number.
Users to Include in Group (optional): A box containing a listing of system user IDs is presented. All users needing access to this group should be selected (if known).

Enter the appropriate information in each field.
Click the OK button.

Deleting a Group -
Before removing a group, ensure that all files on the system having that group’s ownership have been either deleted, or assigned to another group. To obtain a listing of files/directories belonging to a group called "mygroup", do the following:

Log in as (or "su" to) root.
find / -group mygroup -print | more
A list will be generated listing the full directory path to each directory/file entry having mygroup as the owning group. This may take a while to complete.

Once you have dispositioned the files found by the above procedure, the group may be deleted using SAM as follows:

Follow the first three steps from Adding a Group
Select the group to be removed by highlighting the entry
Choose the Actions menu, and the Delete option
Click OK button to remove the group


Adding, Deleting, Editing Users -
In some DMCs a completed and approved User ID Request is required to authorize a new user account. To enter the System Administration Menu enter sam at the command line prompt. This displays the main SAM window.

Select Accounts for Users and Groups
____ Select Users - A listing of the current user accounts for the HP system displays
________ Select the Actions pull-down menu
____________ then select the Add option. The Add a User Account dialogue box displays.
The following information is requested:
Login Name: Enter the user ID
UID: Enter the UID number.
Home Directory: Enter the home directory (under /home/) and verify the "create home directory" box is checked.
Primary Group: Enter the user’s primary group membership.
Startup Program: Choose /usr/bin/ksh (korn shell) unless another shell is specified.
Login Environment: Three options are available, select shell (start-up Program)
Real Name: Enter the user’s name
Office Location: Enter the user’s Office Location
Office Phone: Enter the user’s work phone number
Home Phone: Optional
Set password Options:
    Four options are available --
No Restrictions (Normal Behavior)
Force Password change at next login
Allow only super-user to change password
Enable Password Aging

Enter the appropriate information in each field.
Click the OK button.

Removing A User Account -
Before removing a user account, it is advisable to disposition all directories/files belonging to that user, either by deletion or by re-assignment to another user ID. The steps to identify all directories/files owned by user olduser are as follows:

Log in as (or "su" to) root.
cd /
find . -user olduser -print | lp
A printout will be generated on the default system printer listing the full directory path to each directory/file entry having olduser as the owner. This may take a while to complete.
Once you have located all the files owned by the user by the above procedure, the user ID may be deleted using "sam" as follows:

Follow the first three steps from Adding a User
Select the user to be removed by highlighting the entry
Choose the Actions menu, and the Delete option
Click OK button to remove the account

The user's files may be dispositioned as time permits. Note that files left behind keep the deleted account's numeric UID, and a new account later assigned that UID inherits them, so finish the disposition before the UID is reused and check the system for files that no longer have an owner.

Prepared by: Everette Smith, Impact Innovations Government Group, Inc.

